Security Reboot Guide: Reviving an Ineffective or Outdated Security Strategy


An enterprise security strategy should be treated like a weather forecast: it needs frequent updating. A security plan that no longer matches emerging threats, changing enterprise technologies and shifting business interests can have catastrophic consequences for an organization's reputation and finances.

Many factors contribute to a comprehensive security strategy, and just as many can defeat or render obsolete a once-solid security blueprint. “People, processes and technology are the key areas,” said Greg Carrico, senior cybersecurity manager for North America at management and technology consulting firm Capgemini. “Companies that don't keep pace with current events, process automation, evaluation cycles and current technology capabilities will continue to struggle to protect what matters most, without even being aware of what attackers are targeting.”

Signs that your security strategy is not effective

The best security plan is one that is clear, relevant and easily understood by everyone across the enterprise. “The strategy must be reasonable and understandable,” said Gregory Touhill, a retired brigadier general who served as the first CISO of the US federal government and is now an adjunct professor at Carnegie Mellon University's Heinz College of Information Systems and Public Policy. “As a military commander, when I saw that my subordinates couldn't explain the strategy to me, I realized that our strategy was outdated and ineffective. It's a major warning sign if your 'unit' doesn't understand the strategy or how they contribute to it.”

One of the most obvious signs that a security strategy is out of date is an overall lack of relevance. “To help your core security resources achieve critical strategic goals, your security strategy must align directly with the key components that make up your organization's business strategy,” emphasized Brennan Baybeck, vice president and CISO for customer services at Oracle.

Another sign that a security strategy is out of date is that compliance has become its driving factor. “While compliance can be an important and essential element of many security strategies, it shouldn't be the element that drives the security strategy,” Baybeck said. “This is true for organizations with limited programs and limited resources.”

A few basic inquiries and conversations about the company's current culture and internal accountability measures can usually uncover a flawed security plan quickly. “The security budget, and whether you are heavily reliant on policy without the tools to back it up, can also be important indicators of a problem,” said Annalea Ilg, CISO of business transformation consulting firm Involta. Inadequate security governance, insufficient documentation and a lack of enterprise-wide buy-in for security are further indicators of trouble.

An organization's continued struggle to respond to threats is another signal that its security plan is out of date, according to George Freeman, fraud and identity solutions consultant at LexisNexis Risk Solutions Government. “One example is an organization whose defense-in-depth security strategy lacks the resources to contain the threats that keep emerging on its internal protected network,” Freeman said.

Align the security strategy with your risk

A plan to reboot your security strategy should be built around your organization's current risk outlook. “There are a number of factors that change an organization's risk appetite and risk tolerance,” said Sounil Yu, CISO-in-residence at YL Ventures, a venture capital firm focused on cybersecurity. “It is important for the security leader to identify these factors and adjust the strategy accordingly.”

Of particular relevance to cybersecurity planning are changes in the business, technology and threat landscapes. “Assume that one or more of these factors have changed, and the strategy did not anticipate such a change. That is a sign that the strategy is out of date and needs to be rebooted.”

Planning and preparing for a security reboot

The first step in a security reboot is knowing which parts of the current strategy work and which don't. Next, pinpoint the organization's current and planned needs and objectives, then define a new security strategy that helps achieve them. “You need to build a communication channel with your business leaders and understand their priorities,” said Tom Conklin, CISO of data management platform provider Fivetran.

Brian Phillips, director of global security strategy at visitor management technology developer Traction Guest, says it is useful to think creatively and plan from a clean slate. “It's a good idea to forget the systems you're using and the way you do things today,” Phillips advised. Instead, he explained, the focus should be on what the organization needs in the future, and on building the new security strategy around that goal. “You shouldn't let the system dictate the procedure or the strategy. A good security application will fit the process it supports.”

Rebooting a security strategy requires working with IT and security staff, employees and every business unit. “These days, every business unit is choosing and implementing technology projects that affect corporate security,” said Ben Waugh, CISO at healthcare technology company Redox. “So you need to understand how you work with your business units, how they work and what they need, and how you can have the greatest impact on the business.”

Ben de Bont, CISO of workflow management platform developer ServiceNow, recommends conducting anonymous surveys of security team members at all levels to gain the fullest possible insight into current and future enterprise security requirements. Such surveys gather detailed information on current and future obstacles, gauge employee satisfaction, and collect feedback on what needs to improve. “It's also important to talk with your business leaders about how their security requirements, such as their goals and intent, privacy obligations and regulations, and attack surface, will change as a result of a security reboot,” de Bont said.

Anyone planning a security reboot should gather advice and feedback from as many stakeholders as possible. “This is particularly important in cybersecurity,” YL's Yu said, “because it involves challenging beliefs that have been held for a long time.” Gathering feedback from as many relevant parties as possible also helps with buy-in, and it lets planners capture the thinking and perspective of experts in areas that might otherwise be overlooked. When a strategy changes, people want to know why the changes are necessary, so it is worth investing in a thorough study of the interests involved: doing so reduces fear and builds support for, and compliance with, the plan.

Ilg proposes building the security reboot strategy at three levels: operational, tactical and strategic. “You have to take people on this journey. Forming a team of people from different departments can help with implementation, with things like a formal project schedule and interim goals.” In particular, the reboot strategy should earn support across the enterprise by explaining why it is necessary and where it is headed. If you don't work out how to drive acceptance, she added, you will keep running into challenges in promoting and implementing the strategy.

Convincing stakeholders of the need for a security reboot

One of the most popular ways to persuade executives of the need for a security reboot is to describe how the strategy improves the organization's position to grow revenue or open new revenue-generating opportunities, according to Jeremy Haas, CTO and CISO at LookingGlass Cyber Solutions, who previously worked as a cybersecurity expert for the CIA and the U.S. Air Force. When strong security is presented as a market differentiator, it becomes not a cost but a business enabler and enhancer. “This is especially important in organizations that serve customers in the government sector or in highly regulated industries such as finance and healthcare,” Haas said.

Touhill said the best way to win corporate leaders over to a security reboot strategy is to back the case with meaningful, verifiable data. “Boards and senior executives tend to be convinced by compelling data, evidence and expert recommendations,” he said. Partnerships also matter: “Enlist other senior executives in the organization to speak out in support of the new strategy.”

A security reboot strategy is embraced most readily when business leaders see security as something that enables and enhances solutions. “It's good to demonstrate how security programs reassure end users, both internal employees and customers,” Touhill said. “That produces positive results.”

Ilg said that when explaining and persuading, it is better to avoid difficult technical explanations. “Use language that management can understand, and on that basis explain how the strategy relates to the company's performance, mission and vision.”
