Is Your Security Program Stale?

Forbes Technology Council

Chief Technology Officer at Deepwatch.

Amidst Shields Up and with the broader enterprise community becoming more aware of both longstanding and imminent threats, much of the cybersecurity conversation in the C-suite is turning to security programs. These management tools provide a solid governance structure to operationalize security, and they focus cross-team tasks around well-defined goals. At the same time, what I see over and over again is that the execution playbooks for security programs do not actually improve how well you manage your cybersecurity risks.

It seems unfathomable that a security plan and playbook don’t improve security. However, the sooner we can distinguish the differences between effective and stale cybersecurity programs, the sooner we can be prepared as threats increase in volume, speed and sophistication. Just as important, the better we can openly discuss security programs, the better the relationship that develops between the CISO and C-suite. Security is dynamic, complex and never-ending. This requires trusted teamwork and agility for success, regardless of job title.

Based on my own work partnering with companies on rapid response and threat remediation, I’d like to suggest common areas of improvement. As a first responder in cybersecurity, I welcome continual enhancement and review of security programs, since every microsecond counts. The stronger your program, the stronger the team and components. My hope is this sparks dialogue across your teams to operationalize security and keep sight of the end goal: Protect what matters while navigating changing risks to succeed in business.

Custom design for relevant security.

An obvious yet common issue is the program itself. While templates and peer plans are helpful, you cannot copy and paste cybersecurity programs across organizations. Each enterprise contains a varied set of workflows, personnel and technology that is specific to that organization, industry and ecosystem. A replay of your prior company’s security program rarely covers the most concerning risks. Though there is room for standardization, custom fitting your plan increases the chances it will positively impact your business.

Take time to consider your tech debt, your people and your processes. This takes time upfront, but it can save millions of dollars and far less disruption should an attack occur. It can also reduce spending. I cannot count the number of times I see companies with preexisting security solutions that they are not fully using to their advantage. Particularly as you onboard remediation teams, you can automate, connect and better utilize existing tech to strengthen your program.

Next, with your unique organization in mind, consider your most significant risks. This might be an inability to run payroll. Or, if you’re a steel mill, it may be unauthorized changes to your furnace temperatures. A food and beverage company might protect ingredient formulas or prevent tampering with the production line. Starting with the diversity and custom view of your business helps avoid fruitless efforts and increases the chances you’re actually securing what matters most. Understand your unique environment and risks, then customize your security program around your business.

Manage complexity with timelines.

Considering the vastness of today’s networks, including IP-enabled devices, proprietary protocols and hybrid on-prem and cloud deployments, security is no small task. One way to wrangle the complexity is to utilize timelines. This is especially useful for aligning the specialized skill sets and teams you will need. Your security program can take a “low and slow” approach to make risk management achievable.

Consider monthly and quarterly security roadmaps in your program that you regularly verify, rather than only annual or five-year plans. By verify, I mean getting hands-on, not paper-based, to review configurations, check accounts and scrutinize logs and data-led alerts. Was budgeted technology actually deployed? Is it implemented correctly? Has the data collected been compiled and analyzed? Is the data connection live and working 24/7? Disciplined checks against the plan can clean up and document many issues that, if left unchecked, could lead to more considerable security issues. Consider how often years-old vulnerabilities are exploited by attackers—evidence that verifications are not routinely done and your plan is, in fact, stale.

Another common mistake is not recognizing just how long it takes to reach the next level of cybersecurity maturity. Based on what I’ve seen in the industry, it can take four years and $1 million just to get threat intelligence feeds working well with your SIEM to the point they efficiently point to issues (rather than pointing to irrelevant information). Plot out realistic timelines alongside your risk reduction objectives. The discipline of timely, low and slow work is what truly improves your security posture at the operational level.

Remember: security never ends, so keep your plan alive.

Many security programs establish a budget and itemize technology, assuming they are then “all set.” It is necessary to itemize and fund based on risks, such as ICS security to protect control systems or VPNs for secure data exchange. But that is not at all where security ends. We have seen too many security programs burn through all their budget on tech without considering how they will handle inevitable attack remediation and clean-up. Insurance? It just doesn’t cover everything you need (as any homeowner facing theft can attest).

As you identify your unique risks and prioritize them, scenario plan for a breach or attack. This could be ransomware executed through phishing emails, or an intrusion into your IT network that moves over to a flat OT network. Now, what security do you need? Chances are, you will need documentation for forensics and legal notifications, as well as expertise to rapidly remediate. There may also be new machines needed to rapidly load and get running (many disaster recovery machines take days to ship from off-site locations). Perhaps different plants need more backup generators to power a downed instrument or keep a production line up during an attacker-caused outage. Take your program beyond its paper to add substance at the most critical time—after a breach has happened.

There are many more recommendations, but these are three obvious ones to avoid a stale security program. I look forward to your feedback and welcome your own recommendations.