You can’t get there from here

August 26, 2015 Sam Curry

In the last few blogs, we looked at how infrastructure breach is inevitable, but information breach isn’t; and we talked about how the key to avoiding information breach is very people-centric.  Most recently, we discussed the importance of logistics and supporting people with the right infrastructure and investment.  This raises a bigger question of “how do you get to that level of maturity?” and the wider topic of corporate security maturity in general.

This is where having a model is crucial.  There is clearly an evolution (and in some cases devolution) to security maturity.  While the idiosyncrasies of powerful personalities or the peculiarities of geography and vertical play a massive role in how a company matures, there’s a general path that we can outline for how companies get more mature.  I use a simple model with four levels or steps, mentally, when talking with CISOs and for my own security department.  Without further ado, here it is:

[Image: the four-step security maturity model, with the steps numbered 1 through 4]

I’ve numbered each step here for ease of reference and discussion.  It’s worth mentioning that I’ve seen articulations from others with as few as 3 steps or as many as 7, but I like using 4 for a few reasons.  First, the steps represent meaningful changes in org structure, perception by peers and superiors, and operational behaviors.  Second, these steps may put a lot into each level, but it’s a big deal to move from one to the other, usually around an institutionally “traumatic” experience like weathering a regulatory assault or surviving a breach — something that shakes up the status quo.  Third, I have experience in each of these and with the “phase changes” among them; and finally, each actually has a meaningful change in impact on the business, with meaningful truths and guidance that are common to the collection of companies at that level.

In the end, I like it and find it useful; and examining this will help companies plot their course of maturity and line themselves up to get the logistics right and hopefully “invert the spending” pyramid at least a little, which can have meaningful results.

Before continuing, it’s important to note that any company at a particular level can only really understand the journey “up” one level and always fears the backslide of one level.  If you start talking to a company at level 1 in the checklist phase, or at level 2 around compliance, about getting to the business risk phase, you will come across as a little crazy and, to a certain degree, as out of touch with reality.  Having said that, let’s dive into the details of each phase.

The “checklist” phase is first: this represents companies that see security as a series of lists.  I have a firewall…check.  I have AV…check.  I have IDS…check.  I have strong authentication…check.  You get the picture.  In this world, security is seen as a group of technical specialists, usually subordinate to IT, who are basically a tax on the business.  Teams are small and are largely ignored and completely misunderstood by the business.  This is where we were as an industry back when security was <2% of IT spend.  I sometimes refer to CISOs (who rarely get a “C” in the title here) as “Dr. No.”  They are the ones everyone avoids because they will say “no” and are perceived generally to not understand the business.

The second phase is the “compliance” phase, and the usual progression from checklist to compliance is a painful one.  The business is usually painfully interrupted by Legal, by R&D or even by Auditors telling it that it needs to worry about something new that will distract the business.  It takes “Dr. No” and makes them “Dr. Oh No!”


Regulations exist for a reason: to tell people to do something they otherwise wouldn’t do.  If you see a “don’t smoke” sign, it’s there because without it, people would smoke!  You can tell a lot from what signs (and slogans) people use and adopt.

Personally, I always worry about the colleague who has “do a good turn” or “be nice” signs up in their office…because that person needs a reminder.

This is true with regulations as well.  When they first come out, they gently correct.  Then the penalties go up.  Then the specificity goes up until results are finally met.  Everyone tries to get grandfathered early in regulatory cycles — this is the “it doesn’t apply to me” world.  And eventually the regulations catch up.

In Phase 2, security gets attention because it’s seen as a new source of cost.  Sometimes the department will move to Legal or to the CFO or even to a risk committee, which aren’t bad fates in and of themselves because checks and balances are healthy.  But it can be dangerous as a dead-end for a security team.  It can also be really rough for the security mandate because the big danger in this second phase is that security will be perceived as synonymous with being compliant, and that’s a disaster.  Regulations establish the minimum baseline for security, not the pinnacle and goal to be achieved.

The third phase is all about “IT Risk” and usually requires something traumatic to happen as well: to get here a company normally has to have a scary incident or even a breach.  The company suddenly “gets security religion” and looks for CISOs from outside.  They bring someone in who is a “hero” to “fix” the security department.  In this phase, the department gets a massive and sometimes unhealthy influx of funding, growing by an order of magnitude or even two!

In the IT risk phase, security begins to have a better and healthier two-way dialog with peers and superiors.  It’s at least understood that there is risk in IT and that the job of security is to reduce that…but the department isn’t really measuring it or even looking at it in a universal language or light.  This is where departmental bloat is highest.

The fourth and final phase is a business risk-centric phase.  This is where the language of security is the same as it is for other forms of risk: Operations, Finance, Legal, Physical, etc.  In other words, security grows up.  This is where security tends to shrink because it isn’t about hoarding everything with the word “security” in it.  AV updates…give that to IT.  FW rules…give that to IT.  Password resets…hey IT, can you handle that?  The real mission of a phase 4 company is twofold: first governance and monitoring and second incident management.

Governance and monitoring are important because they set the posture and policies for the company and then make those verifiable.  The energy of the department here should go into making security feed and influence universal corporate metrics and KPIs.  The incident management part is the ability to actually stop bad guys: maximizing resources in terms of people, infrastructure, tools and intelligence to get results.  This is where the human-to-human race is run with little distraction and intense focus on the “sharp end.”

While it may seem impossible to get from a 1 or 2 to a 4, as those are too far away, or even to get from a 3 to a 4 without a change in leadership or a traumatic event, this doesn’t have to be the case.  Security leaders in a phase 1 or 2 can carve out some resources, even partial use of people’s time, to focus on the key missions of a phase 4, business risk-centric company.  It will require a lot of growth and networking and soft skills on the part of a CISO, but carving out 20 percent of 3 FTE resources to work on incident management and intel, and even dedicating SME time to work with IT to operationalize key security functions, while sounding counter-intuitive, can produce results.

If you’re not at phase 4 and don’t want to just build an empire at phase 3, you can look to catalyze the maturation of your company.  Look to the phase 4s that you know and duplicate their functions gradually.  Produce results that the business notices and can act on and, most importantly, make sure that you aren’t seen as Dr. No or Dr. Oh No!  Perhaps the hardest thing for people who’ve been stuck in a phase for a long time is to suddenly be taken seriously by business peers (just as CISOs new to a company who are parachuted in have the opposite problem of proving their mojo to subordinates).  It can be done, however, and this corporate journey and quest to reach phase 4 is a tremendous motivator for us in the industry to plot our personal growth and future careers to a noble and critical narrative of what we stand for.

So even if I started with a Bert & I phrase, I’ll end this posting with “you can get there from here.”


The post You can’t get there from here appeared first on Arbor Insights - Our People, Products and Perspective.