It seems there’s no shortage of enterprises that fall short when it comes to protecting their information and digital assets. Most of the time you will see this blamed on new attack techniques, advanced forms of custom malware, and the rise in recent years of state-sponsored snoops and criminals. Security professionals have it tough, as their adversaries are always improving their tactics, no doubt. And the technologies their organization uses to boost productivity and provide new services are always advancing in areas such as mobility, cloud, data analytics, and soon the Internet of Things.
All of this makes information security an IT challenge unlike any other. But it’s just as true, if not more so, that security teams and enterprises do great harm to themselves and their efforts to protect the business. Here are a few common themes I’ve come across in my interviews through the years:
They align poorly with business management and teams
One of the biggest self-inflicted weaknesses is not aligning themselves, and staying aligned, to the business. One way this is done is by adopting risk-based frameworks that help companies to not only identify the risks their businesses face, but prioritize them based on their specific business risk.
According to the 2016 Global State of Information Security Survey, 91% of organizations say they’ve adopted a risk-based cybersecurity framework. How far they’ve actually gone down that path is less clear, but they do see tremendous benefits. Some 49% say that they can better identify and prioritize security risks, 47% are better able to quickly identify and respond to incidents, and 45% believe they are better at securing sensitive data thanks to their risk-based information security framework.
Of course, going down this path takes time and tremendous effort so, as the framework gets built out, finding ways to better collaborate and understand the specific business needs will go a long way toward better alignment.
There is a habit of relying too heavily on technology as “solutions”
Security technologies are improving their ability to detect advanced attacks, manage identities, and perform complex analysis of logs and system events. The frameworks and practices are maturing too. And the automation of software vulnerability testing is certainly improving, or certainly has the capacity to improve, software security and quality. But security is much more than blinking lights and dashboards (honestly, it is).
Security is about learning the business, the value of data and systems and intellectual property, and aligning the resources available for security in the most effective way possible to reduce the risks that matter. That not only requires deployment of rock-solid technology-driven security controls, but also understanding the intricacies of the specific business, the vertical(s) in which it operates, and the risk tolerance of the executives. It requires the ability to communicate technology risks and controls to business executives so they understand how all of this technology and data value translates into business risk. These communication and business skills are essential to help any enterprise understand the risks they face and what is appropriate to spend to reduce those risks.
They build policy and regulatory compliance empires
Too often security teams function as compliance organizations. They make sure they are compliant with internal policies. If they are regulated, they use those regulations - HIPAA, Sarbanes, or industry regulations - to gain security budget. The result is that many organizations end up staying focused on maintaining their baseline compliance controls. They check the boxes. Authentication: check. Firewall: check. Web app security analysts: check. This won’t stop motivated adversaries.
Security teams are copying the role of audit departments. To improve security, this should be flipped around: build effective security controls first and layer the reporting on top of those programs to feed regulatory and internal policy compliance monitoring. Audits should help monitor and provide guidance on where policy failures can occur, whereas security teams should help optimize security spending to get the greatest risk reduction for the budget.
There is a poor line of command for the CISO
While this isn’t something that security teams control directly, it’s something they must lobby for internally: in most organizations, the CISO should not have to report to the CIO. I qualify with the caveat ‘most’ because every organization is different, and no one-size-fits-all model will wear well on every organization. However, there are potential conflicts with the CIO that are antithetical to good information security. Not with every CIO, of course. But CISOs mention this potential conflict quite a bit.
Information security is not just an IT issue – it is systemic to the entire organization. Every employee, contractor, and board director must be involved. The CIO’s job is to roll technology out, often as quickly as possible. And while the quality of the software and services is part of the evaluation of the CIO’s job, information security is just a subset of that and not something that ranks high in a CIO’s job evaluation. For this reason, if adequate and reasonable security measures would slow an IT initiative down, there is great motivation for the CIO to overrule those steps.
But don’t just take my opinion on that. Surveys from the past few years also support it. A survey of more than 9,000 IT and security respondents found that those who worked in enterprises where the CISO reported to the CIO had 14% more downtime due to security incidents. Financial losses from incidents were 46% higher for organizations where the CISO reported to the CIO, compared to those where the CISO reported to the CEO. “In fact, having the CISO report to almost any position in senior management other than the CIO (Board of Directors, CFO, etc.), reduced financial losses from cyber incidents,” Bob Bragdon concluded in his post Maybe it really does matter who the CISO reports to. An earlier survey showed very similar results.
There’s little attempt by security pros to empathize with business users
Too many security teams fail to understand where their business and IT associates are coming from in the day-to-day business. Everyone is generally trying to get their job done and deploy new apps and technology, or improve existing ones. It’s security’s role to vet those changes for their effect on security posture, communicate the resulting change in risk posture, and provide feedback on effective controls to mitigate the risks along with their associated costs. What to do next is generally a business decision.
However, this isn’t how most security teams manage themselves. They are too often the organization of “No.” They attempt to block new initiatives altogether instead of trying to find ways to make them happen while cost-effectively mitigating risk. This is a great way to get steamrolled and ignored by people trying to move the business forward. Instead, try to understand where others are coming from and help them achieve their goals in the least risky way that is possible and affordable.
They’re not constantly measuring progress and working to improve
You should always be looking for ways to improve, such as keeping the security team aligned with the business. Too few security teams look for ways to measure progress and improve. Since information security doesn’t have a universal way to do this, teams can pick reasonable performance metrics to measure, and add metrics over time. Many key performance indicators can be used. Some may measure the team’s speed in identifying and responding to breaches, the time it takes to fix vulnerabilities and apply patches, the percent of budget spent on security and the publicly disclosed breach rate compared to industry peers, and more.
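As an added illustration (not from the original article), the following Python computes three of the KPIs named above from constructed incident and vulnerability records: mean time to detect, mean time to contain, and patch-SLA performance. The record fields, the 30-day SLA, and the dates are all assumptions chosen for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data, not real incidents. Timestamps are ISO-like "YYYY-MM-DDTHH:MM".
INCIDENTS = [
    {"id": "inc-1", "start": "2016-03-01T08:00", "detected": "2016-03-01T20:00", "contained": "2016-03-02T02:00"},
    {"id": "inc-2", "start": "2016-03-10T00:00", "detected": "2016-03-12T00:00", "contained": "2016-03-12T12:00"},
    {"id": "inc-3", "start": "2016-03-20T09:00", "detected": "2016-03-20T15:00", "contained": "2016-03-20T18:00"},
]
# patched=None means the vulnerability is still open.
VULNS = [
    {"id": "vuln-1", "found": "2016-03-01T00:00", "patched": "2016-03-15T00:00"},
    {"id": "vuln-2", "found": "2016-03-05T00:00", "patched": "2016-04-20T00:00"},
    {"id": "vuln-3", "found": "2016-03-10T00:00", "patched": None},
    {"id": "vuln-4", "found": "2016-04-15T00:00", "patched": None},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def hours_between(a, b):
    """Elapsed hours from timestamp string a to timestamp string b."""
    return (_ts(b) - _ts(a)).total_seconds() / 3600


def incident_kpis(incidents):
    """Mean time to detect (compromise start -> detection) and mean time to
    contain (detection -> containment), both in hours."""
    return {
        "mttd_hours": mean(hours_between(i["start"], i["detected"]) for i in incidents),
        "mttr_hours": mean(hours_between(i["detected"], i["contained"]) for i in incidents),
    }


def patch_kpis(vulns, sla_days, as_of):
    """Share of closed vulnerabilities patched within the SLA, mean days to patch,
    and the IDs of still-open vulnerabilities that have already breached the SLA."""
    sla_hours = sla_days * 24
    closed = [v for v in vulns if v["patched"]]
    within = sum(1 for v in closed if hours_between(v["found"], v["patched"]) <= sla_hours)
    overdue = [v["id"] for v in vulns if not v["patched"] and hours_between(v["found"], as_of) > sla_hours]
    return {
        "sla_rate": within / len(closed) if closed else None,
        "mean_days_to_patch": mean(hours_between(v["found"], v["patched"]) / 24 for v in closed) if closed else None,
        "open_overdue": overdue,
    }


if __name__ == "__main__":
    print(incident_kpis(INCIDENTS))
    print(patch_kpis(VULNS, sla_days=30, as_of="2016-04-30T00:00"))
```

Re-running the same functions each quarter over the real ticket export gives the trend the paragraph asks for, and the overdue list is the item to raise with the business owners.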
It’s a rough world out there. Every organization is facing more intelligent and motivated adversaries, and plenty can go wrong in an information security program: a trusted employee can turn bad suddenly for any number of reasons, or an honest employee can make a simple mistake that exposes the information of many customers. Intelligent attackers that target enterprises will have varying degrees of success – so there’s no reason security teams shouldn’t do everything within their control to avoid harming their own efforts.