As previously discussed, we are where we’ve been with cybersecurity, and something must change. I presented problems around a lack of agility or thinking outside of the box for cyber defenders. Professionals working in information security tend to react rather than foresee challenges. There are a number of actions to take that could shift the balance of power between attackers and defenders. To begin, we must acknowledge that we have a problem. Next, executives must engage at a deeper level. Finally, by shifting the technical vision, defenders can take a drastic step forward.
When individuals and enterprises understand that a problem exists, they have the opportunity to isolate, address and resolve it. Our profession must take this first step. After acknowledging the problem, we need a real change in vision and implementation from executive leaders. Rather than just spending money and delegating to subordinates, executives must understand the impact cybersecurity has on the business as a whole. Additionally, enterprises need to investigate, understand and properly deploy technologies that will solve their particular challenges. We need to shift our focus from an external position to an internal view. Solutions exist, and if organizations properly deploy them, information security could see a reduction in the quantity and severity of attacks.
Human nature tends to move forward with perpetual motion. Unique individuals such as Benjamin Franklin, Thomas Edison, Elon Musk and so many more saw the need to address challenges from different perspectives. As information security professionals, we continue down the same paths hoping to reach a different goal. It is time this profession came to terms with the fact that we need to make substantial changes. I challenge readers to see what’s happening and realize that attackers are more aggressive, and we are failing to stem the tide. Recognize that a problem exists and shift mindsets to tackle it from varying and unique perspectives. Stop going along to get along, and name the problem.
After understanding that a problem exists, leaders must lead. Rather than pushing problems to subordinates, departments or business units, executives need to step in and play a regular and involved role in information security. CEOs must have security on their agendas regularly and engage the entire C-Suite. Every member of the executive staff plays a role in cyber defenses, and until businesses put this fact to work, little will change. Leaders should create measurable, attainable and relevant goals for their organization. No longer can we rely on the CIO or CISO to protect the organization; everyone must engage, understand, act and lead.
New technologies exist that play a major role in defending internal networks. Businesses must begin focusing on these segments and how data traverses them. While we must understand and defend against external attacks, focus should shift toward internal threats. By implementing technologies such as software defined networks (SDN), network function virtualization (NFV), network segmentation, data classification and data management, among others, organizations can substantially enhance their defensive postures. Businesses must understand that proper, effective and rapid deployment must follow technology acquisition. A purchased solution protects an organization only when it is properly deployed. While this sounds obvious and intuitive, all too often my clients buy technology only to see it become “shelf ware.” Understand the need, procure the proper product and then deploy it to receive its benefit.
People learn the most when they are uncomfortable. Change causes struggle and creates anxiety, fear and numerous other feelings most people would rather avoid. Cybersecurity professionals must accept the challenge and change. This will most likely create other issues in the business, and that should not discourage action. Staff will have to retrain. Certain employees will have to learn more complex technology, which may create additional anxiety and fear. Some individuals may even lose their jobs. While these outcomes appear painful, and some may believe them unnecessary, we must act. Taking on challenges and struggles invariably leads to growth. Growing cybersecurity maturity benefits the business, consumers and third parties involved with any organization bold enough to act. If we do what we have always done, we will stay where we are, and that is not a good place.
The comments, suggestions and statements in this article are my own and don’t necessarily represent IBM’s positions, strategies or opinions.