
In our last article, we discussed what’s happened in 2018 that will carry over into 2019.
Everyone who interacts with information security in 2019 will be facing tough decisions in the coming year. They will be forced to look in the mirror and ask what kinds of security programs they want to run.
This means that 2019 is the year that we stop talking around the issues in security and determine whether or not we’ll address them honestly. It’s a choice we must make.
This coming year is all about progress and talking frankly about security issues. It starts with addressing three main themes: turning away from compliance-based security, shifting where the blame falls when a security program fails in an organization, and acknowledging a lack of authenticity at the board level.
Ready to face 2019? Here are our top tips:
1. If you want to build an effective security program, it’s time to move away from a compliance-based approach.
2. Outsource your security program as much as possible if you want actual changes to be made.
3. Focus on remediation from the very beginning if you have any assessments or analyses performed on your security program. Having the company that assesses your program also play a role in remediating your program can be helpful.
4. Don’t accept a position as a CIO unless accountability is clearly defined, and you have the right resources to implement corrective change as it relates to cyber security.
5. Security leaders need to implement project management to help manage scope, schedule, and budget for any effort in support of an organization’s information security program.
6. Everything boils down to your security program processes and your resources. Focus on building strong processes, ensure that you have the right team, and commit the appropriate resources to carry it out.
1. Moving from Compliance-Based Security to Business-Based Security
Everything that’s been done previously in information security has been associated with a compliance-based approach. This approach starts by adopting some type of framework, such as ISO 27001 or NIST 800-53, measuring your environment against the framework’s requirements, and then closing the gaps that are found.
The problem is that you can totally align to a best practice framework and still have a poor security program.
Those of us that have been in information security for a while know this and it’s time that we start talking about it to make organizations aware of this pitfall.
Many organizations with best practice frameworks in place are facing unrelenting attacks and intrusions into their data, forcing them to learn this the hard way.
Because of this, we believe the solution in 2019 is for organizations to build their security programs with a progress-based approach.
This means implementing a security program that can do four, repeatable things:
1. Define security within the organization.
2. Establish accurate measurements of the environment based on that definition.
3. Provide stakeholders with information from the measurement activities that can help them make decisions regarding the security program.
4. Support and implement stakeholder decisions.
It’s possible to implement these items above and align to best practices; this should be your goal, since using frameworks to establish your baseline can be valuable.
Be aware, however, that it’s possible to implement all the requirements of a best practice framework without having any of the functional capabilities of a program in place. This is the pitfall that many organizations have fallen into.
The best way to implement everything properly is through effectively designed processes and skilled resources to implement and perform these processes.
But there aren’t enough resources, and good ones don’t usually want to work for one company. This leads to our second prediction for 2019.
2. Increase in Outsourced Information Security Services
If organizations want to implement and execute processes properly with the right resources for a progress-based approach, they must find those resources from somewhere.
Organizations will likely turn to outsourcing with third-party professional and managed service security providers. Outsourced requests will start with professional security services, specifically in program development to build the appropriate processes. From there, companies will take advantage of managed services to perform the processes that have been built.
The rising demands for outsourced security programs will lead to both an increase in the market of professional and managed security services available, as well as a noticeable improvement in the overall effectiveness of security programs.
3. The Continuation of SOC Testing
Although organizations and security programs will be moving away from a compliance-based focus, there will paradoxically be a rise in SOC (Service Organization Control) testing and certifications, despite its basis as an auditing framework.
To clarify, it isn’t the SOC test itself that provides the value. SOC compliance requires organizations to build specific processes and provide enough resources to perform those processes in a measurable way. The SOC audit component simply measures whether this has been done.
Although SOC testing is biased since the test isn’t perfect and audit companies want you to pass, this process will still produce a better progress-based byproduct than a compliance-based approach alone.
SOC testing might be a step in the right direction, but it won’t solve another prominent problem: providing adequate protection against attacks.
This involves implementing effective technical safeguards to protect the company from attackers.
4. Shifting Accountability for Information Security
While security plays a role in acquiring these technical safeguards, this battle will be fought by the average organizational CIO and their IT teams.
In 2019, security teams will identify the technical problems through vulnerability testing and evaluation, but they’ll turn accountability toward the company’s information technology teams to fix them.
After all, these are the systems they manage and control. But it will be a hard problem for IT to solve.
The common CIO and their teams are experiencing technology sprawl as the businesses they serve continue to grow and leverage more and more technology: new devices, larger and more complex systems, and a simple phone call to deploy environments in the cloud. But the problem boils down to resources.
