Investing in Enterprise-Wide Security

By
James M. Myers B.S., MS., CCISO, CISSP

Does your organization view spending money on information systems security (cybersecurity) as an investment, a financial burden, or an unjustified cost of doing business? Is your security budget directed primarily to the Information Technology (IT) department? Realizing that business operations security is a business issue and not just an IT “thing” has become the new cybersecurity paradigm. This new operating paradigm requires business executives to seriously think about how they’re going to secure the entire enterprise. A new “holistic” approach is needed. This holistic approach requires an enterprise-wide security investment in people, process, and technology.

How to Think About Cybersecurity Investments

The most critical thought about securing the entire enterprise is acknowledging that technology is not the panacea that solves all security issues. Consider how many companies worldwide implemented security solutions through their IT department, only to discover that their network systems had been breached by a criminal element. A higher level of thinking in cybersecurity leadership is needed to effectively thwart future financial losses. Below are some questions to promote critical thinking prior to investing in cybersecurity solutions:

  1. Is my cybersecurity investment supporting the business’ strategy, goals, and objectives?
  2. How much inherent and residual risk is the business willing to accept?
  3. How much annual security budget do I need to address the level of risk and why?
  4. What are the people skill sets, business processes, and technologies that need funding?
  5. What are the most to least critical people, business processes, and systems that make up daily operations inside the business?

People Component of Cybersecurity Investing

The new reality in today’s business environment is that everything is electronically connected. The plethora of wired and wireless connections has created a fast-moving and ever-changing security landscape (posture). This new posture requires critical thinking that challenges the status quo of existing security solutions. The increased complexity of enterprise technologies requires a village of people to secure it. In other words, no single individual has all the answers, nor can one person solve all the security problems. The new business-enabled security leader must be able to guide, direct, and help enrich everyone across the enterprise with a security investment mindset. This is the holistic human capital approach to mitigating the constant threat of network systems breaches or loss of critical Intellectual Property (IP).

Process Component to Cybersecurity Investing

The move to cloud computing and storage has changed how business processes support daily operations. Business IP is now being stored and managed by third-party companies. This creates new business processes that reside outside the core boundaries of brick-and-mortar companies. These processes must be analyzed and assessed for their level of criticality in supporting daily operations. Cloud-enabled processes may require High Availability (HA) data links with strong security such as Multi-Factor Authentication (MFA) and encryption techniques. Investing in cloud services is a security paradigm that requires a serious look at business processes and how to secure them. This includes all data links to and from vendors, customers, contractors, and remotely connected employees.

Technology Component to Cybersecurity Investing

The cybersecurity vendor community has exploded in numbers since 2012. Worldwide spending on cybersecurity products and services is predicted to eclipse $1 trillion for the five-year period from 2017 to 2021. There will be plenty of security technologies for security executives to analyze and assess. There is enhanced opportunity to purchase and implement tomorrow’s security technologies in today’s operating environments. Out with the static and signature-based solutions and in with the new Artificial Intelligence (AI), Machine Learning (ML), and User Behavior Analytics (UBA)/User and Entity Behavior Analytics (UEBA) solutions. Each of these solutions requires advanced mathematical algorithms to effectively assimilate multiple vectors of input data. The intent is for machines to assist with analyzing real-time security incidents, thereby decreasing security investments while increasing information systems data reliability with an effective security posture.

Holistic Approach Value

There are minimum requirements for protecting company IP and critical data. Meeting only those minimums is the technology-only approach to the complex task of effectively securing the entire enterprise. Given the number of successful security breaches over the past five years, it’s safe to say that change is needed. The holistic approach to cybersecurity will:

  • Provide a stronger defensive security posture across the company’s information systems
  • Encompass a greater knowledge of security practices across the entire employee body
  • Allow executives to make well informed security enabled decisions
  • Help to protect the company’s brand, image, financials, and intellectual property

Taking a holistic approach to invest in people, process, and technology can provide the needed foundation for securing the enterprise today and in the future.

