Six ways security teams sabotage their own plans

It’s not always the bad guys that sabotage enterprise security efforts, sometimes organizations do that all on their own.

Here are six common ways:

Enterprises fail to plan

Too many organizations fail to create an information security plan that is purpose-built for their organization. When the right plan is in place, enterprises are able to get the security controls they specifically need to do everything that needs to be done to keep people, apps, and data secure.

A good security plan involves not only technical and development teams, but also the lines of business, legal, human resources, internal audit, executives and the CEO and the board. It also uses data (internal and external) and feedback to measure its effectiveness and costs and improves over time.

Without a plan, the enterprise is at significant risk of floating mindlessly from one threat to another and never getting ahead of the risk.

There’s no data classification

This is another big one. Enterprises that don’t know where their most valuable data resides – or even what their most valuable data and applications are, are flying blind. When data is classified, enterprises know where to invest their security resources, based on such factors as business importance of the data and systems to the running of the business, financial value, regulatory mandates that may control that data protection, and such.

By classifying data, not only is investments in security better known, but such efforts will also help to inform other areas of the security program such as incident response planning, and identity management and access privileges. Without classifying data, enterprises really don’t know where they should start, so they over-invest by trying to protect everything the same or the invest in the wrong areas.

Not coming to understand the specific organization and industry

Every industry is different. How a company whose primary asset is data will be secured differently than one whose primary service is transportation, which is different from the concerns on manufacturing and a research and development firm. Then each organization is different on its own in terms of culture and risk tolerance. Whenever a CISO is out of touch of their organization and their industry, the organization’s security program suffers because it’s not tailored to the demands of the specific industry or the risk tolerance of the organization.

There’s no alignment with security and business objectives

As organizations become more dependent on data and software services to operate their business, the alignment of cybersecurity teams and the goals of the broader business becomes even more crucial. Not only does the attack surface of the organization increase as the digital footprint increases, but the software and data becomes more central to the survival of the business.

Of course having strong security and business alignment requires good communication with senior leadership, but it also requires learning about each line of business, their objectives, and becoming more empathetic to their needs and helping them to better manage risk while obtaining those objectives.

Regulatory compliance drives security

This is always a bugaboo of mine. Enterprises get caught up on meeting regulatory demands and “checking those boxes” that they don’t actually focus on mitigating the actual risks of being breached. In other words, there’s a big difference between installing all the right security technologies, having someone called a CISO, and having all the right polices in place on the surface from managing all of these technologies properly, and supporting the program with the right processes enforced by security leadership who has actual authority. 

Business execs not involved in tabletop drills

Tabletop testing, an exercise which consists of team members having to respond, through discussion, how they’d respond to a realistic adverse scenario, such as an attack on their data or critical systems. Each participant must respond with how their organization would respond to the attack, and these exercises help to establish the right lines of communication are in place for the real event and that gaps in resources and capabilities are filled long before any adverse event occurs. It’s also essential business leadership sit on these exercises so they understand what each group is responsible for and how to help manage the organization properly through a live event should that ever be necessary.