Building a more strategic and holistic approach to cybersecurity.
Media mention
Forbes: Don’t go chasing cyber tools: Overlooking cybersecurity talent and strategy can cost you
One of the biggest cyber blunders companies make is overinvesting in cyber tools and underinvesting in strategy and talent. How can organizations know what security controls they need without an overall cybersecurity program and game plan?
Buying tools can provide business leaders with the illusion of securing their digital terrain but, in reality, this approach may be nothing more than an overpriced “security blanket.”
If I may share a story to illustrate this point: my father-in-law and I recently built a shelf from a single sheet of plywood. I know absolutely nothing about woodworking, but under his tutelage, we used the right power tools (and his skill set) to create a functional shelf. Sure, I could have bought the same tools and materials to attempt to build it myself, but the end result would have been a disaster. His skilled leadership and processes enabled proper tool usage to achieve the desired vision.
In applying this lesson to the cybersecurity landscape, organizations chase tools for a variety of reasons, but sometimes without a skilled “father-in-law” or strategy driving the security program. It is important for organizations to have smart technology leadership informing tool acquisition from the top down, rather than allowing vendors to dictate their strategy from the outside in. Investing in an overall technology and cyber strategy that aligns with the business is a key component of a holistic approach to rational cybersecurity.
Several systemic issues can contribute to an organization’s scattershot approach to tools instead of an overall strategy. Cyber threats can spark fear, uncertainty and doubt (“FUD”) in an organization’s technology or leadership teams. A vendor might leverage FUD by pushing a “next-gen-blockchain-zero-trust-artificial-intelligence” widget that can solve all the things. In this scenario, there is a natural instinct to buy the tool rather than sensibly considering how the tool fits into the organization’s overall defensive posture. FUD can be an effective motivator but not a thoughtful one.
Another factor is regulatory compliance. Penalties for non-compliance can be steep, which can make buying “check-the-box” tools attractive. However, many organizations are learning (the hard way) that a hodgepodge of misconfigured cyber tools may have met regulatory compliance but did not prevent a breach.
We’ve highlighted some justifications that naturally lead organizations to chase cyber tools. But, how can organizations actually start building a more strategic and holistic approach to cybersecurity?
First, evaluate whether you have the right leadership in place. Is it even clear who is in charge of cybersecurity? Someone capable needs to be at the helm, given the budget, the human capital and the authority to secure the organization. This includes a seat in the boardroom (or at least direct buy-in from the C-suite). Cyber leadership can no longer be relegated to the server room.
Then, technologists can start addressing the cybersecurity strategy by reviewing the following questions:
Lastly, business leaders are increasingly understanding that cybersecurity is not a problem that can ever be truly “solved.” Rather, it is an ongoing risk that needs to be managed just like any other business risk.
An organization empowered by strategy can confidently seek the cyber tools that adequately address the applicable risks. Once an organization’s technology leadership understands what they need to protect, they can start buying the right tools for their tool chest. This flips the power dynamic: instead of vendors pushing an agenda onto the organization, the organization sets the agenda for vendors.
Armed with a strong cybersecurity strategy, business leadership can be in the driver’s seat on where to invest in security, taking back their power in order to truly understand how best to protect their organization.