The Tactical Trap
Many CISOs struggle to look beyond day-to-day firefighting and get trapped in tactical games. We highlighted this last year in the context of our “100 Days” series and it is one of the major factors preventing organisations from developing better levels of cyber security maturity.
In many firms, this goes beyond incidents and the natural need to address those: It is often compounded by 3 structural elements literally trapping the CISO in tactical games, forcing endemic short tenures and creating the conditions for a systemic spiral of failure around cyber security.
First, corporate short-termism, which is still prevalent in many organisations amongst senior executive communities:
“In the long run, we’re all gone,” and anything that doesn’t affect the next quarter’s numbers tends to lose interest quickly. Cybersecurity issues are being pushed up to higher management levels due to constant media coverage of data breaches and possible GDPR fines. However, when faced with multi-year, seven or eight-digit security projects that would truly require the company to change its operations, those executives often fall back on decades-old compliance methods: seeking quick fixes and inexpensive tasks to “show progress” while keeping costs and disruptions low.
The issue with cyber security is that organizations dealing with these problems usually need a complete overhaul of their security practices, and “quick wins” are often not available. Achieving real and lasting change requires time. Just “fixing” fake quick wins has never been the foundation of any transformation.
Second, plain old office politics between IT and Security which have always been a component of the life of many CISOs, irrespective of their reporting line (and this is undoubtedly worse where the CISO does not report to the CIO):
Technologists are trained and incentivised to deliver functionality, not controls, and many, over the past decades, have developed a culture which sees security measures as constraints instead of requirements.
Many CISOs are constantly bombarded by “urgent” requests to define security measures coming from IT people who should know better but are just “passing the buck”.
The CISOs often feel that they would fail by not responding, not realising that this is a game they cannot win, and a form of political and emotional blackmail which must be avoided, especially outside large organisations where teams and resources tend to be smaller: The CISO and their team simply cannot be expected to be deep technical security experts on all technology streams and across all platforms, or to “drop everything” at any time to help projects.
Of course, they can rely on external skills (budgets permitting), but fundamentally roles, responsibilities and demarcation lines should be clear, and resources placed where they should be: The security of IT systems should be the responsibility of the respective IT teams. The security team should assist, validate and control while retaining a degree of independence. This is the spirit of all organisational models developed over the past 20 years around IT security. It should be clear and the CISO and their boss should have the backbone to enforce it.
Finally, in many cases, the greed of the tech industry, which is only aggravating the situation:
For each of those alleged “quick wins” or “urgent” issue to fix, there are countless vendors bidding to sell their stuff to put a tick in that box, irrespective of any bigger picture.
This is a pressure the CISO must resist. Over time, this accumulation of point solutions simply leads to a product proliferation problem which makes everything more difficult for the CISO and their team: From incident management to compliance reporting, security operations become burdened by the need to collect data across multiple platforms often in inconsistent formats, resources requirements escalate, and it aggravates the perception that security is just a cost and a pain, instead of a necessary barrier against real and active threats.
The CISO and IT must build the discipline to work with a small number of security vendors and service providers around which they can structure effective and efficient security operations, properly segregated, proportionate to the threats the business is facing and the resources available to fight them.
Clarity of roles and responsibilities across Security and IT, and a clear approach putting People and Process first ahead of ready-made Technology solutions, are the basis on which the CISO can avoid the tactical trap. It is also the only basis over which cyber security maturity can grow, across any organisation, large or small.
Originally published here.