SecurityWeek

Management & Strategy

The Security Program Approach is Hard, But Necessary

As part of my day job, I have the distinct pleasure of studying enterprise security programs – or at least slices of them – in their native habitat. I spend time with CISOs and other security leaders at many different levels to understand, learn from and aggregate the successes, failures and lessons from these security program elements. Before I even embarked on this role, I was known to lament the difficulty of putting together a solid security program. Now, after just over a year in this role, I fully recognize the problem is much larger than I could ever have imagined.

The team I lead is fueled by classical research, which means we go out “into the field” to study various aspects and components of security programs. We take something like cloud security and figure out how companies are putting a program around securing their cloud consumption and what others can learn from their successes and failures. It is in this field work that I’ve noticed some undeniable patterns.

First, there is a general perception problem with the security program approach. Security today must be agile and adaptive, and security programs – at least the way many of us see them – are none of those. The perception is that a security program approach is slow, requires heavy investment in resources and is rigid. Agility and ability to adapt aren’t high on the list of things security programs are good at. But why not?

I believe that part of that misconception is tied to some of these hundred-plus page control frameworks that require enormous time commitments to implement and, once they’re in place, require an act of Congress to modify. Whether you’re following ISO, NIST or SANS, the program frameworks have largely failed us. Either they’re too prescriptive and don’t apply, or they’re too loose and don’t really say anything; or sometimes they’re so long that by the time you’re done reading you forgot why you started in the first place.

Your security program should be like a fine tailored suit – it should fit you well, imperfections and all, while allowing for your movement and give a little when you have a second helping of mom’s chicken parmesan.

The second thing I have noticed during my time in the field is there is a belief that using a program approach requires a significant staffing model for your security team. However, this simply is not true. I have talked with several CISOs who are happy to share their success stories of building a security program, with several well-operationalized sub-components as well as a blend of staff, contractors and trusted partners. The model works, and while it does not universally apply, there are solid ways to get value.

Most of a company’s security program elements should have three pieces – those you build, those you buy and those for which you find a partner to help you manage. You can’t do it all yourself – mainly because it’s not possible in most cases – but you shouldn’t give it all to someone else either. There are healthy mixes, which depend on the type of enterprise, market vertical and revenue model.

Finally, there is the one that causes the most sleep loss – the “all we need is widgets” approach. I’ve always been leery of those who disparage vendors. Your solution providers speed up time-to-value, and increase your scale and repeatability. This bears repeating, and I can attest to the fact that it is mostly true. When I talk to an organization and ask them how they’re handling their enterprise vulnerability reporting or threat intelligence, and they tell me they have it handled because they have purchased the Magic Security Widget 10,000, it gives me pause.

Solution providers are just as complicit in this situation as anyone else though. We’ve been inundated for a decade and a half on the buyer side by marketing pitches that have promised us miracles, yet we continue to struggle. As a result, security professionals fell into one of two reactions. Either they bought into this “widget first” thinking and started piling on the shiny boxes, or they became snarky and skeptical. A widget – even if it’s best of its breed – without purpose or a strategy around it will fail to deliver value. I can virtually guarantee you this.

Centering your defenses on a widget that promises you the world is a recipe for disaster. We advocate a strong program approach that takes into account the human and process aspects of the tool, and then ensures the space between inputs and outputs is not magic. In many large enterprises it is an order of magnitude easier to drop a tool into place and start using it without taking the time to design a program around it. The perception that you get to value faster is false and leads to failures.

The program approach, then, is the more difficult path. It’s potentially more time-consuming, resource-intensive and costly than the alternative. Then again, the alternative is just to jump in and “do something.” I’m sure you’ve heard that one before. “Just do something” is a short-term fix that often leads to big long-term problems.

Whether you’re a believer or a skeptic, the program approach to security challenges is the only way. Planning, implementing, then maturing and measuring are slower and more resource-intensive in the near term but, ultimately, pay dividends in the long term. It just takes patience and a little experience – and if you have neither of those, you can always learn directly from others who came before you. The alternative, sadly, is more of the status quo.
