Last week, I shared some of my take-aways from a large event filled with US Federal CIOs and CISOs – specifically around how to connect security to the mission. To continue that theme, I’d like to share more of what I learned – this time around the topic of getting everyone on the same page.
There were a number of observations about the difficulty of getting everyone to achieve “shared perspective” within organizations. These tended to cluster in a few areas:
- Traceability. A big issue is that there is often no explicit “linkage” of infrastructure, applications, etc. to the missions they support. From the discussion, this linkage exists on occasion, but seems to degrade over time. In other words, things may start out with clean edges, but as time goes by, infrastructure begins to be used for additional or new purposes, so that it becomes difficult to achieve traceability and clarity with regard to what is involved in a specific mission or business service. Often, as this “drift” occurs, weak documentation and unclear ownership just exacerbate the problem.
- Prioritization. In many organizations, objective prioritization is difficult because the relative priority of mission components is very subjective or perceived as a moving target. There was a belief amongst the participants that greater use of the NIST Risk Management Framework (RMF) will help create more consistency in this area, but it is a challenge to appropriately allocate and align resources when priorities are invisible, inconsistent, or haven’t been agreed upon throughout the organization.
- Training, awareness, and healthy habits. Training and consistency were big issues for a lot of the organizations in these discussions. There is a lot of variance in both practice and understanding of security fundamentals. Some of this seems to be rooted in a false sense of security, or naïveté – one panelist described this phenomenon as “Leaving your car unlocked because you feel safe parked in your gated community.” Bad habits put the mission at risk, regardless of intent. One of the recommended approaches was to move to a model that teaches a “mindset” of security rather than a specific set of items learned by rote; in other words, teaching skills vs. a checklist approach.
- Stale assumptions. There were a number of examples of program assumptions and categorizations that had become outdated or “stale” because they were not re-evaluated in the face of changing conditions (mission priorities, new threats, resource changes, etc.). There was a general feeling that we need to improve rigor when it comes to updating and questioning our original assumptions to ensure that we keep up with current conditions.
Do these sound familiar to you? What other challenges get in your way? I’d love to hear from you – with both challenges and solutions.