Author: Paul Hewitt, Managing Director
February 28, 2017
“Why Strategy First?”
Three Immediate Actions To Better Align Your Cybersecurity Program With Your Business Objectives
Cybersecurity is moving into everyone’s daily lexicon. It’s actually now cool to be in the know about cyber (call it cyber geek chic), and for those involved in the IT security industry, this is the time of the year — at the annual RSA conference earlier this month — when cyber moves to the center of many conversations. As the industry prepares to introduce the latest technology required to fight threats, and win the war on trust, February could very well be branded “Cyber Technology Awareness Month.”
I’m not a fan of technology for technology’s sake, but I am a believer in the ongoing quest to align technology innovation with business strategy in the realm of cybersecurity. I’ve spent years at technology companies in Silicon Valley, and I have a great appreciation for how we can apply true innovation to address the challenges we’re facing today. Still, rather than getting excited about the next set of technologies that promise to solve the cybersecurity dilemma once and for all (they very likely won’t), CISOs need to think strategically. Before investing in more technology, they should invest more time in developing a proactive plan that’s aligned to their businesses and to where their businesses are going.
CISOs have an enormous challenge on their hands, and the spotlight is on them. The daily question every senior risk executive must face is how to facilitate the digitization of their enterprise while meeting the demands of regulators and keeping the enterprise safe against threats and cyber news headlines.
Making security investment decisions is not easy. To be effective, CISOs need to rethink their strategies and plans in three different ways:
- Strategic choices that go beyond security technology decisions. Too often, strategic security questions are limited to considering the merits of a particular security technology. CISOs and their teams first need to ask a set of more important question: “can we better and more easily protect our most sensitive assets by (a) educating users, (b) limiting application functionality, (c) changing business processes, or (d) changing our data architecture?” The reality is that any of these approaches may be more achievable, more effective, and less costly than attempting to use yet another set of complex cybersecurity technologies to protect the company’s infrastructure and assets.
- Advocating and championing a more tailored approach. While many companies need to increase their spend on cybersecurity, even the largest companies do not have infinite budgets. Hard choices therefore have to be made. This means moving away from a one-size-fits-all security posture and instead focusing on protecting the company’s assets in line with their criticality to the business. Losing millions of customer records containing credit card data as part of a security breach is obviously far greater in business impact and customer loyalty than losing a set of shared internal documents used for product marketing. The effort put into protecting the former versus the latter needs to be balanced accordingly. As organizations begin to classify intellectual property into tiers, programs can be created to understand the threat vulnerability of the crown jewels versus information that is highly critical, critical, or just “important.” With prioritization of the most important company resources, programs can be put in place to better protect what’s most at risk.
- Focus on business resiliency not just protection. A number of leading CISOs have already reached the conclusion that breach is inevitable. With that in mind, CISOs need to focus much more of their teams’ energy and time on how to manage through a breach. They must be able to quickly limit any potential damage — and restore operations as quickly and seamlessly as possible — so that brand trust is not eroded. Today, more than 80% of a typical CISO’s budget is focused on acquiring and operating security protection technologies. The problem is that if a breach occurs, the key to success is staying one step ahead of the bad guys including how fast a company is in detecting the breach and how effective it is in managing through the crisis. There needs to be a change in investment strategy to focus more on business resiliency.
Typically, the response to the new challenges in cybersecurity is to just adopt more and more technology. But this is rarely a good thing. By some estimates, large enterprises today now have security point tools from as many as 54 vendors, all playing some role in keeping the bad guys out. Yes, that’s correct: 54. Clearly, this is not ideal. If I suggested that you run 54 CRM systems to manage your customers, or 54 ERP systems to control your supply chain, you would laugh. So why does it take products from so many security vendors to secure the typical enterprise? In reality, it doesn’t.
I’ll grant you that the security and threat landscape is complex, but many of the tools CISOs and their teams are using today are the result of legacy investments. They were acquired in response to specific sets of requirements or security concerns, and they often have significant overlap in their functionality. Many of them were also designed to protect old computing paradigms and are, therefore, inherently weak in adapting to the rapidly changing IT landscape. Using and managing 54 tools is also a recipe for operational paralysis and saddling CISOs with very inefficient cost structures. What is even worse is that because many of these tools are so poorly integrated (or not integrated at all), this complex and largely unplanned security infrastructure actually offers lots of opportunities for the bad guys to hide and evade detection.
By rethinking the cybersecurity challenge along the lines described above, CISOs have the opportunity to build an effective strategy that will better support the business and its goals, while simultaneously rationalizing the current cybersecurity toolset and reducing operational complexity. Scarce budgets and resources can then be redirected to the most critical items. Done right, the overall effectiveness and efficiency in stopping the bad stuff from happening will increase, while the chances of a breach causing irreparable damage to the enterprise will significantly decline. That’s something that all CISOs, executive teams, and boards can support.
If you need a trusted partner to take the next step in improving your cybersecurity posture, get in touch — we’re already thinking about you.
Author: Paul Hewitt, Managing Director