CMMI Institute
Solving the Top Cybersecurity Challenges in 2019

By E. Doug Grindstaff II, CMMI® Institute Sr. VP of Cybersecurity Solutions
CISOs, CIOs, CEOs and other corporate officers charged with cybersecurity and safeguarding their company’s assets must confront several key challenges this year, the most important of which is winning their board’s support for what I refer to as ‘a holistic strategy for managing cyber risk.’
In a companion post about the top challenges enterprises faced in 2018, I outlined why framing cybersecurity in a business context is the key to winning the board’s enthusiastic endorsement for such a strategy. Here, my focus is on how to do this, along with a few insights on how to tackle the other key challenges for 2019: defusing the biggest cyber threats to the business; tailoring a cybersecurity strategy to meet different business needs; coping with the growing burden of government privacy regulations; and dealing with the high levels of CISO turnover.
As I’ve noted before, 87% of board members and C-suite executives lack confidence in their organization’s level of preparedness against cybersecurity threats. But, in order to win the board’s support for a strategy that provides the necessary degree of cyber-resilience, CIOs and CISOs need to present it in language the board understands, by framing the security issues in terms of the business risks that they present.
A recent McKinsey article on cybersecurity puts it this way: “The holistic approach to managing cyber risk proceeds from a top-management overview of the enterprise and its multilayered risk landscape.” To reinforce this, the article includes an effective diagram that shows how cyber-risk management involves all parts of the organization.
Defusing the Biggest Threats
The goal of a holistic strategy is to take the whole corporate landscape into account, so that organizations can focus their cyber resources on the most likely and most damaging threats. Since no business has the resources to recognize, let alone address, every conceivable threat, it can only place tight controls on its most critical assets. And because business priorities are fluid and the nature of cyberattacks is constantly changing, it must do this by striking a balance between building resilient defenses and achieving operational efficiencies.
A holistic approach begins by helping the board identify the most important risks facing the company. Only then can it confidently allocate the resources needed to address and monitor those risks that exceed the organization’s risk appetite. But to properly gauge those risks, the board must be able to view them in business—as opposed to technical—terms.
Tailoring a Cybersecurity Strategy
The latest developments in the manufacturing sector offer a prime example. Most manufacturers are currently transitioning their operations from a traditional waterfall environment to one that is entirely digital, where, from the time a product is designed until the time it is produced, it is never touched by human hands and the entire production process takes place under digital control.
But while hugely advantageous from a production and product-innovation standpoint, from a security standpoint this poses a new and potentially catastrophic risk. If an attacker gets into the company's network and accesses its product designs, that breach could wipe out its competitive advantage. If the company's board understands the magnitude of this threat in business terms, namely that it is potentially terminal for the business, then it won't hesitate to endorse the policies, procedures and practices needed to de-risk and protect those critical assets. In other words, the way you enter into the conversation determines the kind of board decisions you get.
Complying with Privacy Regulations
Pursuing a holistic cyber de-risking strategy has the added advantage of making it much easier for a company to keep pace with mushrooming regulatory requirements. As jurisdictions around the globe increasingly target cybersecurity and privacy with new regulations (Europe's GDPR and California's sweeping new privacy law, the CCPA, leap to mind), organizations have become even more preoccupied with compliance than before, and they were already quite focused on it.
Yet compliance concern, while justified, should not become the focal point of a company's cybersecurity efforts. A different sort of mindset is needed, one that I've referred to before as a 'Copernican shift.'
Just as the astronomer Copernicus determined that it’s the earth that orbits the sun, and not the other way around, CISOs and CIOs must ensure that their company’s cybersecurity revolves around the real business risks that it faces—and not some set of government requirements, however well intentioned.
Such a shift in thinking is part and parcel of undertaking the holistic approach described here. It clears the way for an organization to focus on the cyber risks that are paramount to its business, by developing resilient defenses that detect and ward off established threats, while quickly adapting to new ones.
And working toward cyber-resilience also makes it easier to comply with new government regulations, because when the company is doing the right things to protect its business, compliance is the natural by-product.
Coping with CISO Turnover
For reasons that I’ll explore further in a future article, the CISO position at many companies is something of a revolving door. Tenure is often measured in months—not years—and each new CISO feels the need to put his or her own stamp on the organization’s security strategy.
That leads to inconsistency that can seriously undermine a company’s efforts to base its de-risking strategy on objective threats that can be quantified and measured—as opposed to the opinions and predispositions of each new occupant of the CISO’s office. To mitigate this problem, CISOs and others must base their controls on the assets and processes that their boards have deemed most critical, using the approach outlined above.
All the challenges described here are closely interrelated, and successfully resolving them depends on developing a strong cybersecurity culture with a holistic approach to risk management as its center of gravity. But each of these challenges also has its own unique demands, and in future postings, as we move through 2019, I'll explore many of them in greater detail.