The silo we call security

Eighteen years ago, in the crowded shuffle of NYC, I had a packed day of back-to-back meetings to discuss information security with several large clients. For three years, this was my routine. In doing so, I learned a key point that has stayed with me since: security should be viewed through the eyes of risk. How much risk a business is willing to absorb, vs. shed. And that was the beginning of a long journey that led us here to 2018 with MeasuredRisk.

Today, the world is so different than it was back then. Blockchain, AI, MTD, Cyber Insurance, etc. Every innovation that has come about is driving a digital economy, with new risks and new opportunities. All of these innovations are moving us closer to automation, and in many cases mitigation. The race of defeating risk has accelerated, now with full gusto, and is driving companies to think and act differently. It’s also driving the vendor community to do the same.

So, let’s discuss this a bit more in detail.

Organizations have historically looked at information security (now often referred to as cyber) as a function of the business. That function is represented as an element of a broader whole that must operate to protect the organization from risk. Traditionally, this element has been staffed with technical leaders, developers, engineers and support roles. Its integration into the business fabric has been secondary, or tertiary. As a result, this function has been operating without systemic interplay with the broader business.

And, that hasn’t worked.

Budgets are created, spent and technologies are leveraged. At the same time, organizations have been breached at unprecedented levels.

What gives?

It’s time that leaders and board members decide to educate themselves on cyber risk. Relegating that sole responsibility to a CISO or CIO is a cop out. And it is highly negligent.

Boards and C-Level executives share responsibility for an organization’s risk posture, and that concept needs to be ingrained across the team. At the same time, the CISO has a responsibility for democratizing information to their constituents, in a manner that is understood, timely and ongoing.

Vendors have a responsibility to stop peddling fear and false hope, and to stop playing on the complexity of the problem space. That has contributed to the problems we are facing. Analysts need to be objective and look at a technology solution in the broader context of a system and organization, as opposed to crowning a “category” winner. This approach has driven the creation of hundreds of companies which are truly just features.

And the most important point here, is this:

Organizations need to move away from having an information security group, and quickly, to a culture of being a security focused organization.