Cybersecurity Strategy: Do LESS With Less
I know, the mantra is "do MORE with less." I think we're already trying to do too much in cybersecurity departments and it is time to change that mantra.
No, that's what I meant to write.
I know, the usual mantra these days in Cybersecurity is "do more with less." I think we're making a huge mistake with that attitude - we're making ourselves into an island of functions that alienate us from the business, and we seem to be rushing faster and faster towards that place. We're making enemies, not creating allies. And we're taking on more than we have the ability to do.
Administering Other Department's Systems
One legacy of cybersecurity programs I've seen is the preponderance for them to be responsible for administering systems that really belong to other departments. Don't believe me? Here are a few practical examples:
- Web content filtering - Isn't this an HR system? Every web filtering system I've seen since the beginning of time is more concerned about content types like "gambling" and "nudity" than about different types of security concerns. If your CISO is in the business of determining if content about weapons or swimwear is appropriate for access from corporate systems I'd say your CISO is doing the wrong job. In fact most of the web filtering solutions have one or two categories that could possibly be considered cybersecurity focused, and yet somehow many cybersecurity departments end up owning this system. Why? We could be stakeholders of a system owned by HR as opposed to HR being stakeholders in a tool we arguably shouldn't own.
- Vulnerability Management Systems - Isn't this an IT tool? Is your cybersecurity department really involved in anything beyond auditing the state of vulnerabilities in the organization? Is your program that immature that vuln management is a key part of your strategy as opposed to a routine part of IT's workflow? Why do you own this system instead of being responsible for simply auditing IT's work?
- VPN's, Remote Access, and the Like - Aren't these systems essentially just "the network" these days? Is this a fiefdom you need to own, or, again, would this be better served by handing it over to the IT staff?
- User provisioning - Isn't "role based access control" really an HR function? It certainly doesn't seem like security should own deciding who has access to what, or even executing on granting access to systems.
Accounting's Approach
Think I'm out of line here? Let's just consider one example from Accounting: your expense reporting system.
- Who actually administers that system? I bet you that there isn't someone in accounting with the title "expense system administrator." IT administers is. IT set up the authentication system. HR set up the approval hierarchy for managers to approve their direct reports' expenses. And while Accounting may have set up the ruleset, they're likely not the people creating the rules in the system.
- Who spends the most time in that system? I'm willing to bet that it is primarily the managers approving their direct reports' expenses while also submitting their own expenses. The back end of the system is likely very automated, and Accounting probably does periodic audits of the information, or gets involved in final approval of any overridden rules.
The real question is this: is your cybersecurity team there to administer systems or to be a strategic and tactical resource for keeping the company's data secure? Does spending time administering systems that you don't need to be responsible for help you be a better resource for those key goals?
End User Cyber Training
Ignoring the fact that this sort of training - phishing training, generally - has dubious practical impact, what other departments in your company are responsible for administering company-wide training? Does the shipping department run monthly shipping trainings company wide? Does the warehouse run monthly forklift trainings company wide? I'm betting they don't. But I'm willing to bet that if your company is large enough you have a training department. Is this not something that could be more appropriately owned by that sort of department?
Your cybersecurity team could be the key stakeholder creating requirements for the training, but you could leave the management and administration to the training team. That would give them the flexibility to choose a 3rd party to deliver the training, bundle that training from a 3rd party they already use for other training, or even build internal training themselves.
It Isn't About Empire Building, Is It?
That's a serious question.
Are you a CISO trying to build an empire, or are you a CISO trying to protect the business? You're being expected to be agile, current, and ready to address new threats daily. Seriously, you're inundated trying to figure out how to protect against all the new capabilities AI is bringing to the environment, aren't you?
How's the budget? You're not getting the headcount you need are you? I bet you're basically holding steady maintaining systems and solutions with your current budget, and you're having a tough time expanding new security capabilities.
So is your time, effort, and focus best spent administering, updating, and replacing tools, or do you and your team need to focus on solving new problems?
Benefits of Change
I believe there are at least three key benefits to doing less with less, that will pay you back many times over for rethinking how you manage cybersecurity as a department.
Streamlining Focus
There's plenty of work for your department to do, but you're spreading yourselves too thin to get it done. Much of this is because you're still hanging on to legacy activities and legacy tech that isn't core to your real mission and skill-set. Even if it is just one example - administering the building's access badge system for instance - you can free up your team to focus on more mission critical activities.
Stronger Partnership With Other Departments
Yes, you're offloading some work and some systems. On the other hand you're building important interactions and relationships with your peer departments. Working more closely with HR on cyber training and web filtering. Working even more closely with IT on VM and firewall admin. Working more closely with the physical plant team on the access-card system. Sure, you're giving up control, systems, and possibly headcount and budget, but you're becoming less of the "island of no," and more the integrated part of the bigger team.
Budget Space
Your team becoming more lean and focused means that the budget you were spending on systems and system administration are now at least partially freed up. Yes, you had to move some of it to your partner departments, but there's room for headcount efficiencies to occur, and likely even for tool and system consolidation, etc. allowing for overall cost savings. Your own budget becomes less of a significant item of scrutiny from the rest of the business, and you're able to be seen as a more efficient team.
What the Less With Less Cybersecurity Department May Look Like
Just like there is no such thing as a "one size fits all" pair of pants, there is no such thing as a universal cybersecurity department. That said, here's what I'd be focusing my cybersecurity department on if I had the opportunity.
Strategy and Future Planning
The business already expects us to be out in front. We were supposed to have secured AI the day Sam Altman told us all that ChatGPT was open for public business. We are supposed to already have quantum computing's ability to crack encryption in mere moments sorted out and defended against, even though it hasn't really gotten there yet. And we're supposed to have all the possible contingencies of deep-fakes sorted out already as well.
If we're supposed to be that superhuman, why not give ourselves the best chance by spending time on these questions before the business tries to integrate them (or worry about mitigating against them)?
Yes, I say some of this tongue in cheek, however I can tell you that I know exceedingly few organizations where cybersecurity was ready for AI before the business started using AI. That's a trend I can trace all the way back to remote access, email, FTP...
Governance
While we've come a long way from the old days, there's still this inherent bias that cybersecurity is the responsibility of the cybersecurity department. While we all "know" that isn't true, we still allow ourselves to act that way in many instances. There are obviously some places where this definitely "IS" the responsibility of the cyber team, but it is this thinking that makes cybersecurity an "add on" to the business rather than a core responsibility of the business. Approaching our work more the way legal or finance does means we shift the responsibility for the day-to-day to, well, everyone in the organization, and we take a more governance, policy setting role.
Business Alignment
When we stop trying to be the judge, jury, and executioner we free ourselves to become better aligned with the business. We can spend more time helping the business make good business security choices and less time on chasing our own tails.
Is this all the fever dream of someone fed up with what cybersecurity has become?
Perhaps, but I know I'm not alone in recognizing that we're not on the right path. CISOs are being removed from companies almost as quickly as they were elevated to the C-suite in the first place, and I believe a lot of it is because of our approach to securing the business. We need a different tack, and I'm suggesting this one. If you don't think it's right for you or your organization, fine. But I'm willing to bet what you're doing now isn't either. I hope that at the very least I've gotten you thinking about changes you can make for the better.