Organizations are demanding and implementing new solutions that enable them to streamline operations, cultivate new business opportunities and provide better service to their customers.
These new solutions require CSOs/CISOs to maintain protection of their organization’s and customers’ assets even while moving the control of networks, platforms, applications and data beyond the traditional technologies and boundaries of their organization. Adding network and provider layers, along with the operational uncertainty they bring, makes it more difficult to sustain visibility into the current security posture with assurance that a breach has not occurred.
In addition, the speed with which new solutions can be implemented has real financial consequences for many organizations. Meanwhile, the challenges posed by attackers continue to escalate in ability and complexity, and the processes to keep incident response plans up-to-date and effective continue to be deficient in most organizations.
For organizations that are undergoing a digital transformation of their business, the following are critical success factors that CSOs/CISOs need to consider:
1. Adaptability: The existing risk, security and compliance programs and controls must be able to adapt at the same rate that new solutions can be implemented.
2. Risk insight: The security risks imposed by new solutions, and the most appropriate countermeasures, must be assessed quickly and accurately.
3. Business resilience: The business needs to be able to initially adopt and continue to operate these new solutions securely.
Organizations that exhibit the most adaptability in their risk, compliance, and security programs are those that have gone through a security program strategy setting and rationalization process. This initiative helps to clearly identify the key controls and processes within the organization, understand how those key controls and processes enable the organization to meet risk and compliance objectives, and effectively communicate this information to the organization’s stakeholders.
Sounds simple, and it only takes two long sentences to write down, but every CISO/CSO knows otherwise. Budget constraints, skills shortages, technology shortcomings, and increasing attack volume and sophistication can conspire to push organizations from strategic planning, implementation, and operation into tactical, reactionary fire-fighting at worst, and, at the very least, into an inability to accomplish their objectives.
But no matter the current maturity of a security program, new demands created as a byproduct of the digital transformation process should be viewed as an opportunity to further refine the cyber-defense architecture and increase business resilience. Savvy CSOs/CISOs will ensure that the proposed adoption of new solutions includes the financial requirements to initially adopt them and to continue operating them securely.
Consider adopting a “bi-modal security strategy” that clearly delineates the existing security program’s key controls and processes (long-term, fully integrated), from any new proposed extension to them, or entirely new controls and processes (shorter-term, not fully integrated).
By adopting this “agile” mindset, an entire organization can be aligned when identifying the total cost imposed by new solutions. Additionally, your security staff or provider can quickly adopt any identified supplemental controls and processes with the understanding that they will be fully integrated into your strategic program over time. This allows for more rapid adoption of new solutions, and the opportunity to make long-term decisions on how best to integrate new controls and processes without jeopardizing a solution’s implementation timeline. You may, for instance, determine that a new control implemented with the solution can replace an existing control in your larger security program. This pragmatic approach allows you to layer and integrate solutions across an organization more effectively and cost-efficiently, reducing total cost of ownership (TCO) while increasing overall resilience.
Organizations demand that CSOs/CISOs speak the language of business. Risk identification and quantification are critical factors that enable stakeholders to evaluate TCO of any proposed new solution, and choose to either accept or mitigate the risks identified.
By their nature, digital transformation solutions may expose an organization to classes of information security risk with which it is unfamiliar. Quantifying the impact of exposure to new risk requires evaluating the financial aspects of the new solution in conjunction with the likelihood that an adverse information security event will occur.
Organizations that lack a global footprint, or that do not specialize in producing, analyzing and using threat intelligence, should seek a partner with real-world threat intelligence expertise who can tailor solutions to their specific business model and industry, and who can manage the proposed solutions’ technical infrastructure and processes.
Stakeholders can then evaluate the identified and quantified risks in the context of the organization’s risk tolerance, and better project the expected benefits the new solutions will provide.
The idea of bolting on security after the fact has proven to be a losing strategy. It costs more, takes longer, and often produces subpar results. Provider-delivered solutions – whether they are IT/datacenter, communications or application-centric – typically bring their own full-stack infrastructures into the scope of the primary solution.
CSOs/CISOs need to determine the level of control and accountability that they wish to retain or relinquish as a component of the solution implementation. Some choose to act as a general contractor and be the coordination point between the solution provider, a security specialist firm, and their own organization’s staff. Others choose to delegate that role to one of the firms as part of developing a secure solution.
Regardless of that choice, the reality is that the best opportunity for secure adoption and ongoing operation requires that the solution, security and organizational subject matter experts work together as a coordinated team to accomplish the following:
- Design, configure, and implement new solutions as securely as possible while retaining the features and functionality required by the organization.
- Account for the incremental risk identified to the organization.
- Identify the misalignments between a solution’s ability to provide visibility and controls, and the needs of the organization’s risk, security and compliance programs.
- Designate additional people, processes, services and technologies to “fill the gaps” and optimize the security of new solutions.
- Manage and operate the new or extended security program components efficiently and effectively.
One particular challenge is that subject matter experts typically speak different languages and pursue different goals. The rewards are well worth the effort – so much so that contractual terms should include a carrot/stick component to ensure that this integration of personnel is a goal for all parties.
Significant efficiencies can be gained by combining experts who possess a deep understanding of a solution’s inner workings and capabilities with security experts who are aware of the many technologies and services available to maintain and increase business resilience.
It’s easy to be overwhelmed by the demands of running an existing security program while simultaneously adopting new business solutions that utilize the cloud, mobile/remote computing, and/or SaaS applications. However, by developing an agile bi-modal security strategy, you can focus on accurately identifying and quantifying new incremental risks, and integrate new security controls and processes to enable business solutions with a high degree of cost-efficiency and optimal security.