If you’ve been reading along, you’re aware of the lightbulb moments from my article, “echo: hello world”, that allowed me to discover the benefits of an analytic approach to cybersecurity. This is the start of my new blog series, The CISO’s View, where I focus on the executive level business concerns facing security leaders. Today, I’d like to focus on why culture is critical and an integrated approach to cybersecurity solutions is the key to success for the security program.
I use several innocent questions in conversations to gauge the maturity of a company’s security program. The first I lead with is “What does your security program look like?” Unfortunately, I’ve had many instances where I’m given a list of security point solutions as the answer. Digging deeper, it appears that the entire program lifecycle consists of: identify gap -> purchase product. These same folks will then go on to explain – at length – how the business doesn’t get security, won’t invest in the products they need, and considers security to be a nuisance.
Digging even deeper, the security organization is structured around the security products: the anti-virus group, the forensics group, the data loss prevention group, etc. Each of these people or teams is responsible for the full-stack support of its product: patching, maintenance, configuration, and, occasionally, use.
This thought process leads to the last question I ask to understand the maturity of the company: “What title does the head of security hold, and where in the organization do they reside?” Just understanding where this role sits within the company shows me how security is perceived by the company.
As you can see, those simple questions can tell you a lot about the maturity of a security program, as the answers range from a reactive technical response to a mature focus on security as a strategic business value proposition. The maturity path roughly follows this growth pattern:
We are living in interesting times where companies are transitioning from operating as legacy brick and mortar to technology focused for disruptive advantage.
“May you live in interesting times” – a curse.
The fact is, the modern company is a technology-focused one that happens to make, service, or sell stuff. We can see this new reality by comparing companies that get this to those who don’t.
Those who understand the new reality become a disruptive force in their industry, and those who don’t become – disrupted. The modern company’s core is a technology platform that integrates with their partners and customers, and the company’s operating tempo is the development and release cycle of that platform with the disruptors aiming for continuous delivery.
In my view, legacy company thinking is the result of consolidating not only the responsibility but also the technical skill for leveraging technology into a single department or division within the company, treating technology as some operational cost center somehow divorced from the core company strategy, and believing their strategic decision makers don’t need strong technical competency. After all, the business makes widgets, moves boxes, provides services – it’s not a technology company.
Technology focused companies become disruptive industry forces.
Those that don’t become disrupted.
It is this legacy thinking, this cultural issue, that is the core challenge a CISO faces in being successful. When technology is considered some operational cost center and security is a minor issue within that cost center, then of course it isn’t given the consideration and funding required to be truly successful.
I view the first and most fundamental challenge a CISO must face when building their security program as addressing the cultural thinking head on. The CISO must win the hearts and minds of the CEO and board by changing the perception of security from some peripheral afterthought to a core part of the company’s strategy. “Show, don’t tell” isn’t just a tip for writers seeking to engage their readers. The CISO must show with every communication how security can be a competitive advantage and the value it brings to the business.
Security: Is “The” business enabler
To do this means taking all the activity in the security program and making it both visible and tied directly to the company’s top and bottom line. It is the CISO’s first and most important job to show – on a daily basis – that security is a critical part of the company strategy. Yes, I’m saying the CISO’s first job is metrics. These metrics influence and enable the rest of the program, and this topic will be the focus of a later article. Today, I want to keep to why integration matters, and we have now arrived at the core concept that drives a program focused on a single integrated security platform instead of a list of security products.
Data, transformed into metrics, drives understanding of the company’s true risk posture, and that in turn drives both the security program and company strategy. These concerns are all interconnected, and so our data needs to be as well. This drives a shift in what we look for from the list of security products above: from a list of bells and whistles to a core requirement that the data they create is open and available for integration into a larger enterprise platform.
To be succinct: The CISO’s first and most fundamental job is taking all this security data – threats, vulnerabilities, policy violations – and transforming it into business language that shows the impact on the company’s top and bottom line. Once this is done well, the authority and resources to be successful are justified in the executives’ and board’s minds and don’t have to be fought for using fear, uncertainty and doubt.
Michael Schiebel is Hortonworks’ GM of Cybersecurity Industry, where he leverages his more than 15 years of cybersecurity experience working in financial services and healthcare companies to help customers build cybersecurity analytic solutions. He has led incident response and computer forensic teams, designed and built security solutions, and created security roadmaps and strategies, learning how to position security projects based on delivering bottom-line value to the enterprise.