This blog is not going to try to scare you with real-world stories of hackers taking over a company’s network and dragging it to its knees. For that, you can watch the USA Network’s critically acclaimed series, Mr. Robot (and you really should watch every episode). The intent of this blog is to demonstrate the importance of security as a business capability in your company.
Simply stated, business capabilities are the things a company does to be a successful business. You have strategic capabilities that differentiate you from your competitors, such as your strategic vision or the products and services you offer. You also have enabling capabilities: the capabilities required to support your company’s ability to perform its strategic capabilities. Examples of enabling capabilities are managing taxes or processing accounts payable and expense reimbursements. These are things you have to do well, but you don’t have to be the best at them (in your industry), because being the best usually will not impact your bottom line. Without sufficient competence in the enablers, though, you can be as strategic as you want and it will get you nowhere.
One of these enabling business capabilities is managing enterprise risk. Typically, people think of enterprise risk as financial risk, compliance risk or legal risk. But managing risk from a security perspective is equally important.
It is all too common for security compromises to destroy careers and companies. You can usually trace these tragic events back to a crucial error: a reluctance to manage the security function the way other forms of risk are managed. By including cyber security in the larger picture of enterprise risk management, there would arguably be fewer compromises and certainly fewer surprises at the C-level and at the Board level. Just because cyber security involves technology does not mean it should be limited to the IT department. We are now seeing IT Directors and even VPs willingly give up the security function because they do not think along those lines, and they don’t want the career liability.
Managing enterprise security risk is a business capability. It is an enabling capability, one you have to do well consistently, but not an area in which you have to be an industry leader; i.e., you don’t need to win any awards for implementing your security strategy. It is not only an IT issue, because it integrates with almost every other business capability.
You cannot improve a business capability without breaking it down into its people, processes, technology (tools) and information (PPTI). People are anyone responsible for performing tasks within a process, leveraging the technology and using the information to carry out the business capability. Processes are the activities performed by the people and the technology. Technology is the set of tools the people and processes rely on. Information is what the capability generates and consumes. You cannot assess the PPTI without having something to compare it to. For example, you cannot sell more widgets than your competitor until you compare widgets. Fortunately, in the security world, many people have created and executed very reasonable and effective security strategies, and standards have been created from collaborations between these pacesetters. They are there for you to use and easy to come by. For example, the Payment Card Industry Data Security Standard (PCI DSS) caught a lot of grief early on for its ambiguity, but it has matured quickly and is a good standard for most organizations even if you don’t handle payment card data. We have seen others start with the SANS Top 20 Critical Security Controls for Effective Cyber Defense.
It’s important that you select an appropriate match for your company. As your company grows and changes, you will discover that your requirements also change. Your ultimate goal may be compliance with ISO 27002, but whatever your security goal, you need to take the steps to determine how to get there and what to do. Here are 10 steps to help you do that.
- Choose a reference point. You may not have much in place, but you have something – that’s your reference! (If you had nothing at all, you would have been thoroughly compromised by now.)
- Perform an assessment of the capability against your chosen reference point. If you have strong process or audit people in-house, they may be able to pull this off with some assistance. If not, hire a reliable security consultancy that has experience with companies of your size to perform the assessment. A capability is made up of people, process, technology (tools) and information. You have to assess yourself in all four facets.
- Prepare for the results. Emotional fortitude is the key here. It will not be pretty. The only companies we have seen do well on the initial assessment are the ones that already have some experience in this area because they have had to follow some sort of industry regulation (i.e., a legal gun to their head). Unless you feel you have done an amazing job of articulating security requirements to your IT team beforehand, you really cannot blame them for the initial status. (To be clear, this is not the time to make an example of someone.)
- Share the results. Build alliances internally. Create a governance structure to oversee the execution of the plan. Remember, this involves the entire company, not just one area. This is not something you want to fail at, and acting as a lone wolf to fix this is a recipe for failure.
- Create a plan. This is not an overnight thing. Collaborate with other business units. You need analytical minds, creative minds and financial minds. You need to keep change management at the forefront. If there are glaring gaps, mend those first. There isn’t a one-size-fits-all solution. You will need a process to cost out what it will take to mitigate risks, prioritize them and manage them just like any other business project. This is a business capability. On a scale of 1 to 5 (1 being low, 5 being high), you may be a 1 now, but in six months you want to be a 2, and in a year a 3. You may not need to be a 5, because that would be prohibitively expensive, but at the very least you do need to continuously improve and keep pace with threats. Create the roadmap, break the milestones into manageable horizons, review after each horizon, readjust and continue.
- Ensure it is part of the culture. Your organization has to believe in the cause going forward. It has to be part of the hiring process. It has to be incorporated in an employee’s review. It has to be a topic at Board meetings. To some degree, it even has to be a requirement for every vendor relationship you have. This is easier said than done, but it is necessary.
- Buying a bunch of software tools is not execution! As previously mentioned, a capability is made up of people, processes, technology (tools) and information. You have assessed yourself in these four areas and you must improve to some degree in all of these areas. Your planning should incorporate all of these. If you install a new tool and no one is there to use it, you missed on the people facet. If there is new information generated from the tool and nothing to leverage that information, you failed on the information facet. You get the gist. Execute thoroughly.
- Claim victories along the way. Executing the security strategy is no walk in the park, so celebrate even small successes like you would other company accomplishments.
- Remain vigilant. Threats are often the same, but attack tactics change. The bad actors are more organized these days. By keeping your organization’s security posture top-of-mind, you will help ensure it doesn’t get lost in the daily shuffle. Of course, it is a never-ending task, and you will have to reprioritize as the threat landscape changes, as you develop new business models, as you grow…
- Continue to respect it as a business capability. Business capabilities are constantly refined. Know the other capabilities it supports, as well as the ones that provide input into it. Those complementary capabilities may need adjustments as well. Make sure that security risk is an integral part of the enterprise risk formula in the organization. That will help ensure it stays ingrained in the culture.
A cyber security program is not an IT project! It is a business capability that is driven by a sound strategy that aligns with the overall corporate strategy. It is a business capability that is measured and refined as often as necessary. It is measured just like other areas of the business. It is important and you will find that it enables so many other business capabilities. For example, can you imagine even trying to manage your financials without any consideration for security?
A cyber security program is not a byproduct of IT! That wouldn’t be fair to IT, or the business. It is a part of your business and it needs the attention of the business. You not only have to do it adequately, just like your corporate taxes, you have to provide evidence that you did it correctly, just like your corporate taxes. If you treat it as a business capability, you will see positive results and in the end, sleep better at night (unless you binge watched the entire first season of Mr. Robot).
About the author
Solis Security, Inc. is a cyber security consulting firm headquartered in Austin, Texas. Initially focused on supporting community and regional banks in the early 2000s, Solis Security now provides strategic security direction to organizations in different verticals while also supplying the people and tools to see that the strategy is carried out fully.