Leadership In Cybersecurity

By
James M. Myers B.S., MS., CCISO, CISSP, ITIL

A challenging and sometimes confusing task is defining the leadership in cybersecurity for an enterprise. There are various job titles such as Chief Security Officer (CSO), Chief Risk Officer, Chief Information Security Officer (CISO), V.P. of IT Security, or V.P. or Director of Information Security. Regardless of title or functional position, the lead role in a security organization is expected to wear many hats and solve a myriad of strategic, operational and tactical problems.

Today’s security leader must keep their pulse on a plethora of security initiatives. Below is a list of security initiatives that a security leader would either manage or have a parallel impact upon within a business:

  • Data security
  • Vendor management
  • Budgeting & forecasting
  • Network systems security
  • Disaster Recovery (DR)
  • Application security
  • Identity & Access Management (IAM)
  • Vulnerability Management (VM)
  • Data storage
  • Business Continuity (BC)
  • Cloud enabled solutions – SaaS, IaaS, PaaS
  • Policy & controls development with implementation
  • Managing enterprise risk tolerance
  • Communicating to executives and board members
  • Human resource leadership
  • Incident Response Planning (IRP)
  • Multi-year security architecture planning
  • Audit management & support
  • Breach mitigation
  • Keep current with leading edge security solutions

Couple the above list of security initiatives with the below statements and you quickly realize a practical yet manageable shift is needed. Today’s information security leaders are faced with:

  • Multi-vendor proprietary point solutions. These create financially inefficient security architectures with increased vulnerabilities
  • Technology-aligned reporting structure. Security leaders primarily report to the CIO. Security initiatives viewed primarily as technology solutions create misalignment with business requirements, which increases security spending costs
  • Obtaining an effective security budget is a constant battle. If the security budget is measured as a percentage of the IT budget, this creates an ineffective security posture for the business
  • Black hats (criminals) don’t care. Meaning, the bad hackers don’t care whether you are required to comply with a policy or law, nor do they care about your budget or resources. Time is on the side of the black hats – they only have to get lucky once
  • Historically, security teams have been built in vertical silos. This enhances miscommunication and weakens trust across lines of business

The new leader in information security must be envisioned as a leader-integrator. This person accepts the responsibilities and accountabilities of the position but leads and manages with a higher order of thinking. The position requires an individual who can zoom in on technical discussion to solve tactical problems while comfortably collaborating and communicating with top executives. Security leaders today should be viewed as change agents, culture builders, transformers and visionaries, yet able to keep their fingers on the tactical pulse of the enterprise’s security posture. Their position relative to the enterprise should be transparent to the executive team. The ability to present security information to direct reports or during a board meeting at a level understood by the audience is of vital importance to the overall risk management of the business. The new leader-integrator for operational security is proactive with the following:

  1. Envisions security value horizontally – reaches out to other departments such as operations, finance, HR, sales and legal
  2. Is a bridge builder across disciplines, departments and stakeholders
  3. Enhances collaboration through communication while building trust inside and outside the security organization
  4. Invests in security technologies that support business objectives
  5. Actively listens while proactively accepting critique from subordinates, executives and board members
  6. Has a business and technology background and thinks as a strategic “holistic” thinker
  7. Constantly learns and stays abreast of emerging security trends, while transferring that learning to employees, the organization or partners
  8. Is a persistent servant leader to others and helps individuals become leaders in their own right

The new information security leader understands that security transcends technology. Technology is the enabler of the business, yet security is the overarching business operations protection program. Tomorrow’s security leaders will be required to effectively and efficiently integrate people, process and leading-edge technologies to ensure a consistently relevant security posture for the business. This requires business acumen and the ability to think critically to solve complex problems. The time is now for security leaders of tomorrow to approach security as a business problem first, followed by the supportive skill sets, business processes and technologies required for securing the enterprise.

