Being a cybersecurity leader these days is… well, complicated. From standards, frameworks and policies to platforms, products and vendors, the cybersecurity roles within an enterprise, including the CISOs who oversee them, are faced with more complexity than ever, even as the visibility and pressures on them have increased.
As noted in a recent white paper on the Six Essential Tasks for State Government CISOs, the first imperative for security leaders is to manage complexity.
While some challenges are particularly acute for the state government CISO, many are common across all industry sectors:
- Complexity of threats and vulnerabilities—The threat landscape continues to evolve, and the potential impact of cyber-attacks has risen sharply, expanding from financial and reputational impacts to life and limb. Meanwhile, new vulnerabilities are introduced as rapidly as new hardware, software and their updates.
- Complexity of solutions—The marketplace of vendors and platforms, from which many essential security tools come, is crowded with start-ups and traditional IT companies joining security pure-plays to address growing demand. (Many of these vendors will not survive the inevitable market consolidation.)
- Complexity of requirements—From legislative and regulatory requirements to internal policies and industry standards, the “minimums” are not so minimal, with more regulation likely on the horizon as the government struggles to address national, homeland and economic security needs.
- Complexity within—Many enterprises struggle to understand, quantify and resource appropriately to mitigate risk. Meanwhile, a critical shortage of cybersecurity talent worldwide means organizations must do more with fewer qualified people, pay more for the ones they have, and suffer high levels of turnover.
Perhaps the greatest challenge is not even the degree of complexity but its relentless rate of increase. The rapid development of new technologies is alone sufficient to guarantee this, compounded by the many aforementioned dynamics.
The overall effect has been to increase “noise,” which introduces uncertainty, doubt and distractions when clarity is needed most. Tony Sager, of the Center for Internet Security and former senior official at the National Security Agency, has dubbed this the “Fog of More,” a play on words alluding to the impact of wartime chaos on the military decision-maker’s mind.
So how, then, can a security leader filter out the noise and regain clarity?
Industry leaders at independent authorities like the Center for Internet Security, together with Tripwire’s extensive work with cybersecurity leaders, suggest several ways:
Reassess the foundation
Much of the noise consists of good things, such as promising new technical solutions with many good reasons for adding them to the to-do or to-buy lists. But they may not deliver the return on investment that proven best practices do. We already know, for example, that the first five CIS Critical Security Controls address approximately 85 percent of the problem. By focusing on excellence in the essentials, a security leader can build a strong security program on foundational controls, assured that the most important things are getting done.
Strengthen the core
Building on a strong foundation also means taking the time and investing the resources to implement the essentials well, avoiding the tendency to “check the box” for critical controls like inventory management, security configuration management, and vulnerability assessment and remediation. In other words, it’s not about doing more, but about doing better.
Cut out distractions
Security—whether cyber or physical—is as much a discipline as it is a program. It’s about checking, re-checking, paying attention to details and maintaining vigilance when all appears to be normal. Here, the cultural and behavioral aspects are key, from the performance of security analysts to the oversight of the CISO. Being able to say “no” to distractions, including all the good things to do or buy, is a requirement for effective security leadership and helps the leader avoid “analysis paralysis” in time-sensitive situations.
No platform can solve all problems. At the same time, security teams are experiencing the pains of technology sprawl and are therefore forced to manage an increasing number of products and vendors. Often the right balance is to invest in robust, multi-purpose platforms that can address multiple security controls.
For example, a solution that discovers assets; monitors systems for configuration compliance; provides alerts on drift from compliant states; detects suspicious changes; and reconciles this data with patch updates and ticketing systems can address multiple security needs (CIS Controls #1-5 and #11) as well as compliance and operational needs. At the same time, increased automation and integration are necessary to reduce the burden on over-worked security teams.
There is no “silver bullet” in security. But a lot can be done—to do less and better!
The job of the security leader will not get any easier. But it can become clearer, more focused and ultimately, more effective in reducing cyber risks, enabling the enterprise while increasing the confidence of its leaders, employees, partners and customers. The first essential step is to effectively manage complexity.
You can see me talk more about managing chaos and complexity here: https://youtu.be/2LjCX6ultUI?t=14m
And you can download a recent whitepaper I wrote called “Six Essential Tasks for State Government CISOs.”