11/20/2018
02:30 PM
Troy Mattern
Commentary
Cybersecurity at the Core

For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail.

Leaders around the globe are not naive about the impact cyberattacks have on a business. From hurting the bottom line to losing your customers' trust, recovering from a cyberattack isn't easy. When an organization succumbs to an attack, nearly every business unit is affected, costing the business, on average, $3.86 million. While most CSOs and CISOs want to be the ones to prevent and fix this, they must realize they can't take this on alone. There is a strong argument to be made that cybersecurity needs to go beyond the CSOs, CISOs, and their teams. Security needs to be a companywide effort and embraced as part of the company's core culture.

Most have heard the saying "Culture eats strategy for breakfast," and CISOs around the world know how true it is. The adage carries over to the security world in a basic way. Any security strategy or plan you're trying to implement will be held back by the people you depend on if the culture does not support it.

Today, many companies are struggling to embrace a culture of security. Only 5% of organizations believe that no gap exists between their current cybersecurity culture and their desired cybersecurity culture, according to a recent survey put out by ISACA. This means that a whopping 95% of organizations see a disconnect between the culture they have and the culture they want. So, what can businesses do?

Accept That Your Security Team Can't Do It Alone
One of the challenges in cybersecurity is that most organizations take the approach of having one security team and thinking that one team can address all cybersecurity threats and needs. In reality, cybersecurity goes far beyond just the security team. Products and corporate assets are never "owned" by the cybersecurity team, and those who do own them likely have very different objectives than the security team.

Security needs to become something that all departments think about. That doesn't mean sales or engineers need to become technical experts in security, but they do need to start bridging the gap by asking questions, understanding the risks, and knowing how they fit into the solution. In fact, that is what must happen if we want to succeed.

Establish Relationships with Different Business Units
Security leaders will always be the biggest cheerleaders for cybersecurity, but when other departments openly embrace it, their teams will follow. Security teams must enlist the support of departments including human resources, communications, marketing, product development, legal, and more. While not all will sign on, most reasonable leaders will recognize how doing so helps the company achieve its objectives.

Spend time talking to the different department leaders to find where your interests align and how you can work together for mutual benefit. For example, product quality and security are often viewed and measured as two different elements owned by two separate departments. However, customers don't see it that way. If a product is high in quality but lacks security, it ultimately isn't a high-quality product.

Likewise, customer privacy can't exist without security, and a sales team that can't speak to the security of its products can't understand and help manage customer risk. Businesses need to start making those types of connections, and it will happen more naturally when cybersecurity is ingrained in the culture.

Get Buy-in from the C-Suite
Studies show that top executives and boards of directors see cybersecurity as a top issue facing companies. The question is: Are leaders taking action or expecting their CISO to fix the problem? We've found the answer requires both. In another role, we were able to get the C-suite to establish security goals as part of their annual objectives. These goals were ones that the C-suite, not just the CISOs, were measured against. That was a successful cultural change.

It's time that we recognize security for what it is: a business and leadership concern. Executives must prioritize security in the same way they do all other business risks. They must recognize that not all the actions to address the risk will begin with the CISO. In fact, they are likely to find most do not. The CISO needs to develop the strategy, guide and advise throughout the process, provide measures, teach, and coach, but the CISO can help the most by accepting that they cannot be the one who does it all, regardless of the size of the team. Without leadership from the top, cybersecurity will remain siloed and viewed as a specialized technical issue rather than the cultural one it is.

For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail. Cybersecurity needs to be part of the culture, and security needs to be at the core of the company, led by executives. It's no longer good enough for the security department to be the last stop on a checklist of things to do; we need a team approach instead.


Troy Mattern is the Vice President for Product and Services Cybersecurity at Motorola Solutions. Having joined Motorola Solutions in June 2017, he leads all policy, strategy, and prioritization for cybersecurity efforts pertaining to Motorola Solutions Products and Services. ... View Full Bio
Comments
troymattern, User Rank: Author, 11/26/2018 | 12:54:09 PM
Re: Why CYBER security?
I've heard the "Cybersecurity" vs "Information Security" debate and know some people think there is real value in sorting it out. However, I don't think this is where we should be spending time. I tend to fall into the camp that thinks the train has left the station on this. Why? Because our Boards and the C-Suites are hearing "Cyber" and that is what has them concerned. From regulatory bodies, to news articles and their own peers, it is "cyber" they are being bombarded with. Therefore, I tend to think there is more value in using that term than in trying to get them, or our community, to use another one. That said, if "information security" works for your C-suite, run with it. Where I think the danger comes is when experts paint the issue as a technical one only, or when they allow the belief that only the security team can or should address it. The security team should be the source of the strategy, but that strategy should be looking at what the whole organization needs to do, not just those who work for the CISO.

I am a strong believer in transparency and making it clear what the security team can and should do, but also what we can't do and where the rest of the organization needs to help if we are to succeed. When we are able to show those limitations, then I think it becomes easier to address the "cyber = technology = I don't understand it = someone else's problem" mindset. That is why I like painting this as risk management. In most, though certainly not all, organizations, when a corporate risk is identified and the treatment plan is agreed to, there are actions in that plan which end up being the responsibility of teams across the business to deliver. Example: If there is a regulatory risk about the disposal of certain wastes, then product production, procurement, facilities, and the compliance team are all involved in the treatment plan for that risk. Businesses get that, yet too often in cyber, or information security, it falls exclusively on the security team. Sometimes that is the business failing to understand the team sport we are playing; sometimes it is the security leadership thinking they have to do it by themselves. Regardless of the reason, if we don't change, we will fail.

What's more, in many cases the security program will cost less and will be more effective when the treatment plan involves more than just the security team. Often, security teams try to compensate with more staff or technology when partnerships are more effective. I've kept my own team relatively small by the standards of most companies our size, but in partnering across the business with champions who are organic to other teams, I have more than 4X as many security representatives, and growing, in various departments than in my own team. The best part is many of those are in the teams that actually do own the assets that affect our risk. Those champions are the only way we could have effectively scaled, helped influence local culture, and continued to drive the behaviors we decided as a company we want. However, without buy-in from across the business segments we could never have implemented such a large champion program, and it would have taken us much longer at much greater cost to have impact. I also doubt that impact would have been as meaningful.

eatondave, User Rank: Strategist, 11/21/2018 | 3:46:54 AM
Why CYBER security?
Surely part of the problem stems from the name. To many (most?) people outside of our bubble cyber=technology=I don't understand it=someone else's problem.

As someone said on another post, "cyber" scores lots of ninja points, but I'm unconvinced moving to cyber security from information security actually moved our cause along very far, although I'm sure it's resulted in many more sales of shiny things.