Last year, I wrote about the Verizon Payment Security Report saying it was ”Not Just for PCI.” Verizon liked that post enough to include its introduction in this year’s version. This recognition was a wonderful surprise. Like last year’s report, the 2020 publication goes well beyond PCI in its information and recommendations.
While PCI DSS forms the foundation of these reports and informs their content, the guidance is broadly applicable, and they could easily be rebranded as “data security” reports. I hope everyone responsible for data security takes the opportunity to not only read this year’s report but to also download the reports from prior years. Each report builds on the previous foundations, and the 2020 report provides an overall success strategy for CISOs and information security leaders.
2020’s Theme: Strategy
The 2018 and 2019 reports had decidedly tactical viewpoints, ‘how-to’ guidance describing the nine factors of control effectiveness, the five constraints, and the four lines of assurance. These concepts help build a long-term approach to data security maturity.
In 2020, the focus is on the CISO and using these tools to take a long-term, sustainable approach to data security. That forward-looking vision requires strategy in order to be successful, and strategy is hard work. Fortunately, there is deep and rich guidance in the Payment Security Report (PSR) for both new and experienced cybersecurity strategists.
Rather than go into detail on specific sections of the report, (And there are a lot including strategic management traps, business modeling, and security strategy.) I’ll discuss three main ideas that stood out to me.
Shift from Technology to People
Security teams are having to manage more security solutions all the time. According to the 2020 PSR, “most organizations manage a multivendor environment with between 20 and 70 different IT security products for monitoring and detection” (pg. 21). That’s a substantial cognitive load for any team, especially one continually struggling with the skills gap. While companies are actively trying to consolidate vendors and solutions, that consolidation also has a cost in real dollars, project time, and learning new ways to operate.
Tools will often ‘check the box’ for compliance without providing any additional security or risk management value. The reason for this is that even though these products automate difficult or impossible security controls, they do not operate by themselves. It requires time and expertise to deploy, tune, manage, and act on the information provided or to ensure the technology is offering the desired protection. With so many tools to manage, the value of automation is lost as analysts spend their time managing technology and not risk.
What does this mean when developing a security strategy? To start, when considering the short- and long-term goals, incorporate a people-focused approach. This means shifting dollars and time to investing in developing the skills of the security team and possibly looking to augment them with additional staff or outsourcing. Create expertise in one or two areas that improve the business model, business objectives, and security goals for the near and intermediate future. Building strength in fewer areas will be more advantageous than adding more tools. This will create a foundation upon which to grow year-over-year.
Balance Strategic Work against Immediate Tactical Needs
“Firefighting” is part of any IT work, and that includes security. Addressing the immediate issues confronting a security team is a critical need and cannot be neglected. However, space also needs to be made for strategic planning in order to implement the projects that will help advance long-term security goals and reduce firefighting.
Balancing strategic and tactical work isn’t unique to cybersecurity, though it may be a larger area of growth for a CISO than other business disciplines. Almost 60% fortune 100 CISOs came from IT and IT Security (Digital Guardian as referenced on PSR, pg. 22). That doesn’t mean a lack of strategic mindset, though often the focus and incentives in IT tend to be on tactical execution rather than long-term strategic planning. Further hindering a CISO’s success with long term planning is the short average tenure of someone in that position. For example, 80% of those fortune 100 CISOs have been in their current position for less than five years (Digital Guardian above, PSR, pg. 29).
The Verizon report describes this as the “CISO merry-go-round”:
Security leaders unable to achieve effective and sustainable control environments leave an organization prematurely, likely breaking any momentum gained on the delivery of a data security management program. It plunges the next CISO into an environment where they, again, are forced to focus on realizing quick wins, which in most cases are technology focused—with projects that drive strategic objectives ending up on the back burner. (pg. 14)
So how to break the cycle? Ensure all security work, from quick wins to policy development, supports the data security environment. Verizon lists the five elements of that environment:
- Security business model
- Security strategy
- Operating model
- Security framework
- Security program
The security program is where those tactical “quick wins” mentioned above fit it in. If done in isolation, these quick wins can fail to deliver on long-term value. Without the other four supporting structures, the security program is just a series of one-off technical projects. Security teams hop from one project to the next without clear direction.
A complete data security environment ensures the security program aligns with the operating model, and the operating model ensures the security program is adhering to the security framework. The security strategy guides the overall operating model, which frameworks to use, and the work to achieve the outcomes of the security program. Finally, the security business model is the overarching structure that sets the objectives, aligns the sub-components to deliver the most value, and drives business support for the strategy.
This is easier said than done, and the challenge of the executive security leader is to understand each of the five components and ensure they are aligned and reinforcing one another. In doing so, the data security environment will have a defined direction and well-known objectives. Also, every element will work together to ensure those objectives are met. I recommend reading the full report for a deeper dive into the data security environment, which goes into more detail about each of the components.
Define the Victory Conditions
Every project or activity in a security environment needs a defined purpose and outcome. Often a technology solution is put in place to meet an immediate tactical need or respond to a pressing security event. Reacting to the current security state comes with the territory. It is not, however, the desired end-state of a well-functioning security system. For that to occur, the desired outcomes must be articulated and aligned with the overall business objectives.
Defining the victory conditions provides a necessary target for developing a strategy. In fact, it is impossible to develop a strategy without this definition. Consider: how does one win a game of catch? The answer is that one doesn’t win or lose in “catch”; there isn’t any need for a strategy because the point is to simply throw and catch a ball to pass the time. It’s only when a victory condition is introduced that a need for strategy and tactics arises. If we replace ”catch” with soccer, rugby, poker, chess, or any other competition, it’s easy to understand how to win because it is defined in the rules. Knowing how to win and what the rules are now provides a context for developing a strategy to achieve victory. The same is true for cybersecurity.
How, then, do we define winning in this context? Unlike a game, there is no easy answer like “outscore the opponent” or ”capture the king.” It is up to each security leader and business to look to the future and describe what a successful, well-operating data security environment looks like as well as how they know they have arrived at one. The security leader must design the scoring mechanism by which success is measured and then determine the path to get there.
Finally, a scorecard isn’t enough to develop a strategy. In order to form a strategy, one also needs to understand the rules or, to use a better word, constraints. Rules are, after all, just a list of constraints that define the operating environment, as described more thoroughly in the 2019 PSR. Once the constraints are known, a plan can be formulated. Things such as budget, the headcount of the security team, the skill level of those members, regulatory environments, and business targets can all be considered constraints. Those are the rules of the game, and a leader will need to play by them as part of the winning strategy.
The Verizon Payment Security Report remains one of the most valuable assets for developing and improving a data security environment. Whether providing key concepts such as the nine factors of control effectiveness, the five constraints, or this year’s focus on strategy, the report is essential reading for security leaders. The 2020 report reads like a short textbook for a master’s level college course for CISOs, and it is full of guidance for developing and improving security leadership.