Meet Simon. You probably have quite a bit in common with him because, as the chief information security officer (CISO) at an organization managing hundreds of users across multiple destinations, he’s responsible for ensuring that the organisation is secure from internal and external data threats.
When it comes to cyber security, the buck stops with Simon.
Simon knows a ton about cyber security: he’s read the books, attended the conferences, and may even have a certification or two. He has been there and done that, and has the t-shirts and name badges to prove it!
The problem is that, as qualified as Simon is, he works in a very complex and constantly changing environment, and unfortunately he gets little support along the way, considering the size of his company.
He works with multiple vendors and applications in his role, none of which talk to each other, and he is required to single-handedly wrangle these together whilst simultaneously managing the needs and expectations of the company’s stakeholders.
Legacy issues
In his role, Simon has inherited cyber security technology from the company’s IT services provider as a value-added service. But like most CISOs in his situation, he is only able to make use of about 40%, on average, of the capabilities of the technology he purchased; one of the reasons is that he has little to no support or staff to make the most of it. In some cases, his executives have made technology decisions because someone knows some guy who knows some guy; in these cases the technology is paid for and installed, and the provider walks away after making the sale, without really providing skills transfer in the process. If Simon does want services to ensure the value is received, he is charged a premium that delivers very little business value beyond the default features of the tech installed. Simon thinks there must be a better way!
The knowledge gap
Simon just doesn’t have practical experience with the technology and relies on his contact at a systems integrator for cyber help. It's easier to just make one call and get his cyber needs at least partially answered.
But how does he know that the contact is doing the right job? Simon has no access to any continuous measurement that could prove that the tech is actually doing its job.
Simon finds it really tough in the market, as there isn't a community of resources for him to leverage or bounce ideas off to ensure his strategy will defend the organization he represents. He could really use some kind of proactive knowledge base where he can do a quick search for his concern, or a forum where he can discuss challenges without peers thinking he is asking for IP; after all, they have the same common enemy, the hacker!
Company buy-in
Despite not even having played a role in the initial investment in quality controls, Simon knows he has to prove that they are doing the job.
Internal and external threats need to be measured. How many disasters has the tech prevented? Can the latest threats get through his current defences? A once-off, expensive red team exercise is only a snapshot in time; how does he get a better, proactive view of exploitable risks in the environment?
Simon is there to “fix this IT cyber thing”. There are expectations, but there’s very little help from the business itself due to its lack of understanding. As a CISO, Simon is there because in some cases it is a regulatory and audit requirement, and in others it is a critical requirement; the struggle the business has is understanding that he runs not a cost centre but a risk centre.
He needs company buy-in to protect against penalties and non-compliance. He is glad that at least a few local breaches have escalated cyber concerns, and that privacy concerns are changing the conversation, but he is still fighting for budget and mindshare around every corner.
Measure for measure
Every year Simon also has to manage the audit team. They have their own perception of what “security” should be and are constantly changing the playing field.
They want data and facts that prove that the hundreds of thousands the company has spent on cyber security technology are providing a service that can be measured. Simon needs to prove that he can be trusted to deliver on promises that he didn’t make in the first place. In some cases, his KPIs are built on profit metrics for the business, which really confuses the conversation: do more with less, and ensure we are protected at the same cost!
If Simon had a way of measuring and then reporting on his mandates, he could demonstrate how well he is delivering on his KPIs and tangibly demonstrate company savings.
Without those measurements, he may have no hope of a year-end bonus payout.
Social engineering and education
Education around cyber security risk and social engineering is mandatory, but it’s a massive undertaking. Simon could really benefit from resources and support. Again, a knowledge base and access to experts in the field would really help him get this done better and faster. Simon also realises there are better ways to address these concerns: a service provider that is skilled and prepared to offer service guarantees should they not deliver. This is unheard of... however, being aware that there is an organisation that offers these service guarantees, he believes they could not only support his KPIs and bonus, but also that if they don't deliver, he doesn't have to waste the company's money on another provider that didn't put its money where its mouth is.
This kind of engagement will allow Simon to put all the relevant structures in place and manage specific outcomes relevant to the KPIs of his role.
A knife to a gunfight
The trouble with the bolt-on cyber security offered by IT service providers and, in some cases, integrators is that Simon can’t be sure of the experience and expertise of the people assigned to him, and they usually change quite regularly, which does not guarantee continuity in his environment.
There is a massive shortage of cyber security talent; in fact, by 2020 there will be a shortfall of 3.8 million cyber security resources.
Big cyber security firms are forced to employ new graduates and less experienced or qualified people to fill these gaps, and the skilling will take time; Simon does understand this.
Should something as important as cyber security be entrusted to rookies? Especially without continuous supervision? That may be a bit like bringing a knife to a gunfight: ill-prepared to provide the defence that is required to prevent security threats.
Service - S.O.S.
The biggest issue for Simon is that he has no real service guarantees from his cyber security provider. So he has to TRUST! Simon understands that trust alone won't keep him in a job, so he actively looks for assurance; that's how Simon knows he changes the game.
If he signs an SLA and the cyber security provider says they will implement the tech, there’s no guarantee from the provider that the security situation will improve. Would there be any benefit to measuring on a continuous basis?
There needs to be a service guarantee; Simon knows that will ensure service, as he has trusted one too many times. Without a mature environment or a guaranteed level of service, there really isn’t any service, is there?
Poor Simon, he really has his work cut out for him.
Out of interest, what continuous measurement do you have in place for your cyber security?