The new cybersecurity operating model

Transcription

1 The new cybersecurity operating model Help your organization become more resilient and reach its business goals. 1 slalom.com

2 Struggling to meet security goals While the digital economy is providing major opportunities to lower costs, increase revenue, and improve customer satisfaction, it s also drastically exposing businesses to more inventive and advanced cyber attacks. This is why many companies are investing large amounts of money and resources to develop comprehensive cybersecurity roadmaps. In fact, Gartner predicts that the global spend on security will increase to $93 billion in Yet many companies are failing to meet their security goals. Why? In many cases, security organizations fail to evolve their structure and how they operate to support corporate goals. In these cases, information security (infosec) isn t a part of corporate strategy or a business enabler; it s just a supporting function and shared service. So how do you create a security operating model that makes your company more resilient and supports your business goals? By strategically building and managing infosec s relationship to the business. Here are the five key principles of a security operating model that will enable your organization to do just that. 2 slalom.com

3 1. Extend shared ownership of cyber risks across the business Business stakeholders and asset owners often share the same view: that the infosec team is responsible for managing security risks and protecting digital assets across the entire enterprise. However, this belief is instilling the wrong behaviors and culture, leading to employees with a limited understanding of cyber risks and how they re managed. And if employees don t understand risk management, the broader organization can t effectively manage cyber risks. In addition to leading by example, infosec leaders have the opportunity to define leadership, education, and communication strategies to promote shared responsibility and high performance around specific behaviors. Create a function dedicated to security awareness and training It should become a daily habit for every employee to help protect their organization against cybersecurity threats. To create this habit, they need education and training delivered in a way that sticks with them. Create a dedicated function to educate employees, contractors, and leaders across your entire enterprise on their security responsibility. These education campaigns should be a combination of communication and training tailored to different audiences. 3 slalom.com

4 Security awareness trainings are often taken online, very quickly, and immediately forgotten. Instead, organizations should incorporate gamification, like rewards and competition, into trainings and tailor the training to change specific behaviors. It s also important to develop processes to deliver cohesive and regular communication to avoid information overload and ensure that the new trainings work. As this function matures and the level of risk awareness increases, test campaigns must become more and more sophisticated to continually improve security and risk awareness. Incorporate risk awareness trainings Going a step further, infosec leaders should conduct risk awareness trainings for the most eager employees. These prompt employees to identify which activities have the highest likelihood of risks resulting in adverse events, and how to prioritize impact. By tailoring awareness trainings to incorporate risk, security leaders can help employees think in terms of problem-solving and identifying risk, not just memorizing what actions not to take. Employees can t own risks if they don t understand how risk management works. Once they start thinking about risks, however, they begin enforcing the right security behaviors and culture. 4 slalom.com

5 2. Promote the role of infosec within the enterprise Typically, infosec is seen as a technology topic. The infosec program is embedded within IT, performing tactical and operational activities often centered around compliance management. But this type of structure limits the organizational reach of infosec leaders and hinders their capacity to directly engage and collaborate with the business. The absence of business engagement has a direct impact on the ability to develop an infosec program and strategy that s tailored to support business requirements. It also creates a lack of executive awareness and support, which poses challenges for infosec leaders to elevate cybersecurity issues to the C-suite. It s important to develop a stand-alone infosec program that promotes the role of the infosec organization across the C-suite and the broader enterprise, ensuring that cybersecurity risks are fully assessed, understood, and considered as top strategic issues directly reported to the board. Infosec capabilities can therefore be aligned to the strategic priorities, and in return increase leadership understanding and sponsorship of the necessary investments required to manage the security risks. Organizations should treat cybersecurity risks the same way they do other critical business risks: by frequently briefing the C-suite on cybersecurity issues so they can make informed 5 slalom.com

6 risk decisions. In addition, executive oversight and sponsorship should focus enterprise attention and effort on cybersecurity issues by providing adequate resources (e.g., budget) to implement and monitor a comprehensive infosec strategy. " Too many industries are vulnerable to cyber attacks for employees to not think about protecting company assets, and too many businesses see their time-to-market delayed by security reviews for infosec to avoid partnering with the business." In the last few years, a proliferation of materials and guidance have surfaced to engage boards on cybersecurity topics. For example, the National Association of Corporate Directors (NACD) releases guidance on board cybersecurity leadership. One of its guiding principles explained that organizations should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. Sharing these resources and tips with executives will help infosec teams get executive sponsorship for their efforts. 6 slalom.com

