I just wrote-up the following for someone in the Communications Sector. It’s entirely stream-of-consciousness and un-edited, so forgive the language and grammar shoddiness, but as far as content goes, I think it sums up very well how I think of cybersecurity at an organizational (as opposed to industry/sector/national) level right now:
The vulnerabilities hackers exploit are created in the design, implementation, operation, or control of your business’s strategy, resource allocation, capability maturity, and value chain. These vulnerabilities, created by your business decisions, allow hackers to repurpose your business and infrastructure – in part or entirely – to their own ends.
Therefore, cybersecurity can be said to be “The management of all business decisions made by your organization in a way which will inhibit malicious actors from using technology to repurpose your infrastructure or value chain for their own ends.”
While much of the focus on security has been on security specific controls and roles, those controls and roles only help to temporarily mitigate security problems. True improvement in effectiveness and lowered costs will only come if the rest of the business manages decisions in a way that reduces the number of business and technological vulnerabilities that your security programs must account for. These vulnerabilities can be introduced in typically “non-security” areas of your business such as product release timing, IT product selection, change management discipline, cross-team communication, business process design, policy compliance culture, service and product feature selection.
And, so, use of security Frameworks such as the new NIST Voluntary framework, while important, only accounts for security control at one layer of several interdependent layers of control and will not, by itself, successfully protect your organization. Business leadership priorities, business capability management, business process and IT architecture, operations, education and culture management, and classic “cybersecurity” must be paid equal attention and be tightly integrated.
A tight integration of these areas will not only reduce the overall number of vulnerabilities being introduced that are exploitable by hackers, but will also allow the organization to more effectively identify and pivot toward defending against new threats and attack vectors. Without this overall business maturity, no threat data will ever be actionable because there is simply too much area for your security teams and programs to cover. However, with the entire business working together to minimize exposure, your security team will be able to use threat based intelligence from external organizations to help them understand what gaps remain, mitigate those threats in the short term, and then inform business leadership of areas of vulnerability which might require longer term strategic organizational change to mitigate.
Ultimately, this should be seen as the development of two risk management life-cycles: One which looks at long term threats to your organization resulting from vulnerabilities created by organizational decision making, and another which focuses on short term tactical threats to your infrastructure. These two risk management life cycles can then inform each other without replacing each other.
In the longer term, business management lifecycle, typical “barriers” such as operational, market, consumer, technology and policy considerations should be considered “cybersecurity vulnerabilities” to be managed. Metrics could include such measurements as “number of times a security control was pushed to a later release in order to accommodate product release commitments made by marketing.” Security improvement initiatives could focus on changing organizational processes and decision making to the point where product release commitments and security control introduction were in conflict less often.