When I first entered the cybersecurity market in 2003, I’d already been working in the IT industry for about 16 years in storage, networking, and telecommunications previously. By the early 2000s, all three sectors had moved on from bits and bytes to focusing on how each technology could help organizations meet their business goals. Oh sure, we still talked speeds-and-feeds, but we led with things like business agility, productivity, and cost cutting. The technology was a means to an end rather than an end in itself.
When I got to the cybersecurity industry, I was surprised by what I saw. Unlike other areas of IT, cybersecurity was still deep in the weeds, focused on things like IP packets, application protocols, and malicious code. In other words, cybersecurity remained a “bottom-up” discipline as the cybersecurity team viewed the world from networks and devices “up the stack” to applications and the business.
Fast forward to 2019: The world has become a lot more dangerous because of a wide variety of sophisticated threats. In the meantime, IT has expanded horizontally, driven by mobility, IoT devices, SaaS, cloud-based workloads, etc., thus greatly expanding the attack surface. At the same time, business executives now recognize 2 important realities: 1) Most of their business processes are anchored by IT, and 2) A cyber-attack and/or data breach could happen at any time and lead to devastating consequences.
In the enterprise market, business executives now “get it,” and are all in on cybersecurity. For example:
- Cybersecurity is seen as a business priority: according to ESG research, 40% of organizations say that strengthening cybersecurity will drive the most technology spending over the next 12 months. Strengthening cybersecurity tops all other business initiatives.
- 58% of organizations will increase cybersecurity spending in 2019 while 40% will maintain the same level of spending as 2018. Clearly, business management is willing to throw money at vexing cybersecurity challenges.
In general terms, this is a good thing for cybersecurity professionals and the industry at large, as it equates to more money, resources, focus, etc. As business managers become more engaged with cybersecurity, however, this focus must be accompanied by a major philosophical shift. Business people don’t care about IP packets, buffer overflows, or encryption; they care about protecting critical assets and maintaining ongoing business operations.
Based upon this fundamental and ongoing change, I believe that large organizations must embrace a “top-down” mentality toward cybersecurity management. Top-down cybersecurity starts with protecting the business mission, objectives, and processes and then aligns these priorities with the right controls and monitoring “down the stack” (i.e., the applications, servers, networks, and data/storage that support the business).
I’ll be the first to admit that top-down cybersecurity isn’t new – leading CISOs have pushed this type of agenda since CISOs were first hired. Nevertheless, I find that many organizations talk the talk, but can’t walk the walk. For example,
- 68% of organizations say that there are instances of sensitive data on their networks that they are unaware of. This indicates a gap between business processes and cybersecurity monitoring and controls.
- 62% of organizations claim that it’s difficult to measure ROI on cybersecurity spending. In this scenario, CFOs ask an obvious question: ‘What am I getting for my money?’ CISOs need real metrics to demonstrate value here.
- Cyber risk management assessments tend to be done on a periodic basis for compliance or IT audits. This is antithetical to the business need for continuous risk monitoring that drives real-time risk mitigation decisions.
Cybersecurity has become an overwhelming task: few organizations have the resources, skills, or time to keep up with the ever-growing workload. Therefore, CISOs must focus resources and energy on protecting critical assets, business processes, and IT initiatives. This is the foundation of top-down cybersecurity.
A few closing thoughts:
- Top-down cybersecurity management must be anchored by continuous risk monitoring across the extended enterprise (i.e., cloud-based workloads, mobile users, SaaS, third-party risk management, the threat landscape, etc.).
- Top-down cybersecurity management will be built on a foundation of data security and identity management, the new security perimeters.
- Top-down cybersecurity management includes well-managed micro-segmentation.
- Organizations will need a strong cybersecurity culture and training for top-down cybersecurity to succeed.
- CISOs must work with CIOs to embed cybersecurity knowledge into the entire IT organization. Furthermore, the cybersecurity staff must work within business units to establish and enable a cooperative business/cybersecurity relationship throughout the organization.
- Top-down cybersecurity management may require a new type of CISO. Industry organizations and higher education institutions should take note.