Fixing What’s Really Broken In Cyber Security
One might think that the common problems in cyber security programs are that teams aren’t resourced correctly and that the business doesn’t sufficiently support the cyber security program. Could be, but maybe we’ve confused the symptoms of being broken with the underlying root causes.
Some of those symptoms?
- Non-committed leadership.
- Vague security goals and objectives.
- Lack of understanding and consensus by executives.
- Best practices applied before analysis and prioritization of good practice for the particular organization.
- Poor execution.
When we stitch together the above points, we get something along the lines of the following:
Organizations continue to apply an increasing amount of resources to a set of imperfect industry best practices, often skewed by vendors, without the knowledge, training, analysis, or prioritization needed to determine what the risks or good practice for that particular organization might be. This results in overworked cyber security teams poorly executing against vague security goals and objectives that aren’t understood by process owners, that cause friction with users, and that lack consensus among executives.
Does that sound like any security programs that you are familiar with? Based on various recent blog posts, podcasts, and conference topics, I’d guess that these might be common descriptions.
Can you blame organizations for not resourcing or supporting cyber security programs if this is true? When a cyber security program is always flailing about chasing the latest shiny thing or state actor APT, less time and resources are available to expend on the beautiful basics of cyber security.
You know, the basic vulnerability mitigations and the poorly thought through actions that have a high likelihood of actually happening, as opposed to whatever gets a lot of media time or vendor focus.
But all of these things previously mentioned are just symptoms.
At some point we have to recognize that there is a common denominator for all of the symptoms. The buck has to stop somewhere.
If only there were a role or set of roles in a cyber security program that owned the following:
- Defining and analyzing cyber security risks and goals
- Balancing best practice appropriately with good practice
- Building consensus and understanding among executives
- Identifying and reducing friction with users
- Prioritizing work
- Providing a trained team
- Executing against objectives
Oh, wait. There are roles that own these activities. It might be your CISO or whoever the senior cyber role(s) might be. Perhaps, within those roles is where the changes should begin.
So dig deeper into your own program.
- Where can you bring more clarity to the executives and the team?
- What can be done to ensure that gaps are identified more quickly and more clearly defined?
- How can deeper consensus be built on risks, approaches, mitigations, prioritizations, and outcomes?
- How can we better train the team on technical issues and also engagement skills such as negotiations and proactive identification of security friction?
- How can you reduce the confusion and distraction of inefficient activity and replace it with actual forward progress in the cyber security program?
Answering these questions will take leadership. Leadership helps to bring more order to any cyber program. “Order” might bring some fixes to what’s broken in cyber security.
Asking cyber leaders to be leaders rather than just additional engineers or analysts might help too. Perhaps, it’s us as an industry and not the execs that need fixing. Today’s solution of just moving on after 12–18 months certainly won’t provide a fix.
Let’s grow cyber leaders that deal with the root causes and not the symptoms.
That’s a call to action focused on the right things.