7 3. Move from a compliance management to a strategic advisory role Security, compliance, and risk are three discrete efforts, but are often conflated under the same program. When not communicated correctly to the rest of the organization, they can all feel like compliance. If organizations drive their security and risk initiatives from a compliance perspective, it takes on a requirements-heavy approach, which won t necessarily increase security resilience. When a risk-based approach drives security initiatives, resource alignment is more likely to be well balanced, by focusing on the high-priority risks. It s also easier for employees across the rest of the business to understand why some security activities are more important than others. Moving to a risk-based approach isn t a new concept, but organizations still struggle with realigning traditional security efforts within this context. Organizations that strike the balance well frame their infosec organizations as consultative practices that support the rest of the business. Like any consultant, however, infosec has to resist the temptation to give guidance or instructions without taking the time to understand the complexity of the business drivers. The ideal result of a consultative practice is when the organization is able to strategically manage security risk. It can also identify and communicate clear justifications for accepting certain risks in their environment, and support organizing teams and resources to address their most critical risks first. Security is included as a requirement alongside other functional requirements for application builds and design sprints. And the business starts to internalize that 7 slalom.com

8 products are brittle and may incur technical debt, unless security becomes part of the design. So how does infosec become a strategic advisor to the rest of the business? First, infosec must accept that its role is to help the business build and run. Infosec must understand where security goals differ from goals of development teams or infrastructure teams. Infosec should work with business units to map enterprise security risks to organizations and specific roles who will become partners in owning the risks. This change is an outgrowth of executive and often boardlevel involvement to set the tone and priorities around cyber risk as part of an organization s larger business risk management programs. 4. Empower external engagement Infosec needs to be able to clearly articulate its narrative (i.e., mission, direction, and strategic objectives) to elicit action from its stakeholders. The cybersecurity and technology landscape is changing so quickly that an organization should have a strategy for how it wants its security approach to be seen and perceived, and to drive industry relations among other external business partners and stakeholders. One of the most powerful ways an organization can share its security priorities and influence others is through engaging 8 slalom.com

9 external partners, like universities, research labs, and industry groups. Organizations in highly regulated spaces can find themselves in victim mode, struggling to understand new policies, regulatory requirements, and pushing back against regulators. Organizations that provide critical infrastructure services may also be the target of orchestrated attack campaigns occurring across entire industries. This can create a reactive security culture, where infosec gets in the habit of scrambling to respond to new requirements and therefore struggles to keep up with competitors and peers. " It should become a daily habit for every employee to help protect their organization against cybersecurity threats. To create this habit, they need education and training delivered in a way that sticks with them." Also, organizations may have some resources set aside to buy memberships into information sharing and analysis centers (ISACs), and participate in conferences, but may not always have a strategy behind the spend. The result is minimal understanding of the effect these investments have on the rest of the organization. To combat this, create a specific security engagement function for addressing this reactive versus proactive struggle. 9 slalom.com

10 Establish a dedicated function whether it s part of one person s job description or a small team within infosec to create a strategy for driving external priorities and influencing sector-wide policies and regulations. Being able to show a return on investment is key to the success of the external engagement function. To make engagement successful, infosec must define its desired engagement outcomes for each stakeholder, and how those goals support the vision of the broader organization and the infosec function. By conducting rigorous stakeholder analysis to identify barriers and mutual opportunities, infosec can then prioritize which stakeholders it needs to spend the most time influencing, partnering with, or educating. For example, we worked with a leading utility company to perform a detailed external stakeholder assessment. We reviewed over 30 stakeholders, ranging from government and regulatory agencies to research institutes, based on defined assessment criteria and scoring metrics. The results of the assessment were used to define the overall engagement strategy, enabling the infocsec team to lead and influence security discussions and activities across the industry in the U.S. 5. Enable business integration and cross-functional collaboration Risk and security management capabilities should be distributed and embedded within the enterprise. Specifically, infosec professionals should be dedicated to one or multiple business units while being part of a central infosec team. This creates a greater cross-functional integration and enables the 10 slalom.com

