If you’ve been reading along, you’re aware of the lightbulb moments from my article, “echo: hello world”, that allowed me to discover the benefits of an analytic approach to cybersecurity. This is the start of my new blog series, The CISO’s View, where I focus on the executive-level business concerns facing security leaders. Today, I’d like to focus on why culture is critical and why an integrated approach to cybersecurity solutions is the key to a successful security program.
Cybersecurity Isn't Just a List of Products…
I use several innocent questions in conversations to gauge the maturity of a company’s security program; the first I lead with is “What’s your security program look like?” Unfortunately, I’ve had many instances where I’m given a list of security point solutions as the answer. Digging deeper, it appears that the entire program lifecycle consists of: identify gap -> purchase product. These same folks will then go on to explain – at length – how the business doesn’t get security, won’t invest in the products they need, and considers security to be a nuisance.
Digging even deeper, the security organization is structured around the security products: the anti-virus group, the forensics group, the data loss prevention group, etc. Each of these people or teams is responsible for full-stack support of its product: patching, maintenance, configuration, and, occasionally, use.
This thought process leads to the last question I ask to understand the maturity of the company: “What title does the head of security hold, and where in the organization do they reside?” Just knowing where this role sits within the company shows me how security is perceived by the company.
The Security Maturity Path
As you can see, those simple questions can tell you a lot about the maturity of a security program, as the answers range from a reactive, technical response to a mature view of security as a strategic business value proposition. The maturity path roughly follows this growth pattern:
- The head of security is considered a middle or technical manager of a team that reports indirectly up to the CIO. Security is considered a technical add-on or a specialized IT team, treated in the same fashion as desktop support.
- The head of security holds a chief title such as CISO/CSO, reports directly to the CIO/CFO/COO, and is responsible for presenting security metrics to the board on some infrequent basis such as annually. The organization has realized that security concerns cut horizontally across all of IT and need governance as such; however, security is still considered a cost of doing business along the lines of facility maintenance – somewhat important but not of core strategic value.
- The head of security, with a title such as CRO (Chief Risk Officer), is considered a full member of the CEO’s staff to ensure the desired risk posture is embedded into the corporate strategy for competitive advantage. The organization realizes the cost savings of incorporating security and risk management principles into all phases of the business from design to operations, and security initiatives are prioritized on the basis of minimizing uncertainty.
- The head of security has a matrix reporting structure to the CEO and board, since there is awareness that the risk posture of the company directly impacts shareholder value. The organization realizes that “security” is actually a set of sound risk management practices that help drive best-of-industry practices, making the business more agile and capable of capitalizing on market opportunities. Traditional “security” roles are embedded throughout the organization, where the accountability should always have been: with those who make the decisions.
Cybersecurity Is a Cultural Issue
We are living in interesting times, where companies are transitioning from operating as legacy brick-and-mortar businesses to technology-focused ones seeking disruptive advantage.
“May you live in interesting times” – a curse.
The fact is, the modern company is a technology-focused one that happens to make, service, or sell stuff. We can see this new reality by comparing companies that get this to those who don’t:
- The neighborhood bookseller to Amazon
- Blockbuster to Netflix
- Paypal & FINTECH to community banking
- Uber and autonomous vehicles to taxi services
Those who understand the new reality become a disruptive force in their industry, and those who don’t become – disrupted. The modern company’s core is a technology platform that integrates with their partners and customers, and the company’s operating tempo is the development and release cycle of that platform with the disruptors aiming for continuous delivery.
Great, What Does This Have to do With Security?
In my view, legacy company thinking is the result of consolidating not only the responsibility but also the technical skill for leveraging technology into a single department or division within the company, treating technology as an operational cost center somehow divorced from the core company strategy, and believing that strategic decision makers don’t need strong technical competency. After all, the business makes widgets, moves boxes, or provides services – it’s not a technology company.
Technology focused companies become disruptive industry forces.
Those that don’t become disrupted.
It is this legacy thinking – this cultural issue – that is the core challenge a CISO faces in being successful. When technology is considered an operational cost center and security a minor issue within that cost center, then, of course, it isn’t given the consideration and funding required to be truly successful.
Leveraging Cybersecurity As a Competitive Advantage
In my view, the first and most fundamental challenge a CISO must face when building their security program is addressing the cultural thinking head on. The CISO must win the hearts and minds of the CEO and board by changing the perception of security from a peripheral afterthought to a core part of the company’s strategy. “Show, don’t tell” isn’t just a tip for writers seeking to engage their readers. The CISO must show, with every communication, how security can be a competitive advantage and the value it brings to the business.
Security Is “The” Business Enabler
To do this means taking all the activity in the security program and making it both visible and tied directly to the company’s top and bottom line. It is the CISO’s first and most important job to show – on a daily basis – that security is a critical part of the company strategy. Yes, I’m saying the CISO’s first job is metrics. These metrics influence and enable the rest of the program, and they will be the focus of a later article. Today, I want to stick to why integration matters, and we have now arrived at the core concept that drives a program focused on a single integrated security platform instead of a list of security products.
Data, transformed into metrics, drives understanding of the company’s true risk posture, and that in turn drives both the security program and company strategy. These concerns are all interconnected, and so our data needs to be as well. This drives a shift in what we look for from the security products above: from a list of bells and whistles to a core requirement that the data they create is open and available for integration into a larger enterprise platform.
Integrated Approach for Point Security Solutions:
- Be a succinct source of data or a control point, not a monolithic closed black box.
- Provide data using open, non-proprietary data formats ready for machine parsing.
- Establish data provenance, chain of custody, and non-repudiation of all data for forensic evidence throughout the data lifecycle.
- Be designed to sit within a larger enterprise platform architecture rather than built as a closed application or security appliance.
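As an added illustration of the open-format, provenance and chain-of-custody requirements above (example code written for this post, not any product’s own implementation): a hypothetical point solution emits events as plain JSON, and the platform wraps each one in a provenance envelope, hash-chains it to its predecessor and authenticates it with an HMAC so that edits, deletions or reordering of the record set are detected. The event fields, source name and key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed key for the example; a real platform would hold it in a KMS/HSM and rotate it.
PLATFORM_KEY = b"example-platform-key"

def canonical(obj):
    # Deterministic JSON (sorted keys, no whitespace) so any parser reproduces the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def ingest(events, source, key=PLATFORM_KEY):
    """Wrap each point-solution event in a provenance envelope, then hash-chain and MAC it."""
    ledger = []
    prev_hash = "0" * 64  # genesis value for the first record in the chain
    for seq, event in enumerate(events):
        record = {
            "seq": seq,                # position in the chain; catches reordering and deletion
            "source": source,          # which tool produced the data (provenance)
            "event": dict(event),      # the tool's own open-format payload, copied untouched
            "prev_hash": prev_hash,    # link to the predecessor (chain of custody)
        }
        body = canonical(record)
        record["hash"] = hashlib.sha256(body).hexdigest()
        # HMAC proves the platform ingested this exact record; a digital signature (asymmetric
        # key) would be needed for non-repudiation toward a third party who cannot hold the key.
        record["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
        ledger.append(record)
        prev_hash = record["hash"]
    return ledger

def verify(ledger, key=PLATFORM_KEY):
    """Return True only if every record is unmodified, in order and authentically MACed."""
    prev_hash = "0" * 64
    for seq, record in enumerate(ledger):
        body = canonical({k: v for k, v in record.items() if k not in ("hash", "mac")})
        if record["seq"] != seq or record["prev_hash"] != prev_hash:
            return False  # chain broken: record missing, inserted or reordered
        if record["hash"] != hashlib.sha256(body).hexdigest():
            return False  # record content altered after ingest
        if not hmac.compare_digest(record["mac"], hmac.new(key, body, hashlib.sha256).hexdigest()):
            return False  # record not produced (or re-signed) by the platform
        prev_hash = record["hash"]
    return True

# Constructed sample events, as a hypothetical EDR tool might emit them in open JSON.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "host": "ws-17", "type": "malware_detected", "severity": "high"},
    {"ts": "2024-01-01T00:00:05Z", "host": "ws-17", "type": "process_killed", "severity": "info"},
]
```

Call `verify(ingest(SAMPLE_EVENTS, "edr"))` to confirm an intact ledger, then lower one record's severity in the returned ledger and verify again: the second call returns False, which is the property that makes the data usable as forensic evidence.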
To be succinct: The CISO’s first and most fundamental job is taking all this security data (threats, vulnerabilities, policy violations) and transforming it into business language that shows the impact to the company’s top and bottom line. Once this is done well, the authority and resources to be successful are justified in the minds of the executives and board and don’t have to be fought for using fear, uncertainty, and doubt.