CMMI Institute

The Top Cybersecurity Challenges of 2018: What Enterprises Are Saying

By E. Doug Grindstaff II, CMMI® Institute Sr. VP of Cybersecurity Solutions

Throughout 2018, I was privileged to talk to literally hundreds of CISOs, CIOs and CEOs as I spearheaded the launch of the CMMI Cybermaturity Platform. Those conversations provided many insights into the problems that organizations continue to face in the fast-changing realm of cybersecurity, with several issues emerging as almost universal concerns. In this post, I share the five top challenges emerging from all those 2018 conversations; in a companion piece I suggest some approaches to address them in 2019.

Challenge #1: Framing Cybersecurity in a Business Context

The first and perhaps most pressing issue is that despite all their efforts to date, CISOs and CIOs still struggle to communicate cybersecurity issues to the board. My conversations led me to an epiphany about why: Too often, they are unable to adequately frame cybersecurity in the business context that boards and other executives relate to best. CISOs still present cybersecurity issues to the board as technology problems—which naturally leads to a focus on solving them using technical controls.

But today, cybersecurity is not simply a matter of putting the right controls in place; it is about identifying and mitigating the biggest risks to the enterprise. No organization has unlimited resources, and in any case no controls exist that are capable of stopping every attack. The goal is to direct resources to the organization’s most important risks in order to achieve cyber resilience: The ability not only to prevent the vast majority of attacks but to survive and minimize the impact of the few exploits that inevitably succeed. And that requires a holistic strategy that permeates the entire organization from the top down, including governance, the development of robust security capabilities, and building a strong cybersecurity culture among all employees.

In order to focus the board’s attention on building cyber resilience, CISOs and CIOs need to present information in language the board understands, by framing security issues in the context of the business risks that they present. Those risks will vary based on the organization’s mission and the industry in which it operates. For some organizations, the biggest risk is the theft of intellectual property; for others it may be the destruction of critical assets or brand reputation. Using the language of business risk elevates the discussion to a strategic level, enabling the board to understand where the organization should focus its cybersecurity investment—and why it must continue to do so.

Several of my other top challenges are related to this pressing issue.

Challenge #2: De-Risking to Avoid Terminal Impact

The business risk-focused approach may reveal that some cybersecurity risks could have a potentially terminal impact on the organization—they could cause financial losses, reputational damage or operational disruption that the organization simply cannot survive. Therefore, the top priority in cybersecurity strategy should be to identify the biggest risks and then de-risk them by taking whatever measures are necessary to reduce risk to an acceptable level. This de-risking approach is vital to ensure the organization’s continued existence.

Now, think about how to frame cybersecurity de-risking in a business context. Venture capitalists provide an instructive analogy because, as Leo Polovets of Susa Ventures writes in his post, How to De-Risk a Startup, “startups are collections of risks, and … the best way to make progress on a company (and to get higher valuations from investors) is to address the biggest risks as quickly and thoroughly as possible.” Sound familiar? Just as a VC would de-risk a startup, CISOs can frame for their senior executives and board how the organization needs to understand the size of its risks and which of those risks are potentially terminal (for example, an online bank losing customer access), and then explain, in a disciplined way, the steps for de-risking that potential threat: the loss of business, or the loss of value, that could result from a relevant cybersecurity breach.

Challenge #3: Tailoring Strategies for Different Parts of the Organization

Many organizations have multiple business units, and operate via extended networks of business partners, including their supply chains. To be effective, a cybersecurity approach must encompass all of these elements. But each of these parts of the organization has different business priorities and therefore faces different business risks. So a one-size-fits-all approach to security—which remains the approach taken by many organizations—doesn’t make sense. Instead, the organization needs a collective set of cybersecurity programs, each tailored to a specific set of business risks.

When it comes to the supply chain, many organizations have already recognized the need to manage the risks of compromises at key suppliers. Unfortunately, the approach to managing those risks has often been ineffective, consisting of simplistic questionnaires that reveal little about the true state of the supplier’s cybersecurity, or writing contract clauses that threaten huge penalties in the event of cybersecurity problems. Clearly, to mitigate supply-chain risk, organizations need to find ways to delve deeper, to better understand and influence the way their suppliers approach security.

Challenge #4: The Expanding Cybersecurity Regulatory Universe

A chart tracking the worldwide increase in privacy regulation would show a sharp hockey-stick acceleration in 2018, as Europe’s GDPR came into effect and California passed sweeping privacy regulation. Many organizations are still wrestling with the challenge of how to organize and manage their response to this expanding universe of regulations, which have different yet overlapping requirements—a challenge that will become more acute as further privacy and cybersecurity regulations emerge in 2019 and beyond.

Challenge #5: CISO Turnover

Amid a chronic cybersecurity skills shortage, the rapid pace of CISO turnover presents serious challenges for CEOs, for CIOs and for organizations as a whole. Tenure is often measured in months, rather than years. As one CEO put it, each new CISO “brings their favorite homemade brew to the party”—reshaping security strategy based on their own preconceived opinions and preferences. When this key role changes hands, organizations often struggle to maintain a consistent, effective cybersecurity strategy—one that is based not on opinions, but on the organization’s primary risks.

An Extraordinarily Challenging Year

For many of us who are immersed in cybersecurity, 2018 was an extraordinarily challenging year. Yet it also underlined the fact that security is one of the most important, dynamic and continuously fascinating issues for enterprises. In my companion post, I discuss approaches to addressing these challenges in 2019.