As the number of connected devices on networks, and the threats that follow them, increase at a rate that is practically immeasurable, many organizations are making the mistake of fighting fire with fire. They are meeting complexity with complexity — a moment-to-moment tactical response that reduces their cybersecurity to an inefficient collection of vendors, protocols and operating systems. At best, the data that serves as their most valuable asset is surrounded by a bolted-on security architecture that grows increasingly difficult and costly to integrate and maintain. At worst, they have created the equivalent of a sieve — a network that leaves gaps through which bad actors can slip in and out, at times without detection.
In the endless sprint to mitigate rapidly emerging threats and new attacks as they reveal themselves in real time, many organizations have actually made themselves less safe. More than ever, a good rule of thumb is, “If it is not seamless, it is not secure.” But it is increasingly difficult to create that seamlessness with a reactive approach that is more tactical than strategic.
There are many contributing factors to how we got here — from the wild proliferation of mobile, to the increasing sophistication of attacks for profit and malice alike, to the explosion of security vendors top-heavy on marketing and latest-greatest solutions but light on alignment, to a C-suite scrambling to stay afloat in a monsoon of data and a digital global marketplace.
There is one thing that is not responsible, though: This is not the result of a lack of insight or understanding on the part of CISOs.
A C-level position still in its relative infancy, the CISO role arose three to five years ago as a solution to the stark new realities of cybersecurity — which is like hiring a fire chief after the wildfires are raging out of control and directing him to build a fire department to put them out.
Or, more specifically, it is like hiring a fire chief with wildfires already raging while also telling him that access to water and oversight of its use must be obtained from the utility chief. And he must seek prior authorization from the traffic chief if he wants to race to the scene of the fire and have other vehicles yield to his sirens. And if he makes it to the scene in time, he must receive collaborative consensus to determine which burning infrastructures he should protect and which teams he may use to save them.
This may sound absurd, but it is a disconcertingly accurate metaphor for how cybersecurity is internally structured at many organizations.
With hands tied by the inheritance of a patchwork security network, and threats raging all around them, CISOs are often placed in an impossible position. Though they are doing their best to secure their organizations’ systems, the speed and volume of today’s data and threats have placed them in a winless double bind. Everything is moving so fast that it is difficult to pull away from the whack-a-mole approach of the present: staving off attacks and patching vulnerabilities as they appear. But each time they do pull away, there is the realization that they are winning battles and losing wars.
There is no greater threat to an organization’s data than the complexities that have arisen in the duplicative range of vendors and products that form many enterprise network security solutions. It is not hyperbole to say that many networks house more than 50 different security products and vendors — some overlapping, others leaving wide gaps unprotected and many not able to communicate with each other to align protection when a threat is detected.
Add to that a disconcerting lack of cybersecurity talent that the industry is facing and the internal politics of protecting a network overseen and directed by a separate C-suite executive who may have conflicting directives and incentives for success.
While threat analysts — and new security vendors that are making the industry feel more like a rush-hour subway — are quick to attribute the explosion in attacks, and the damage they cause, to the evolving sophistication and automation of bad actors, external threats alone are not the sole cause. And often, they are not even the major cause.
Are threat assessment and mitigation absolutely critical to effective cybersecurity? Undeniably. Is it possible to maintain effective cybersecurity protocols and practices through threat mitigation alone? Absolutely not.
As today’s networks become increasingly over-engineered and under-protected, the only people who will benefit from more internal security complexity are vendors and hackers. That is in no way an equivalency between the two. But it is the result of a mindset that offers short-term solutions and gains at the expense of the long-term health and security of data.
So where to begin?
Quite simply, with simplicity. We can’t allow our love of technology and innovation to work against us. It is too easy, especially as threat levels escalate in severity, to search for yet another product or service to save us and be distracted at the expense of sound business principles like clarity, alignment and efficiency.
All the vision and cutting-edge tools cannot make a difference if organizational confusion and conflict reign supreme. There are many advantages to compartmentalization within the network itself. But that conversation is premature if there is compartmentalization among the executives of an organization.
Effective cybersecurity must begin with C-suite decision makers and how they structure and align leadership roles and resources. As if there is not already enough on their plates, today’s CISOs must coordinate between themselves, the CIOs and the CEOs of their companies. While that may at times feel like another challenge unto itself, it is the only way they will have the resources, cooperation and mandate to fight the fires that will continue to rage around them. There is simply too much at stake to experiment with going it alone. CISOs must lead the conversation, internally and externally, that will create the clarity and alignment that are increasingly fundamental to effective cybersecurity today.