Security experts year after year list top ten threats for security to include some aspects of technology and training. Many security leaders have a seat at the table today due to the increasing frequency of multiple attack types and channels. Working closely with security for the execution of business is a fundamental requirement business requirement today. All too often, security is trying to catch up with strategic decisions that organizational leaders make. The cyber teams may have input in the review of new technologies and emerging capabilities but are often backtracking over legacy technologies while trying to manage strategy and application of highest priorities in the organizational run.
In speaking with senior leaders about IT security, I often hear about their challenges in staffing. Building a trusted workforce with the “know how” and ability to execute from a technical perspective allows senior leadership to be enabled on focused strategy work. Far too often, senior leaders in IT security find themselves in the thick of bad situations. This consumes their time and focus but also creates additional constraints on planning for the enterprise.
- Strategic Alignment
- Emerging Technologies
- Cloud Concerns
- Tactical Response
- Architectures, Mods, and Simulation
- Large scale industry or third-party attacks
- Legacy remediation
- Shadow Operations
- Data Insight and Analytics
- Global regulation and compliance normalization
Why the CISO?
Most of the critically important functions of the CISO are human factors. In the past few years, I have seen CISO as Chief Architect and CISO as CISO/CIO. The CISO already has a wide range of responsibilities that deal with people management.
One of the most often areas missed in security is knowledge management and the operational risks of outsourcing. The value of HR working through the CISO is more visibility of the risk profile through people management. Training and competency requirements as aligned with organizational security also present a great opportunity. How many organizations have required security training that is NOT aligned with their skills or competencies?
Many people still say “the business” when speaking about IT or from the perspective of a core service model. If you are part of a company and you are working to serve in any capacity, you are part of the business. The people inside the business aren’t your “clients” even though you may feel in their service. The role of security is a business role and the nature of this role continues to evolve due to the complexity of human and technological complications. The layer of negotiation across leadership far too often inhibits organizational agility concerning security. When an attack happens, it is understood to rally the teams and fight the attack. The problem is that the average time it takes to detect a cyber attack is 206 days. I’ll say one of the reasons is that people are drowning in normal everyday work and only know to respond to attacks that are apparent and clear. Securing the threat takes operational awareness. This requires the proper level of staffing, training, accountability, and technologies.
What do you think?