CMMI Institute
Stop Fighting the Last Battle, CISOs!

By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions
If information security is war – and it is – CISOs at many corporations are fighting it poorly by looking backward, not forward. In all the time I’ve spent with hundreds of CISOs over the past few years, many can't seem to resist preparing for attacks that have already occurred. In other words, they’re fighting the last battle instead of anticipating the ever-evolving cybersecurity threats most likely to come at them going forward.
Meanwhile, everything we know about winning the information security war tells us that a CISO’s best strategic impetus is to develop cyber resiliency concentrated around his or her organization’s highest-priority business risks.
Dealing with the frustration and stress of the constant pace of change in cybersecurity may make it tempting to rehearse the known, regardless of its relative lack of value. CISOs learn of a breach that might have happened within their sector and then task their teams to find out whether they're ready to respond to that kind of breach. But constantly chasing the last breach, evaluating the readiness of your cybersecurity program based on how others were breached in the past, is a dangerous game. It may make you feel safer and more secure but at the expense of preparing your team to meet the next big challenge. Girding for some other company's six-month-old breach isn't much better than sticking your head in the sand.
Nicolaus Copernicus’ famous 1543 book formulated a model of the universe identifying the sun as the body around which the planets, including Earth, orbited. That book forced a shift in thinking away from the commonly held belief that the Earth was the center of the universe. A conceptual Copernican shift is needed in cybersecurity. At many companies, security strategy means compliance, which induces that backward look because regulators are likely to write new rules to defend against the damaging attacks they already know. The Copernican shift needs to move cybersecurity away from compliance and toward thinking about an organization’s culture, and how you're ensuring that culture has the proper situational awareness to be on top of potential risks and respond most effectively. An evolved cybersecurity culture eats strategy for breakfast because it is the path to cyber resilience.
How It's Done: Building Cyber-Resilient Culture
After a serious breach, a retail chain responded by developing a model culture that bred cyber resilience. The company hired people from the NSA, FBI and CIA. The security team identified the company's key threats as nation-states – with one, in particular, noted as a significant bad actor. Next, the company created a classification system for types of attacks, prioritizing them according to its own unique business risks. Because it had identified its anticipated attackers, it could use the known behavior of those attackers in characterizing and prioritizing attacks. It developed a team that learned to simulate the attacks that had the highest priorities. This team regularly tested the company's defenses using the tactics employed by their foes. The company evaluated the results, addressing areas of weakness.
The retailer also created employee training environments based on the different attack types. The training gave employees knowledge needed to recognize prioritized threats and take initial steps against them. Every quarter, new people were trained and evaluated. It impacted their pay scale. It was a key part of employees' performance reviews. It became ingrained in the everyday practice of how personnel did their jobs. Most of all, it was a continuous cycle.
This company turned a bad experience into a positive outcome, making itself highly cyber resilient in the process. It created an acutely situationally aware culture, well-trained in how to recognize and address any type of risk. It’s a culture that's continuously testing and reevaluating its defenses and has financial incentives in place to back up the company's resolve.
Look to the Next Challenge
To build security-resilience-driven thinking into your cybersecurity program, start by establishing a strategic plan of security practices, policies and priorities for the long term. To do this, companies must build a tightly aligned security mindset that extends from the boardroom to the frontline. Seek out sources of threat intelligence that will keep you continually informed on new and emerging risks. And see my previous post, Security Resilience in the Age of Rising Cyber Breaches.
An effective cyber resilience strategy has three elements:
  1. Mature security capabilities for managing cybersecurity risk, from cybersecurity planning and governance through incident detection and recovery.
  2. Workforce readiness because, although the workforce is our greatest point of vulnerability, it’s also our greatest opportunity for improving cyber resilience.
  3. An effective integration of security and IT operations.
For more information, see my post, The 3 Interlocking Elements that Build Cyber Resilience.
The CMMI Cyber Maturity Platform was designed to help organizations foster cybersecurity resilience. Cyber resilience is a never-ending goal because the threat landscape is highly dynamic. Major new threats emerge quite frequently. The CMMI provides a practical, objective method for assessing risk and measuring the organization's level of readiness to meet it.
The CMMI Cyber Maturity Platform can help you build and maintain cyber resiliency – and help you resist the urge to fight the last battle.