Source: CSO Magazine On:
When I first entered the cybersecurity market in 2003, I’d already been working in the IT industry for about 16 years in storage, networking, and telecommunications previously. By the early 2000s, all three sectors had moved on from bits and bytes to focusing on how each technology could help organizations meet their business goals. Oh sure, we still talked speeds and feeds, but we led with things like business agility, productivity, and cost cutting. The technology was a means to an end rather than an end in itself.
When I got to the cybersecurity industry, I was surprised by what I saw. Unlike other areas of IT, cybersecurity was still deep in the weeds, focused on things such as IP packets, application protocols, and malicious code. In other words, cybersecurity remained a “bottom-up” discipline as the cybersecurity team viewed the world from networks and devices “up the stack” to applications and the business.
Fast forward to 2019: The world has become a lot more dangerous based upon a wide variety of sophisticated threats. In the meantime, IT has expanded horizontally, driven by mobility, Internet of Things (IoT) devices, SaaS, cloud-based workloads, etc., thus greatly expanding the attack surface. In the meantime, business executives now recognize two important realities: 1) Most of their business processes are anchored by IT, and 2) A cyber attack and/or data breach could happen at anytime and lead to devastating consequences.
In the enterprise market, business executives now “get it” and are all in on cybersecurity. For example:
- Cybersecurity is seen as a business priority. According to ESG research, 40 percent of organizations say strengthening cybersecurity will drive the most technology spending over the next 12 months. (Note: I am an ESG employee.) Strengthening cybersecurity tops all other business initiative.
- Fifty-eight percent of organizations will increase cybersecurity spending in 2019, while 40 percent will maintain the same level of spending as 2018. Clearly, business management is willing to throw money at vexing cybersecurity challenges.
In general terms, this is a good thing for cybersecurity professionals and the industry at large, as it equates to more money, resources, focus, etc. As business managers become more engaged with cybersecurity, however, this focus must be accompanied by a major philosophical shift. Business people don’t care about IP packets, buffer overflows, or encryption; they care about protecting critical assets and maintaining ongoing business operations.
Based upon this fundamental and ongoing change, I believe that large organizations must embrace a “top-down” mentality toward cybersecurity management. Top-down cybersecurity starts with protecting the business mission, objectives, and processes and then aligning these priorities with the right controls and monitoring “down the stack” (i.e. the applications, servers, networks, and data/storage that support the business).
Top-down cybersecurity management: It’s time to walk the walk
I’ll be the first to admit that top-down cybersecurity isn’t new – leading CISOs have pushed this type of agenda since CISOs were first hired. Nevertheless, I find that many organizations talk the talk, but can’t walk the walk. For example,
- Sixty-eight percent of organizations say there are instances of sensitive data on their networks of which they are unaware. This indicates a gap between business processes and cybersecurity monitoring and controls.
- Sixty-two percent of organizations claim that it’s difficult to measure ROI on cybersecurity spending. In this scenario, CFOs ask an obvious question: “What am I getting for my money?” CISOs need real metrics to demonstrate value here.
- Cyber risk management assessments tend to be done on a periodic basis for compliance or IT audits. This is antithetical to the business need for continuous risk monitoring for driving real-time risk mitigation decisions.
Cybersecurity has become an overwhelming task where few organizations have the resources, skills, or time to keep up with the ever-growing workload. Therefore, CISOs must focus resources and energy on protecting critical assets, business processes, and IT initiatives. This is the foundation of top-down cybersecurity.
How to ensure top-down cybersecurity management succeeds
A few closing thoughts on how to ensure top-down cybersecurity management succeeds:
- Top-down cybersecurity management must be anchored by continuous risk monitoring across the extended enterprise (i.e. cloud-based workloads, mobile users, SaaS, third-party risk management, the threat landscape, etc.).
- Top-down cybersecurity management will be built on a foundation of data security and identity management, the new security perimeters.
- Top-down cybersecurity management includes well-managed micro-segmentation.
- Organizations will need a strong cybersecurity culture and training for top-down cybersecurity to succeed.
- CISOs must work with CIOs to embed cybersecurity knowledge into the entire IT organization. Furthermore, the cybersecurity staff must work within business units to establish and enable a cooperative business/cybersecurity relationship throughout the organization.
- Top-down cybersecurity management may require a new type of CISO. Industry organizations and higher education institutions should take note.