Investing in Enterprise-Wide Security

James M. Myers, B.S., M.S., CCISO, CISSP

Does your organization view spending money on information systems security (cybersecurity) as an investment, a financial burden, or an unjustified cost of doing business? Is your security budget directed primarily to the Information Technology (IT) department? Recognizing that business operations security is a business issue, and not just an IT "thing", has become the new cybersecurity paradigm. This new operating paradigm requires business executives to think seriously about how they are going to secure the entire enterprise. A new "holistic" approach is needed, and it requires an enterprise-wide security investment in people, process, and technology.

How to Think About Cybersecurity Investments

The most critical thought about securing the entire enterprise is acknowledging that technology is not the panacea for all security issues. Consider how many companies worldwide implemented security solutions through their IT department only to discover that their network systems had been breached by a criminal element. A higher level of thinking in cybersecurity leadership is needed to effectively prevent future financial losses. Below are some questions to promote critical thinking prior to investing in cybersecurity solutions:

  1. Is my cybersecurity investment supporting the business’ strategy, goals, and objectives?
  2. How much inherent and residual risk is the business willing to accept?
  3. How much annual security budget do I need to address the level of risk and why?
  4. What are the people skill sets, business processes, and technologies that need funding?
  5. What are the most to least critical people, business processes, and systems that make up daily operations inside the business?

People Component of Cybersecurity Investing

The new reality in today's business environment is that everything is electronically connected. The plethora of wired and wireless connections has created a fast-moving and ever-changing security landscape (posture). This new posture requires critical thinking that challenges the status quo of existing security solutions. The increased complexity of enterprise technologies requires a village of people to secure it. In other words, no single individual has all the answers, nor can one person solve all the security problems. The new business-enabled security leader must be able to guide, direct, and help enrich everyone across the enterprise with a security investment mindset. This is the holistic human capital approach to mitigating the constant threat of network systems breaches or loss of critical Intellectual Property (IP).

Process Component to Cybersecurity Investing

The move to cloud computing and storage has changed how business processes support daily operations. Businesses' IP is now being stored and managed by third-party companies. This creates new business processes that reside outside the core boundaries of brick-and-mortar companies. These processes must be analyzed and assessed for their level of criticality in supporting daily operations. Cloud-enabled processes may require High Availability (HA) data links with strong security, such as Multi-Factor Authentication (MFA) and encryption. Investing in cloud services is a security paradigm that requires a serious look at business processes and how to secure them. This includes all data links to and from vendors, customers, contractors, and remotely connected employees.

Technology Component to Cybersecurity Investing

The cybersecurity vendor community has exploded in numbers since 2012. Worldwide spending on cybersecurity products and services is predicted to eclipse $1 trillion for the five-year period from 2017 to 2021. There will be plenty of security technologies for security executives to analyze and assess, and an enhanced opportunity to purchase and implement tomorrow's security technologies in today's operating environments. Out with static, signature-based solutions and in with the new Artificial Intelligence (AI), Machine Learning (ML), and User Behavior Analytics (UBA)/User and Entity Behavior Analytics (UEBA) solutions. Each of these solutions requires advanced mathematical algorithms to effectively assimilate multiple vectors of input data. The intent is for machines to assist with analyzing real-time security incidents, thereby decreasing security investments while increasing information systems data reliability with an effective security posture.

Holistic Approach Value

There are minimum requirements for protecting company IP and critical data. Meeting only those minimums is the technology-only approach to the complex task of effectively securing the entire enterprise. Given the number of successful security breaches over the past five years, it is safe to say that change is needed. The holistic approach to cybersecurity will:

  • Provide a stronger defensive security posture across the company’s information systems
  • Encompass a greater knowledge of security practices across the entire employee body
  • Allow executives to make well-informed, security-enabled decisions
  • Help to protect the company’s brand, image, financials, and intellectual property

Taking a holistic approach to investing in people, process, and technology can provide the foundation needed for securing the enterprise today and in the future.

