New CISO means new security strategy ...but should it?
During a recent discussion with a CEO of a Health System, he mentioned he had lost faith in his leadership and security team because the cybersecurity strategy keeps changing. “Every time there is a change in leadership, the cybersecurity strategy changes.”
Sound familiar?
The new CISO joins. Eager to show value, they propose a new cybersecurity strategy that promises to be better than the existing strategy. Everyone is excited for change. Executives and management, lacking adequate cybersecurity knowledge, support the change. Two years later, the CISO leaves, new CISO joins, the cycle repeats - it’s a wonder anything gets done!
Why does the cybersecurity strategy keep changing?
Simple. The organization’s security goals have not been clearly defined. This responsibility should not be left to the CISO. Cybersecurity accountability and responsibility begins with the executive team and the board.
How do you stop the cycle?
Set your cybersecurity goal(s).
Clear goal(s) provide a decision-making framework for the organization. The main goals of cybersecurity are to successfully safeguard the confidentiality of data, preserve the integrity of data, and promote the availability of information to the appropriate authorized individuals. Without clear goals, each incoming CISO is left to their own interpretation of what is best for the organization.
Keep in mind that action plans such as achieving a security certification, aimed to demonstrate compliance to legal and/or industry standards, are not goals for cybersecurity but rather an outcome. Organizations that confuse the two, perform a lot of tasks that do nothing to enhance their cybersecurity processes.
Pick a security framework that best suits the organizations cybersecurity goals, risks, industry, and overall mission.
Security frameworks outline the organization’s approach to cybersecurity risk. Selecting a framework (such as NIST CSF, HITRUST CSF, COBIT, COSO, ISO, SANS, NIST 800-53, NIST 800-171, PCI, HIPAA, etc.) that closely matches the overall goals and mission of the organization is the most efficient way to describe the foundational controls; measure and monitor meaningful security metrics; assess and manage relevant risks; and demonstrate compliance.
The framework should describe the control objectives (the “WHAT”) and not the people, processes, and techniques (the “HOW”). The control objectives will rarely change unless there is a major change in the business or technology; however, how things are done should adapt to the current state of threats, risks, and business mission.
Hold the executive team and board accountable and responsible for selecting and supporting goal and strategies.
The executive team and board should fully understand the goals, strategies, and risks of cybersecurity - how else will they make strategic decisions about handling data? Uninformed leaders have decision making blind spots and tend to be swayed by "new shiny strategies" that wastes time or leads to confusion, disorganization, and lack of competence.
Once defined, the cybersecurity goals and expectations should be communicated across the entire organization in a clear and consistent manner. A disconnected leadership team sends the wrong message to the entire organization that can lead to general disregard of cybersecurity.
Drive for results.
Regardless of which framework you chose, if the processes are not implemented, results are not monitored and managed, and corrective actions are not implemented timely, the framework is of little value.
The executive team should require managers and security leaders to develop action plans that meet the overall goals and continually report progress. This will help the organization track progress against measurable goals and develop a strategic roadmap that can withstand leadership changes.
Ask for basis for change.
Changes should be substantiated so next time a new strategy is proposed, I urge everyone to ask WHY?
A change should result in different outcomes. What will be different?
Accountability and responsibility are key…
These steps are not technical nor do they require deep cyber expertise. Any organization can take these steps to strategize, implement, and transform their security operations. Organization without the adequate internal resources and skills should consider combining internal and outside specialized assistance to define and implement the right goals and strategies.
Where Secliance can help:
Secliance can help you define goals and develop actionable strategies that balance security and compliance goals.
Contact us at support@secliance.com.