The big chill
Most often we focus on the proactive things that organisations and individuals can do to improve their cyber security. This article focuses on the forces and factors that work in opposition to security, compliance and risk management.
Collectively these things have a chilling effect on (or in other ways impair) the implementation of security.
Mixed messages: This is the classic case of an organisation's leadership saying one thing and doing another. Specific examples of this include application development, cloud and infrastructure projects, and infrastructure change management.
The issue here is simple: when a team (project, development, cloud, infrastructure, etc.) is under pressure (budget, timeframe, scope, resourcing, etc.) and security has not been set as a priority, it is often assumed to be a nice-to-have, out of scope, or someone else's responsibility.
When you go to the senior stakeholder, project sponsor or steering committee and ask them whether they would like to have:
Compliant solutions that support their organisational goals and obligations
Their information and technology risks properly understood and managed
A fit for purpose, robust, reliable and resilient environment
Confidence in achieving the stated goals of the project
A safe workplace with a happy and committed workforce
I have yet to hear anyone answer "No".
Why is it then that organisations are so bad at translating and cascading these messages?
We all understand the importance of health and safety both in and out of the workplace, so why is it so difficult for people to connect the dots between this type of risk management and others (like cyber security)?
Pace of change: We all know that with increased speed and load comes a decrease in accuracy and quality. Adapting security to a quickly changing business, project, threat, opportunity or technology can sometimes be like playing whack-a-mole while skiing on one foot and playing the banjo.
With many organisations struggling to find and keep security expertise, it is not surprising that even the most well-resourced security teams can buckle under the increasing workload.
Most operational teams are (or should be) focused on running, maintaining, supporting and monitoring the current environment. These teams establish deep knowledge of the business, the technology environment and what 'normal' looks like from a security perspective.
Project teams are usually focused on the future and are oriented to a faster pace of change, integrating new technologies that are often alien to the organisation. It is not surprising, then, that bringing in specialised and experienced resources that are outcome- and time-oriented is a common way of resourcing projects.
Lack of resources and investment in security: Even when the message on security is clear and there is organisational support for integrating it, the difficulty of obtaining resources or a budget for expensive expertise can mean that security gets sidelined, left behind, de-emphasised or risk-accepted.
Typical models for addressing this include:
1) Recruitment - obtain the deepest, broadest set of security skills you can afford - then prepare for the knife-fight with the rest of the business community to keep them.
2) Growing your own - obtain raw (junior) talent from the market and mentor and nurture them to become loyal and skilled security personnel.
3) Rental - obtain 'point in time' security talent with unique or deep skills for a defined period or outcome at a high price tag - remembering that like rolling stones, they will be moving on.
4) Partnering - build a longer term relationship with an organisation that can provide a service or capability within a defined timeframe or criteria.
The vicious cycle: put these factors together and the problem becomes clear.
As businesses, if we now say:
You should engage security -> this leads to reduced risk for the business -> but also to increased demand on poorly resourced security teams -> which results in delayed outcomes (or budget blowouts) for the business -> leading to frustration with the security team -> leading to reduced engagement with the security team.
So what's the answer? In our experience, it usually comes down to a number of key things:
Project and change management forecasting: Consider the talent you will need during early planning. If you are building an office tower, you plan to engage expertise at the right time, and expertise that is geared appropriately - i.e. project-oriented resources are objective- and deliverable-based, whereas operational resources are usually scalable and resilient.
Flexible resourcing models: Your needs may change in demand (up and down) or in skillset (Architect -> Design -> Implementation -> Operations -> Assurance). Having the ability to adapt through flexible resourcing means delivering on time and on budget. It also provides a more diverse career path for internal security teams.
Knowledge and skills management: Anyone who has managed complex business or technology environments will understand that continuity of knowledge and timely access to focused, relevant and localised skills requires the development of repeatable processes and automation wherever possible.
Strong governance and leadership: Even the best laid plans, architecture, policies and standards can amount to little without practical implementation, integration, monitoring and supervision. In addition to structure, this often requires cultural change and must be supported by initial and ongoing education, training and awareness.
If you would like to get some help to achieve some of the goals above don't hesitate to get in touch.
Author: Clinton Smith