I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios. The security posture of the majority of organisations is simply (as a broad-brush statement) far riskier than it needs to be.
Alongside this, there is a range of common challenges I find in almost every org:
- Lack of Cyber Leadership
- Lack of understanding of cyber risk at the board level
- A vastly skewed perception between the perceived cyber capabilities of an organisation versus its ability to protect against, detect, respond to, and recover from a skilled, human-operated cyber threat
- Significant under-investment in cyber / a lack of cyber budgeting
- Significant capacity gaps in human assets (overstretched teams)
- A lack of dedicated cyber security capabilities and people
- Huge levels of technical and cyber security debt
All of this leaves organisations in positions where they are either living with hope or they are creating piecemeal cyber capabilities which largely seem to be focused on point solutions and computer-based training, a sort of cyber security blanket (that has lots of holes in it).
Strategies I see in the wild include:
- Trying to do everything
- Trying to copy the neighbours
- Buying products but not having the people to operate them
- Hoping a new solution will solve all the things (it won’t)
- Doing a quick CIS Top 18 assessment and hoping that will magically solve cyber governance, strategy, and digital safety (it won’t)
The hard truth that you don’t see on LinkedIn so much is that cyber security is not one and done; it’s not found in a product or solution. It’s largely lots of small things, and a lot of it is about how you work as an organisation: how you make business, technology and human investments to deliver customer value whilst doing so in a digitally safe manner.
So, what are a few things to think about? Well maybe we can start with some questions to consider and reflect upon:
Cyber Security Governance & Leadership
- Do you have a CISO?
- Does the CISO report to the board?
- Do you have a cyber security budget?
- What percentage of revenue do you invest in cyber security?
- Do you have a documented enterprise risk appetite statement?
- Do you have a documented risk tolerance statement?
- Do you have a set of documented and communicated cyber security principles?
- Do you have a set of documented and communicated security policies which are written in clear language and are reflective of the current state?
- Do you have any third-party security accreditations/certifications? (e.g., ISO/IASME/CyberE/SOC2/CMMC)
Cyber Security Operations
- If a vulnerability is discovered, is there a defined, documented and well known/communicated process for reviewing, assessing, remediating, or accepting the risk?
- How did the vulnerability exist in the first place?
- What went wrong for it to be in the production environment?
- How could we stop this occurring again in the future?
Current State Analysis
I could go into a long list of questions from NIST/ISO/NCSC etc., but I want to keep this to a point where we don’t all fall asleep or end up in Excel hell.
It is however sensible to do a formalised discovery which covers areas such as:
- Drivers & Requirements
- Business Context
- Architecture
- Current State Capability Maturity
- Risk Analysis
- Threat Modelling
- Asset Understanding
- Data Flows
- Vulnerability Analysis
- Policies
- Controls
However, for this post, hopefully the first questions will give you a good initial feeling for where you are today. What you might find in many orgs is a scenario like this:
| Area | Current State |
| --- | --- |
| Technical Debt | High |
| Security Debt | High |
| Leadership Support | Low |
| Resources | Low |
| Authority to execute | Low |
| Budget Approved | No |
| Realistic Appreciation of Change Window | No |
Good god, Dan, are you trying to scare us? Well, no, not really. See, this is literally the scenario I have found in lots of organisations. I could tell you everyone has all the budget, resources, support and capabilities, with low levels of technical debt and a robust security posture, but I’d be lying.
So, what do we do?
Ok don’t worry you have options, you could:
- Bury your head in the sand and hope you don’t get pwn3d (hacked, for those who aren’t familiar with the term pwn3d!)
- Task your existing overburdened teams to SECURE ALL THE THINGS
- Try and improve a large number of processes and capabilities all at once
- Buy a blinky box which a salesperson said would mean you don’t need a SOC and all things would be secure (I’m sure they are trustworthy and wouldn’t lie for money, right?!)
- Do a quick 1-week assessment and leave the results on a shelf because they generated a long list of “what good looks like” and you have no idea how to do all of it, let alone have the budget for it
- Not do any of the above
I’m not going to lie; I’d pick option 6! There are way better (in my opinion) ways to go about solving organisational security challenges, but they usually don’t lie in top 5 lists or generic answers. They usually lie in a mixture of tactical and strategic change that is largely a business change programme rather than a security-for-security’s-sake project. That, however, is a post for another day (if I haven’t already written about it to death!).