11 entire enterprise to be aligned on top security risks. Infosec can then take an active role in strategic planning activities, strengthening organizational alignment by understanding and supporting the broader business roadmap and helping align it to the company risk tolerance. When infosec and the business are aligned, it benefits both. Business units get dedicated security resources that understand their strategic objectives and business needs, and security can deepen its business integration, providing security solutions that fulfil both risk management and business strategies. For example, assigning a security engineer to support web development or security devices in distributed retail stores helps that individual develop trusted relationships and learn critical requirements at a detailed level. This level of knowledge then enables him or her to provide more targeted support and advocate for that group within infosec. It also enables security requirements to be included in product design meetings, sprint plans, or strategic roadmaps. However, many organizations don t have the capacity within the security team to focus on several lines of business. When this is the case, organizations can still create assignments for security members to focus on specific parts of the business and develop deeper specialties in those areas. They can also look into supplementing security teams with volunteers security champions from parts of the business who want to maintain an open channel of communication with the infosec 11 slalom.com

12 team and start to spread best practices within their own teams as their level of security knowledge grows. Because different parts of the business move forward at different speeds, distributing risk and security responsibility across the organization and equipping teams to feel that they own their own risks becomes crucial to meeting the challenge of under-resourced security teams. Success: How do you know if it s working? The ultimate goal of this new security operating model is to achieve a greater level of integration between infosec and the business. As organizations pursue this goal, they have to get to a greater level of transparency and performance reporting to prove that the new model is effectively managing risk. Organizations starting out with traditionally siloed infosec groups can begin with simple engagement metrics as infosec seeks to partner better with the business. These metrics can track the degree of proactive outreach from the business to infosec for questions and consultation, and where in the project (or product) lifecycle these forms of outreach occur. Ultimately, effective metrics depend on data quality and meaningful reduction in risk. But unfortunately, the most compelling metrics around risk reduction often can t be tracked because the data is too difficult to collect. Organizations can start with an exercise of identifying what data is available, how reliable it is, and the level of effort required to remediate data availability/quality issues. 12 slalom.com

13 This exercise is valuable for infosec to understand the overall health of the data landscape they rely on to perform their duties. It can also be used as a catalyst to drive accountability from asset owners to increase overall data quality. As your infosec team matures and adopts the new operating model, it has to continually review and assess metrics to ensure their relevance in decision-making and to track business outcomes, such as risk mitigation and security awareness. A win for security and the business Too many industries are vulnerable to cyber attacks for employees to not think about protecting company assets, and too many businesses see their time-to-market delayed by security reviews for infosec to avoid partnering with the business. Infosec teams should invest in better internal and external partnerships internally to ensure the longevity and success of the company, and externally to glean important cybersecurity information and influence the broader security landscape to drive changes in regulations, policies, research, standards, and frameworks development. The result: organizations that will be able to reach their business goals faster and more securely than ever before. 13 slalom.com

14 About the author Raph Casadel is a solution principal within Slalom s business advisory services practice in San Francisco. Raph has over eight years of international management consulting experience translating broad organizational vision into how business should be structured and operate to meet their strategic objectives. He s passionate about building effective organizational change through operating model design and implementation. Adrienne Allen, who is no longer with Slalom, co-wrote this piece. 14 slalom.com

15 About Slalom Slalom is a purpose-driven consulting firm that helps companies solve business problems and build for the future, with solutions spanning business advisory, customer experience, technology, and analytics. We partner with companies to push the boundaries of what s possible together. Founded in 2001 and headquartered in Seattle, WA, Slalom has grown organically to over 5,000 employees. We were named one of Fortune s 100 Best Companies to Work For in 2018 and are regularly recognized by our employees as a best place to work. You can find us in 27 cities across the U.S., U.K., and Canada. Learn more at slalom.com Slalom, LLC. All rights reserved. slalom.com