Our profession can be a little crazy. We sometimes do things that fit the definition of insanity by dooming ourselves and committing the same mistakes again and again. We make it worse by allowing others (and ourselves) to believe the world is over because a breach occurs while mumbling to ourselves, “breaches will always happen, breaches are bound to happen” — all the while hoping they don’t.
Imagine the chief of police of a major city promising citizens there will be no murders, no drug sales and no accidents in the town for any period. This would be reckless and ridiculous. However, in our world, we live this double life, hoping and believing the inevitable won’t happen. We don’t live in a crime- or disease-free world — and we don’t live in a breach-free world, either.
To make matters worse, there are business leaders who place undue pressure on security leaders to do the impossible and operate within unacceptable budgetary and risk tolerance levels. How many times have you heard, “You must do more with less.”? Or, someone is accepting a threat that they will not take responsibility for? Yes, we could all sit around a table at Black Hat or Gartner and have a pity party, but we won’t.
Now that we understand how schizophrenic we are, let’s talk about how to address this “illness.” We’ve seen the symptoms. Lack of staffing and funding, the inability to get our message across, risk discussions which lead to frustration of IT, business and security staff, inadequate security tech stack, to name a few. These symptoms aren’t new. They’ve been with us over the years. However, they are more pronounced as security becomes more of a business concern.
I don’t pretend to have all the answers, but I know what has worked for me and many CISO and CSO colleagues. Plan, speak and present as a business leader who incorporates cybersecurity into your work. From strategy to operations, include a business justification or risk in every conversation. Let people argue about something more than the cost of the solution or how many resources you’re asking for in your budget. Give them a choice about what business risk they want to defer or the strategic initiative they want to put at risk. This may be difficult for some, but many non-security people will appreciate the fact you’re putting decisions in terms they can understand.
This approach is not foolproof. Some have a strict point of view and won’t budge, and there’s very little to be done about that. However, if you garner the support of key business leaders by helping them understand how security enables their business objectives, you’ll stand a better chance of getting your point(s) across.
It’s easier to discuss the value of your security programs when your metrics are defined as business benefits. For instance, for every vulnerability your team patches on a revenue-generating system, you ensure a compromise is not realized, and therefore you’re saving the company X. This is easier said than done. However, it is worth the journey and reduces the noise of your many executive and management conversations.
Here’s how you find out what’s important:
- Make sure you know why your company is in business.
- Understand the systems which help your company generate revenue and the leaders who are most concerned about ensuring those systems are running and secure.
- Know what data / information is important to run the business and monitor and report on how it is protected.
- Know what regulators require.
- Partner with IT to understand their platforms and strategies, which may affect security’s direction, and plan accordingly.
- Pay attention to the security industry’s emerging threats and techniques and define your protection strategy and solutions to meet those emerging challenges.
Following these suggestions may not cure the illness, but it will treat most of the symptoms and reduce the pain.
Contact us for more information and to get started on your cybersecurity plan.