Make Cybersecurity a Team Sport
By Frederick Scholl, Cybersecurity Program Director, Quinnipiac University
Last month’s National Cybersecurity Awareness theme was “See Yourself in Cyber”. I interpreted this to encourage more people to engage with security and not just be “awareness trained”. How can CISO’s make use of this theme to improve security in their organizations? I see the opportunity to build two-way communication across the business. Part one is engaging business teams when building out security controls. Part two is ensuring business leaders understand their role in security defense. Both activities should overlap in time.
The 2023 IT Trends survey by the Society for Information Management (SIM) highlights this need. The SIM report highlights IT management’s top concerns as (1) cybersecurity and (2) alignment with the business. On the other hand, IT executives reported that their cybersecurity readiness had improved by less than 2% year over year. Despite the high level of concern, we still have not found the cybersecurity Rosetta stone.
Too often in the past, security controls have been implemented to meet compliance requirements. This started with SOX (2002), followed by PCI DSS (2004) and HIPAA (2005); today, there are many more standards and frameworks to choose from. After the CISO and compliance officer design the needed controls, we head off to business units to make them aware of what they need to do. Sometimes we forget that humans need to operate these controls. No wonder that 82% of breaches involve the human element (Verizon Data Breach Report 2022); of this number, 13% involve configuration errors.
In summary, as CISO’s implement a team approach to cybersecurity, they can expect three benefits: more buy in from business executives, to prioritize security; more reliable and effective security controls (better execution); and more cooperation across silos to get controls implemented in the first place.
A framework like the popular CSF (Framework for Improving Critical Infrastructure Cybersecurity) has 108 controls to implement. But each control is operated by a human. Too often, we choose cool security designs and products over control efficiency. Remember that control effectiveness is the product of control design and efficiency. Some of the frameworks, like CSF, may even be too general to be effective. You can align with CSF but still have controls that are not repeatable (i.e., running at Tier 1 or Tier 2). It is true that controls may be automated or even make use of AI. But until the technology becomes static, and cybercriminals no longer change their playbooks, we will need to rely on human operation and oversight.
It is too late to re-engineer all security controls in a business. But when designing new systems or controls or software, there is still time to use a more human centric approach. The “Design Thinking” methodology is just such an approach. It focuses on empathy with the human participant, brainstorming and using iterations when implementing new systems or controls. How often is this process used when implementing security controls? Not often. One exception was a local banking security executive who recently described to me using this approach when rolling out new MFA controls. Users were polled to provide feedback on the control utility from their point of view.
Another common situation is that CISO’s do not have sufficient staff for effective risk management. The latest ISC2 Workforce Report (2022) finds that 49% of organizations have a “significant” shortage of cybersecurity staff to prevent and troubleshoot security issues. More broadly, ISC2 reports that the cybersecurity workforce gap in the US increased by 9% year over year. On the other hand, Helen Patton, in an interesting post on Medium (“Why Business Aligned Cybersecurity Means Less Cybersecurity”), argues that security professionals should learn to do more with less. Sort of like Tom Sawyer, who engaged his friends to whitewash the fence, security professionals can and must engage in business and internal audits to support risk management processes.
Doing this is made easier by using the IIA Three Lines Model (2020). The three lines being (1) business operations, (2) security and risk and (3) internal audit. Formerly the “Three Lines of Defense” model, the revision emphasizes collaboration between cybersecurity and business and IT operations. The latter two functions run the security controls under the guidance of the CISO role. Internal Audit can also be engaged to provide advice and counsel on matters not being audited. So rather than searching for non-existent cyber professionals, make your business managers active partners in securing value in the organization. At my university, we have developed short form cybersecurity training programs in healthcare and finance, focused on enabling business managers to more effectively play their part in risk management. In summary, as CISO’s implement a team approach to cybersecurity, they can expect three benefits: more buy in from business executives, to prioritize security; more reliable and effective security controls (better execution); and more cooperation across silos to get controls implemented in the first place.