The evolutionary nature of cybersecurity requires professionals to focus on a multitude of criticalities. We must chase technology innovations, develop novel risk theories, seek insights into evolving threats, institute new controls practices, and push the boundaries of capabilities, cost efficiency, and relevancy outward in the pursuit of better computer security. It is a never-ending race to maneuver for an advantage, driven by both valid concerns and irrational fears. Some paths we take are worthy and many are not. In this pursuit, we risk being distracted from the fundamentals of cybersecurity.
Certain aspects of security will always hold true. They are based upon the nature of adversarial conflicts and persist over time. Attackers and defenders. Predators and prey. Security professionals must be vigilant in following these timeless concepts and how they specifically apply to cybersecurity. We must not allow ourselves to be distracted and forsake the basics of protecting computing systems, information, and services.
Risk management leadership, understanding the changing threat landscape, and establishing effective controls are fundamentals which drive the way security is perceived and how problems are approached, evaluated, and solved.
Three Tips for Stronger Risk Management
The very best security organizations all have one thing in common: a leader capable of navigating, commanding, and delivering results. Cybersecurity is difficult and ever changing, so strong risk management leadership is crucial. The security mindset drives action and is essential to every organization serious about defending its electronic assets, capabilities, and sovereignty.
- Seek optimal risk. Security comes at a cost — attempting to eliminate all loss is not realistic. Identifying the right tolerance of risk is challenging, but necessary to define success. There are tradeoffs to consider in that the triad of risk, cost, and productivity must be balanced. Investments in controls must be rationalized against the costs to acquire, integrate, and sustain capabilities, and also tempered against the user impact and productivity impediments which may be introduced.
- There is no room for superfluous activity. This is a race, best run with minimal burden and by relentlessly following security basics, leveraging best practices from across the industry, and developing a highly adaptive set of capabilities. Attackers hold the initiative, and their actions are what justify investment in defense. By its very nature, security is responsive and must remain flexible enough to adapt to the maneuvers of the threats. Take a lesson from the Maginot Line of World War II: it nearly bankrupted the country, only to result in a fixed fortification that did little to protect the nation from invasion. Security must be fluid and not waste time, energy, credibility, or resources on expensive missteps.
- Keep morale high. Security can be unforgiving for practitioners, viewed as a cost sink by management and an unnecessary nuisance by users. The deck is stacked against us. Deal with it and don’t let that stop you or distract your focus from consistently following good practices. There is no finish line. Communicate up to executives, down to operational teams, and across peers as necessary to gain lasting support, confidence, and cooperation. It is a continuous state of effort, just as quality or customer service requires relentless dedication. Stay rational, settle in, build teamwork, and get comfortable!
Proactive management built around strong communication is the cornerstone of establishing a capable, sustainable, and balanced security capability. When you prioritize understanding the complexities and chaos of the threat landscape, as well as establishing effective controls, you will be on your way to properly fortifying your enterprise.
In the next installment of my series on the fundamentals of security, I will discuss threats and how they ultimately drive the needs and requirements necessary to achieve an optimal level of risk. Stay tuned to the IT Center for part two.