I’d like to conduct a quick thought experiment. Before you continue reading, pause for a moment and conjure up an image of the person you think is most likely to be in charge of cybersecurity in any given modern-day company. What is the person’s title? What is the focus of their job or role? What does their day-to-day look like?
Take just a minute to think about this person and what type of interactions you’ve had together – if any.
Ready? OK let’s continue.
The security character you imagined (let’s call him “Security Guy”) is smart and people trust him. Security Guy knows a lot about computers and technology, and is adept at troubleshooting network issues, maintaining uptime and generally keeping the technology side of the house running. If you’re a Corporate Executive or you sit on the Board, you’ve probably seen presentations from him on the state of security. He’ll use stats and figures that show how many threats were stopped by your endpoint monitoring technology, the volume of activity in your SIEM system, and the average response time for software patch deployment.
His presentation sounds technologically advanced because it is. It sounds reassuring because you have no choice but to assume that it is. The truth is that this man – as qualified, intelligent and trustworthy as he is – cannot secure your organization, because cybersecurity is not a technology problem.
The Emerging Realization
The real problem with security is the assumption that cybersecurity is the exclusive domain of technologists. This assumption is terrifically dangerous because it ignores the vast majority of failure points in an organization – the workforce. Don’t get me wrong – the security technologies available today are critically important and very, very good at what they do. But a mature and robust security program is built of far more than just technology.
For example, think about the role human resources should play in providing training for the workforce. Do the leaders in HR and Security collaborate to ensure that the workforce is trained appropriately? Is the HR director a common attendee at meetings about the state of security awareness? This is an important dynamic to understand!
What about procurement? Do managers understand how to properly vet a supplier who will have access to critical company IT assets? If access is given, what processes exist to control which assets the vendor will be using?
And of fundamental importance – has the risk management function taken account of these critical IT assets? Do risk managers maintain a list of people who can access them?
Human resources, procurement, and risk management should all be well informed and actively involved in shaping the firm’s security posture. If they aren’t, your organization is operating with significant blind spots in a risky environment. It is time to expand the scope of cybersecurity to the other critical stakeholders in your firm.
Adopting a framework to probe these areas is a significant step toward identifying blind spots. Frameworks like the NIST Cybersecurity Framework, often referred to simply as “The Framework” and regarded as a gold standard, and the Department of Energy’s C2M2 both offer general guidance that can be tailored to a company’s specific needs.
Technology is absolutely necessary to address the cybersecurity problem, but it isn’t adequate to solve it. That requires standards-based assessment, monitoring, and management processes that give boards and management a clear picture about how to mitigate risk most effectively.
Taken together, these two frameworks form the backbone of Cybernance’s governance platform – the Cybergovernance Maturity Oversight Model (CMOM).