Leadership In Cybersecurity

James M. Myers, B.S., M.S., CCISO, CISSP, ITIL

A challenging and sometimes confusing task is defining the leadership in cybersecurity for an enterprise. There are various job titles, such as Chief Security Officer (CSO), Chief Risk Officer, Chief Information Security Officer (CISO), V.P. of IT Security, and V.P. or Director of Information Security. Regardless of title or functional position, the lead role in a security organization is expected to wear many hats and solve a myriad of strategic, operational, and tactical problems.

Today's security leader must keep a finger on the pulse of a plethora of security initiatives. Below is a list of security initiatives that a security leader would either manage directly or have a parallel impact upon within a business:

  • Data security
  • Vendor management
  • Budgeting & forecasting
  • Network systems security
  • Disaster Recovery (DR)
  • Application security
  • Identity & Access Management (IAM)
  • Vulnerability Management (VM)
  • Data storage
  • Business Continuity (BC)
  • Cloud-enabled solutions – SaaS, IaaS, PaaS
  • Policy & controls development and implementation
  • Managing enterprise risk tolerance
  • Communicating with executives and board members
  • Human resource leadership
  • Incident Response Planning (IRP)
  • Multi-year security architecture planning
  • Audit management & support
  • Breach mitigation
  • Keeping current with leading-edge security solutions

Couple the above list of security initiatives with the statements below and you quickly realize that a practical yet manageable shift is needed. Today's information security leaders are faced with:

  • Multi-vendor proprietary point solutions. These create financially inefficient security architectures with increased vulnerabilities.
  • A technology-aligned reporting structure. Security leaders primarily report to the CIO. Security initiatives viewed primarily as technology solutions create misalignment with business requirements, which increases security spending.
  • A constant battle to obtain an effective security budget. If the security budget is measured as a percentage of the IT budget, the result is an ineffective security posture for the business.
  • Black hats (criminals) who don't care. Meaning, the bad hackers don't care whether you are required to comply with a policy or law, nor do they care about your budget or resources. Time is on the side of the black hats – they only have to get lucky once.
  • Security teams that have historically been built in vertical silos. This increases miscommunication and weakens trust across lines of business.

The new leader in information security must be envisioned as a leader-integrator. This person accepts the responsibilities and accountabilities of the position but leads and manages with a higher order of thinking. The position requires an individual who can zoom in on technical discussion to solve tactical problems while comfortably collaborating and communicating with top executives. Security leaders today should be viewed as change agents, culture builders, transformers, and visionaries, yet able to keep their fingers on the tactical pulse of the enterprise's security posture. Their position relative to the enterprise should be transparent to the executive team. The ability to present security information to direct reports or during a board meeting at a level the audience understands is of vital importance to the overall risk management of the business. The new leader-integrator for operational security is proactive in the following ways:

  1. Envisions security value horizontally – reaches out to other departments such as operations, finance, HR, sales, and legal.
  2. Is a bridge builder across disciplines, departments, and stakeholders.
  3. Enhances collaboration through communication while building trust inside and outside the security organization.
  4. Invests in security technologies that support business objectives.
  5. Actively listens while proactively accepting critique from subordinates, executives, and board members.
  6. Has a business and technology background and thinks as a strategic "holistic" thinker.
  7. Constantly learns and stays abreast of emerging security trends, while passing that learning on to employees, the organization, and partners.
  8. Is a persistent servant leader to others and helps individuals become leaders in their own right.

The new information security leader understands that security transcends technology. Technology is the enabler of the business, yet security is the overarching business operations protection program. Tomorrow's security leaders will be required to effectively and efficiently integrate people, process, and leading-edge technologies to ensure a consistently relevant security posture for the business. This requires business acumen and the ability to think critically to solve complex problems. The time is now for the security leaders of tomorrow to approach security as a business problem first, followed by the supporting skill sets, business processes, and technologies required to secure the enterprise.