InfoSec Advisory, LLC

Cybersecurity Services

Contract – Chief Information Security Officer (CISO)

  • Full time, interim and fractional
  • Cybersecurity strategy, programs & projects
  • Third party security management
  • Security budget planning & alignment

Value


  • Enhanced collaboration and communication
  • Aligned cybersecurity practices with business objectives
  • Client focused and vendor agnostic
  • Effective and efficient cybersecurity investment

Board Cybersecurity Advisory

  • Cybersecurity, risk management specialist
  • Business & technology experience
  • Practical cybersecurity business advice
  • Bridge the gap between high-tech & business


  • Cybersecurity knowledge transfer with less tech talk
  • Increase Board cybersecurity knowledge
  • Enhance risk management decisions
  • Increase competitive advantage

Credentials

  • Certified Chief Information Security Officer (CCISO)
  • Certified Information Systems Security Professional (CISSP)
  • B.S. Electronics Engineering; Network Systems Engineering
  • MS. Technology Management; Strategy, Finance, Tech Transfer
  • Executive Certificate in Non-Profit Governance (IECG)
  • US Navy Veteran

Clients

  • Public School Retirement Systems of Missouri (PSRS/PEERS)
  • Employers Direct Insurance Company
  • Sonoma County Sheriff’s Department
  • FEMA Region VII
  • Mid-America Regional Council (MARC)
  • Medtrak Services
  • Auto Trade Center

Contact

James M. Myers

(817)491-2452 (O)

(310) 686-9094 (C)

james@infosecadvisory.com

Visit us on the web at:

https://infosecadvisory.com

The Cybersecurity Human Resources War

By
James M. Myers B.S., MS, CCISO, CISSP, ITIL

Does your company, organization or enterprise have a difficult time keeping security leaders and practitioners? Does your security team have a reputation as a revolving door of talent? If so, then your business security paradigm must change to meet the prolific demand for talented security professionals. Gone are the days when a new employee expects and/or believes he/she will be working 10, 20, or 30 years for the same company. The new employee does not expect to work for the same company for more than two to three years. Employees are the most valuable asset to the business, and they are also the most expensive. The demand for security professionals is extremely high!

Market demand for security professionals is the highest in history. There are approximately 1.2M unfilled cybersecurity positions across the world, with approximately 220,000 of them inside the United States. From a basic LinkedIn search, there are 8,106 open CISO jobs in the United States. These current numbers are growing on a monthly basis with consistent annual increases. The demand for skilled security leaders and practitioners is here to stay for at least the next 5 years.

Unfortunately for senior management, there are large proportions of dismayed/disgruntled employees. Consider the following content taken from a Bloomberg news article dated April 15, 2015:

“Half of all U.S. employees have at some point in their career quit their jobs to get away from their boss, according to a new Gallup study of 7,272 adults. If workers loathe their higher-ups, the feeling may be mutual. Gallup also found that managers weren’t thrilled with their work situation, either. Just 35 percent of U.S. managers said they felt engaged on the job. Fifty-one percent said they weren’t engaged, and 14 percent confessed that they actively tune out at work.”

For the more senior employees earning annual salaries of $125,000 or above, the numbers listed above are less.

Couple the shortage of skilled cybersecurity workers with a large percentage of dismayed/disgruntled employees, and the business of effectively securing your business is under duress. What does a CISO have to do to keep his/her valued security practitioners?

Today’s new security employees are looking for security leaders who can instill dynamic and creative change to grow the business. They want the opportunity to cross-pollinate their skill sets across the enterprise. They want to be treated with respect and dignity. They want a defined and achievable career path to growth within the company. And they want to be paid according to market demands.

Keeping skilled cybersecurity practitioners requires strong leadership at the CISO position. The new CISO leader must have strong business acumen, know how to collaborate with people vertically and horizontally within the enterprise, and be an outstanding critical thinking technologist. The requirements of today’s CISO are as critical as any other C-Suite professional. For the business to realize an effective security posture through proactive employee engagement, it’s time to present an open seat at the corporate table for the new CISO leader.