I should start by saying – I am lucky. When I became CISO, it was for an organization that had funded and prioritized cybersecurity for years. Defense in Depth – yup – mature and in some aspects over-invested in capacity. This was an enterprise that valued cybersecurity and seriously looked to avoid the negative impacts of a breach. Working with great partners and consultants, there were early investments – and year after year, management approved budget requests and the information security teams dutifully maintained the infrastructure. It seemed the walls were high and guarded. While that was comforting – I saw a problem and shared the first of what became a series of sayings – or management mantras – for my team.
Momentum is the Enemy.
This one was obvious. Our adversaries were not resting – so we had to constantly challenge our assumptions, tools and processes to effectively meet them. And we needed to know the “Why” of every control – was it still effective and well positioned? Were there new attack vectors or better solutions in the market? The “Why” would also allow us to be a constructive voice in determining what could be allowed, and what had to be restricted, as the environment and business requirements shifted. Yes, the walls were high, but had our perimeter expanded well beyond them?
Over years, I could see that most of the thought capital in cybersecurity was focused on tracking emerging threat actors and tactics, discovering vulnerabilities, and developing the new tools and technologies to address both. Without question, these are valued and mandatory endeavors – and foundational to our defense.
But in the day-to-day management of cybersecurity – I still saw the same approaches to implementing our controls, basically unchanged from when I started my career 20 years ago.
Momentum is the Enemy.
I can hear it when I go to training and conferences. I can see it from my own team – as they struggle to manage two high-speed, opposing forces – the demanding requirements of a business in a dynamic and competitive industry, versus a threat landscape that is overwhelmingly resourced and relentlessly motivated.
So – after convincing my teams and partners (who sort of have to listen to me anyway) – I thought I would share some of my ideas on how to manage and implement cybersecurity in the enterprises caught in the middle of these opposing forces. The everyday enterprises; organizations in between the small businesses that cannot even consider managing their own cybersecurity controls internally – and the mega-organizations that can fund their own research scientists ripping apart malware samples and searching for anomalous activity in data lakes.
This blog is for what I think is the vast middle of everyday enterprises – where the effective implementation of cybersecurity controls is the focus – and where best practice dialogues need to occur. How do we limit the risk aperture when considering new business initiatives? How do we enlist our co-workers and team members in the fight? How do we configure our tools to be flexible and responsive to valid business requirements, without compromising our security posture or complicating our controls to the point where we cannot reliably predict their behavior? These are the challenges put to the everyday CISO.
This is what I have been thinking about – and the dialogue I would like to have in our industry.
Let me know what you think.