Evolving Cybersecurity Operations Across the Organization
Successfully defending the organization requires more than guarding against security threats. As organizational success and technology become more intertwined, a holistic cybersecurity operations program can be the piece of the puzzle that helps CISOs connect organizational goals, technology investments and daily defense.
Today’s CISOs must do more than combat threats. They must also meet the tall order of baking cybersecurity into the enterprise.
My colleague Todd Neilson wrote about how to reduce risk by aligning cybersecurity objectives to business requirements. My colleague Kent Noyes wrote about how an agile security architecture requires more than the right technology.
Business and architecture: these are the first two pieces for building a successful cybersecurity program. The last piece is cybersecurity operations. Here, we’ll explore enterprise cybersecurity (EC) operations and how organizations can use them to manage the intersection of business, IT and cybersecurity.
Enterprise cybersecurity operations vs. cybersecurity
It’s important to start by understanding the difference between EC operations and traditional cybersecurity operations.
Traditional cybersecurity operations were designed to manage anti-virus software, install and monitor firewalls, protect data, and help users manage passwords. EC operations, on the other hand, extend cybersecurity to all levels of modern-day business computing.
EC operations are designed to:
- Protect on-premises and cloud-based infrastructures.
- Identify enterprise-wide vulnerabilities.
- Secure technical architecture.
- Vet third-party providers.
- Secure software development.
- Manage new business ideas and technologies.
- Make the organization resilient against cyberattacks.
What’s driving EC operations?
Tighter alignment between business and technology
The user experience has become central to the products and services that organizations deliver. As organizations use technology to meet the needs of users around the world, whether in the form of digital experiences or physical goods, the risk of security breaches and attacks increases.
Coordination and influence with IT
In some organizations, IT and cybersecurity are at odds. IT exists to support business growth and efficiency. Cybersecurity exists to secure not only technology but also data produced by employees, partners and customers.
The need to get the basics right
Years ago, anti-virus, firewalls and log review were the most effective ways to manage cybersecurity. But technology has become more intrinsic to the lives of consumers, and hackers have become more determined and competent. To keep up and maximize operations, organizations must do the basics with excellence and prepare for the future.
Stumbling through the last ten years
The approach to cybersecurity has changed during the past decade. One term that sticks out is cyber hygiene. Like washing your hands or brushing your teeth, the concept of cyber hygiene means doing the basics, the minimum to secure your organization.
These basics include ensuring employees change their passwords regularly, developing an inventory of all software and hardware across an organization, and allowing and blocking websites.
Although doing the basics well increased cybersecurity, cybersecurity operations became somewhat chaotic.
Breach after breach of corporate and government organizations spawned an array of new cybersecurity standards. These regulations apply more rigor to data security, financial security, international privacy, banking security, healthcare security and cloud security, to name just a few. The dizzying number of requirements made it difficult to coordinate cybersecurity processes, which led businesses to focus only on the bare minimum.
Moreover, cybersecurity threats to an organization can change daily. Added to the mix are increased business risks, IT architecture growth, thousands of cybersecurity tools and few experienced cybersecurity professionals.
With new technical vulnerabilities being discovered, new attacks being created, or humans just making mistakes, it’s nearly impossible for most organizations to keep pace if they are solely focused on doing the bare minimum for compliance.
Preparing for the next ten years
The adage, "What got you here is not going to get you there," rings true in cybersecurity. Basing your cybersecurity operations on compliance alone or relying on the latest technology will not equal success in the future.
Technology is moving at a rapid pace, to be sure, but there are certain things we can predict about the future.
- Conflict between older legacy IT systems and newer technologies will continue.
- Successful business growth will rely on the internet of things and 5G networks.
- Business growth will depend on automated business processes and IT systems that are based on consumer needs.
- Automated security operations and machine learning will help drive innovation across industries and among our adversaries.
- The spectrum of cybersecurity products and services will continue to grow but won’t necessarily be integrated.
Lead vs. lag measures
To keep up, companies should incorporate both lead and lag measures. Lead measures are those tasks that clarify the best things we can do to help achieve our future goals and targets. Lag indicators are outcomes, like revenue, that help you identify if you have achieved your goals.
Cybersecurity lag measures include the number of breaches an organization has experienced, or how many security audits it has failed. Companies that try to run cybersecurity on lag measures alone pay the price, from wasting time and money hiring the wrong staff, to buying the wrong equipment or outsourcing what they should manage internally. Most importantly, lag measures alone prevent organizations from tying cybersecurity to business outcomes and IT architecture.
Lead indicators offer a much better way to manage enterprise cybersecurity operations. They include:
- Having the right data security policies in place, as well as a process to verify compliance regularly.
- Tracking the number of IT systems with known vulnerabilities.
- Measuring the organization’s resilience.
- Tracking and measuring high-risk business areas.
- Maintaining an integrated business, IT and cybersecurity strategy.
Creating a strong enterprise cybersecurity operations program
Baking cybersecurity into the entire enterprise can seem overwhelming. Often, it’s hard to know where to start.
The following can be helpful in evolving current cybersecurity practices into a strong EC operations program.
- Create a core team of business, IT and cybersecurity leadership that works in concert to identify, prioritize and manage risk.
- Identify business risks (current and future) and map them to IT systems. Then, prioritize cybersecurity goals and objectives according to business requirements.
- Ensure visibility and understanding. Not all business risks are clear, and not all technology risks can be mitigated within acceptable tolerance levels. Having clear visibility and understanding will increase your organization’s security posture.
- Grow resilience and recovery capability. Cyber resilience involves areas such as ensuring business delivery of products or services, having systems that are safe-to-fail, and building security from within, making it a part of all business and IT operations. In addition, it involves multi-layered protection that includes strong passwords and two-factor authentication.
As technology becomes more integral to business and grows in complexity, it’s critical to start incorporating cybersecurity into every aspect of the enterprise. The adoption of EC operations is one of the best ways to do so. Although it’s a challenging task, it’s one that CISOs can accomplish when they understand the evolution of cybersecurity, measures of success and some areas of focus to get started.