CIOs don’t have the manpower to help them keep up with the patching, encryption, and segmentation that they’re supposed to do in order to have a fighting chance against the attacks. Their teams are struggling just to keep the lights on.
Without the right resources, all these technical tasks will be left unfinished, but the CIO will still be held accountable for them by the security teams they partner with.
Previously, the responsibility for these tasks has fallen on the security leader. Security leaders now have more opportunities to push this accountability onto the CIO, but pushing accountability won’t necessarily fix anything.
Taking this responsibility out of the security team wheelhouse might work for them, but it doesn’t mean it’s the right thing to do. It’s another choice that cyber security professionals must make: push responsibility away to look like you’re doing a good job or take some of the responsibility in executing technical IT tasks?
5. What Can CIOs and Security Leaders Do?
To avoid being held responsible for things outside of their control, a CIO should show their board what resources they need for specific security tasks.
More importantly, they shouldn’t be afraid to show large and potentially alarming numbers, especially if these numbers show the reality of what it takes to fix the technical mess of their organization.
Resource requirements should be established clearly, even before you take the job or when setting a new budget.
To accurately get this number, CIOs and security leaders can’t rely on compliance-based security measurement or assessment firms, especially if these firms don’t have a proven history of building security programs or fixing these types of situations.
Someone who has just been an auditor or security compliance person isn’t going to help you.
Assessments from these organizations usually won’t yield accurate estimates, and you’ll be stuck trying to meet unrealistic or impossible timelines. Good luck.
Once you get approval from the board regarding what it takes to improve your security program, this is where outsourcing technical remediation tasks with specific service-level agreements helps: each agreement is a contract and guarantee that specific tasks will be completed.
Both IT and Security leaders should make the most of strong project management practices. Project managers are meant to help you measure the scope, schedule, and budget of all your security program-related tasks. These big messes need strict project management to have any chance of success.
But even with all these things in place to show the board what’s missing from their security program, there’s still another hurdle that CIOs, security leaders, and other security professionals must face.
6. The Lack of Authenticity and Truth About Security at the Board Level
Hopefully, it’s clear by now that the average organization is a complete mess when it comes to information security.
But this is a mess that’s hard to truthfully explain to a board, especially since organizations are making a lot of money and spending it on security. The money that boards have thrown at security up until now has been a form of insurance, so they can rest assured that they’ve done something to protect the business.
Surely the more money they spend on security, the more secure they are, right?
This leads to the problem that security and IT leaders are facing. Nobody wants to talk about the real problems in their security programs, and there are a few reasons for this.
Security leaders may not want to admit that the security discipline has been implementing compliance-based approaches that might not actually make an organization secure.
Or maybe a security leader doesn’t know how to accurately measure the security program in the first place. Most risk management approaches are ineffective, so any information they yield won’t mean anything. And that is assuming they’re even using a progress-based analysis process; most organizations are still using compliance-based analyses.
Maybe a given security leader doesn’t understand their security program at all. This could be due to poor assessment approaches, sticking to a compliance-based methodology that doesn’t tell them anything, or because they don’t have enough resources to accurately measure the program.
IT leaders may not feel comfortable explaining how bad the technical environment is, or how much it will take to fix the problem.
All these situations lead to poor information being sent up to the board, resulting in the board’s confusion and frustration as to why there isn’t any progress with the security program.
The board might bring security figureheads on as board members to try and address the problem, such as a general or a security vendor executive.
But these figureheads won’t be much help either — they end up receiving the same information as anyone else on the board.
At this point, the company’s caught in a deep cycle of ignorance and a lack of authenticity. The board will continue to try and dump more money into their security program to ease their minds, and as the security program fails to protect them or respond appropriately to a breach, they’ll blame the CIO and put the security leader under pressure to improve the program.
They may also take the diet pill approach and try to buy a security technology to fix all of this in a couple months. That won’t work either and the cycle starts all over again.
As the cycles continue across numerous organizations around the world, it’s only a matter of time before a large, profitable company will go out of business because of a massive, large-scale breach.
Or even worse, an organization caught in this cycle could be used by attackers in a nation-state attack that leads to who knows what.
All of this is to say that everyone, whether you’re a security professional, an executive, or the common employee, needs to start being honest with themselves and the companies they work for when dealing with their organization’s security.
We need to start facing the harsh realities of what could happen if poor security practices continue and start having conversations about actual improvements.
We believe that 2019 will be the year that we’ll be forced to start these conversations.