Arbor: You cant get there from here
There is an evolution (and in some cases, devolution) to security maturity. While the idiosyncrasies of powerful personalities or the peculiarities of geography and vertical play a massive role in how a company matures, there’s a general path that can be outlined for how companies get more mature. The straightforward model below consisting of four levels or steps, can be used, mentally, when talking with chief information security offers (CISOs) and their departments:
Each step is numbered for ease of reference and discussions, and represents meaningful changes in organisational structure, perception by peers and superiors and operational behaviours. It is important to move from one step to the other, especially around an institutionally “traumatic” experience like weathering a regulatory assault or surviving a breach – something that shapes up the status quo. Also, each step has a significant change in impact on the business, with meaningful truths and guidance that are common to the collection of companies adjacent to them.d line themselves up to get the logistics right and hopefully “invert the spending” pyramid at least a little, which can have telling results.
Examining each step will assist companies to plot their course of maturity and line themselves up to get the logistics right and hopefully “invert the spending” pyramid at least a little, which can have telling results.
The “checklist” phase is first: this represents companies that see security as a series of lists. I have a firewall…check. I have AV…check. I have IDS…check. I have strong authentication…check. In this world, security is seen as a group of technical specialists, usually subordinate to IT, who are basically a tax on the business. Teams are small and are largely ignored and completely misunderstood by the business. This is where we were as an industry back when security was less than two percent of IT spend. I sometimes refer to CISOs as “Dr. No.” They are the ones everyone avoids because they will say “no” and are perceived generally to not understand the business.
The next and second phase is the “compliance” phase, and the usual progression from checklist to compliance is a painful one. The business is usually distressingly informed by legal, R&D or even auditors that they need to worry about something new that will distract the business. It takes “Dr. No” and makes them “Dr. Oh No!”
In phase two, security gets attention because it’s seen as a new source of cost. Sometimes the department will move to legal or to the CFO or even to a risk committee, which aren’t bad fates in and of themselves because checks and balances are healthy. But it can be dangerous as a dead-end for a security team. It can also be really rough for the security mandate because the big danger in this second phase is that security will be perceived as synonymous with being compliant, and that’s a disaster. Regulations establish the minimum baseline for security, not the pinnacle and goal to be achieved.
The third-phase is all about “IT risk” and usually requires something traumatic to happen as well: to get here, a company normally has to have had a scary incident or even a breach. The company suddenly “gets security religion” and looks for CISOs from outside. They bring someone in who is a “hero” to “fix” the security department. In these phases, the department gets a massive and sometimes unhealthy influx of funding, growing by an order of magnitude.
In the IT risk phase, security begins to have a better and healthier two-way dialogue with peers and superiors. It’s at least understood that there is risk in IT and that the job of security is to reduce that, but the department isn’t really measuring it or even looking at it in a universal language or light. This is where departmental bloat is at its highest.
The fourth and final phase is a business risk-centric phase. This is where the language of security is the same as it is for other forms of risk: operations, finance, legal, physical, and more. In other words, security grows up. This is where security tends to shrink because it isn’t about hoarding everything with the word “security” in it. AV updates…give that to IT. FW rules…give that to IT. Password resets…hey IT, can you handle that? The real mission of a phase four company is twofold: first governance and monitoring and second incident management.
Governance and monitoring are important because they set the posture and policies for the company and then make those verifiable. The energy of the department here should go into making security feed and influence universal corporate metrics and KPIs. The incident management part is the ability to actually stop bad guys: maximising resources in terms of people, infrastructure, tools and intelligence to get results. This is where the human-to-human race is run with little distraction and intense focus on the “sharp end”.
While it may seem impossible to get from a one or two to a four – as those are too far away – or even to get from a three to get to a four without a change in leadership or traumatic event, this doesn’t have to be the case. Security leaders in a phase one or two can carve out some resources, even partial use of people’s time to focus on the key missions of a phase four, business risk-centric company. It will require a lot of growth and networking and soft skills on the part of a CISO but carving out 20 percent of three full-time equivalent resources to work on incident management and intelligence and even dedicating subject matter experts’ time to work with IT to operationalise key security functions, while sounding counter-intuitive, can produce results.
If you’re not at phase four and don’t want to build an empire at phase three, you can look to catalyse the maturation of your company. Look to the phase fours that you know and duplicate their functions gradually. Produce results that the business notices and can take care of and, most importantly, make sure that you aren’t seen as “Dr. No” or “Dr. Oh No!”. Perhaps the hardest thing to do for people who’ve been stuck in a phase for a long time it to suddenly be taken seriously by business peers. It can be done, however, and this corporate journey and quest to reach phase four is a tremendous motivator for us in the industry to plot our personal growth and future careers to a noble and critical narrative of what we stand for. You can get there from here.
By Sam Curry, chief technology and security officer: Arbor Networks