You will know the drill if you work in cybersecurity: something goes wrong, and immediately the recriminations begin. Vendors, customers, consultants and service providers form an orderly circle, face off, and begin blaming and shaming.
We all know deep down that this circular firing squad routine is toxic and counterproductive, but it is an all-too-familiar reaction, and it is symptomatic of a much broader problem.
CISOs are drowning in an ocean of tools that don’t connect or are too niche – and they have a shortage of people trained to use them. It’s the security equivalent of the tangled wires behind my telly that look like the back of the old Space Shuttle on its launch pad – with me ferreting around trying to figure out which is which.
So, how do we as an industry untangle this complex knot? How can organisations be confident that their multifarious security tools talk to each other across their tech sprawl and will work in unity to protect them, their shareholders and their customers in the face of ever-escalating cyberattacks?
Well, a promising start is the industry’s move toward standardisation through the Open Cybersecurity Schema Framework (OCSF), backed by a consortium of leading tech and security companies. It has an admirable aim: to enable better communication among the elements of the security suite – which in turn should help close gaps between applications and make the whole system more resilient and responsive.
But, like all major initiatives involving multiple parties, it will take time; and in my conversations with fellow CISOs, it’s clear that time is a luxury they can ill afford.
Recent high-profile cyber breaches have made boards of directors across Australia skittish, and they are not alone: 88 percent of boards globally now see cybersecurity more as a business risk than a technology risk, according to a Gartner survey.
That has only added to the strong and immediate pressure for corporations to make security and resiliency investments as digital transformation marches on, even in the face of economic uncertainty.
My invitation then is that we each take this opportunity to pause, reflect, and take full responsibility right now for our part in ensuring cybersecurity.
We can start by giving ourselves a break. It’s not as though we security professionals meant this to happen – and that’s sort of the point, which is why it is important to understand how we got into this cluttered mess.
I recently asked the CISOs I work with how many security vendors they work with. The answer was between 20 and 40, per CISO. No wonder most big organisations’ security solutions are disconnected.
We’ve seen the huge boom in offerings in recent years, but we haven’t approached them all that strategically. On the day-to-day treadmill of corporate security, the security team responded to crises, jumped through the hoops of each regulatory or compliance demand – and often did it by buying the cheapest, most targeted solution possible.
Or else they got the solution as part of a bundle, and it may or may not have been implemented. Either way, the security stack is too often the consequence of a series of such decisions, made under duress and often without the CISO’s approval.
Now, I understand the constant need to stay up to date with compliance, and to be seen to innovate. But when CISOs have inherited and/or acquired that level of complexity, the heart of the problem, as my colleague Kris Lovejoy, Kyndryl’s Global Leader for Security and Resiliency, has pointed out, is not a lack of standards. It’s simply too much stuff.
It is therefore incumbent upon us CISOs to pick and choose the correct tools and to take ownership of the technology and the decisions that create better outcomes for our organisations. This is often not the case today.
An important first step is the unification of IT operations and IT security internally within organisations. In most cases the two still function as separate islands of configuration, spending and responsibility – a sub-optimal situation, to say the least.
At the same time, we need to become cyber resilient, accept that some breaches will always happen and realise that it is how we respond to them that counts.
That means running regular cyber disaster recovery and continuity exercises covering all functions of the business that ask, for example: “If my primary data centre is down, what does that mean from a business point of view, and how can we recover fast to minimum viable business status? What do we do if Microsoft Teams is gone – how do we now communicate with each other? Where do we recover our backups from?”
This fire alarm testing work is not just about insurance capability; it’s about strategic business outcomes.
Finally, we all need to hold ourselves accountable, including vendors, consultants and service providers. Our job is to deliver the outcome for the customer, whether that’s through a system integration, one or two of us forming partnerships to align into the organisation, or another solution.
It means taking some level of ownership and trust: if a customer already has a technology within their environment, we make our best efforts to reuse it, instead of saying: “Oh no, you must buy my product because it’s the new fancy thing” (which just feeds the elephant in the corner we are trying to address here).
It means that when something goes wrong, we can’t just point the finger elsewhere and say: “Sorry mate, that’s not my fault/area/problem.”
And it means customers taking responsibility to tell squabbling vendors: “Stop fighting between yourselves. This is the outcome that I want; now go away and sort it between yourselves.”
So, yes, the industry’s collaboration on standardisation is welcome, overdue and vital.
But whilst it is worked through, let’s all form another circle, turn outwards and aim at the real enemy: the malicious criminals who are finding ever more inventive ways to attack our IT infrastructure.
Are you with me?