In times of economic uncertainty, security budgets are at risk of being cut as organizations tighten their belts, and security teams are expected to deliver more with less. We examine five common pitfalls that can be avoided at no additional cost and describe two complementary strategic approaches that set security programs up for success.
How are security programs set up to fail?
1. Organizations that give the CISO no platform for garnering Board-level support end up underinvesting in security. Contrary to popular belief, the CISO's reporting line matters less to the security program than having the right framework and resources in place to communicate with the Board. Unempowered CISOs without clear access to the Board lead to the following issues:
- The Board fails to fully understand the business impact of security issues, leading to a misalignment between risk management and security investment.
- The Board fails to recognize the positive influence that mature cyber security practices can have on the organization as a business enabler rather than a cost center.
2. Capturing the wrong security program metrics leads to blind spots. Although a vast number of metrics can describe the state of a security program, there is often a dissonance between the information reported to the executive team and the information that actually enables informed decision-making.
Organizations that fail to distinguish between tactical metrics, which empower security program leaders to drive operational activities, and strategic metrics, which provide a clear holistic overview of the security program, create visibility gaps for the executive team. A raw count of vulnerabilities found, for example, helps an operations lead plan the week but tells the Board little; the time taken to remediate critical vulnerabilities on internet-facing systems, tracked over time, says something about risk. When the distinction is lost, strengths and weaknesses in the security program go unidentified, and the leadership team has no clear understanding of whether security investments are reducing overall risk or whether the organization is trending in the right direction. These gaps are usually compounded by a compliance-centric approach to reporting and by reporting metrics that are easy to measure rather than meaningful.
3. Driving security initiatives through a compliance lens does not necessarily improve security posture. Compliance and security are related but distinct functions. While compliance with key regulations is an integral component of any security program, organizations that take a compliance-centric approach to security fail to prioritize resources effectively. Without a risk-based approach at the core of the security program, some of the biggest risks to the organization may be left unaddressed. Every organization is unique, so a one-size-fits-all approach does not produce uniform risk reduction.
4. Siloed security teams create obstacles to communication and collaboration. Sixty-five percent of organizations find it challenging to give security teams consistent access to the data that key decision-makers need. The result is fragmented teams, a resistance to change, and teams working independently without considering the requirements of key stakeholders.
Silos are not confined to security. Cross-functional collaboration is often inhibited between teams with a vested interest in security, such as Identity and Access Management, IT, and Financial Crime, by poor information-sharing practices and communication barriers.
Budgeting each team independently does not foster collaboration between security teams either: teams with their own budgets must often compete for additional budget or resourcing, which creates divisions and further reinforces information silos.
5. Rigid practices fail to adapt to the changing threat landscape. The threat landscape evolves at an alarming pace, and organizations that cannot change their processes quickly are set up to fail.
2021 and 2022 saw historically high levels of in-the-wild zero-day exploitation, continuous improvement in the capabilities of ransomware groups, and an escalation in the volume of supply chain attacks. Rigid security programs fall into one or more of the following categories:
- Failure to continuously monitor the threat landscape and dynamically evaluate its impact against the organization's risk tolerance.
- Inability to adapt the security strategy and allocate additional resources to add new capabilities and counter the changes in risk posed by new threats.
Security programs without a constant feedback loop of information and action stagnate while the threat landscape continues to evolve.
The recipe for success
Addressing these pitfalls can be achieved in two complementary ways:
- Communicate effectively at all levels. Security controls should be transparent to authorized behavior and obstructive to unauthorized behavior, which is only achievable through constructive communication between teams. Moreover, to drive security investment commensurate with the organization's risks, the pertinent information must flow from the security program to the CISO and on to the Board.
- Maintain an agile approach to security. "Because we've always done it that way" is one of the most dangerous phrases to hear in security. For any security program to keep its edge against adversaries, established controls and the processes that support them need to be constantly evaluated, challenged, and adapted to ensure they remain effective.