The churn in cybersecurity leadership is no surprise to anyone. Incredible demand for experienced people, coupled with record salaries, leads to frequent job changes after relatively short tenures. Add the high rate of CISO burnout and you have a recipe for stirring the pot on a regular basis. When organizations bring in new leadership, those leaders default to the playbooks and contacts from their previous jobs, often regardless of a change in vertical or company size.
One of the largest mistakes we observe is organizations ripping out existing security solutions to implement the incoming senior leader’s “playbook”. There is no question that experience and past successes should and will be applied in a new role; however, it is imperative that documented risks and the current state of maturity are examined first. Most IT professionals have gone through a digital transformation of some sort, which raised the age-old question of build vs. buy. One area I repeatedly see overlooked is optimization. I believe in maximizing the value of the solutions you already have – you paid for them, so are you truly using your security stack to its full potential? In virtually all cases (particularly organizations with lower or unevenly distributed maturity), the answer is an unequivocal no. As a husband of 15 years, I know it takes hard work and commitment to work things through rather than taking the easy road to divorce. As new leaders emerge, divorcing the existing solution providers and value-added resellers is often the first thing that comes to mind.
Objective decision-making on technology solutions is lacking at nearly all organizations. A pretty interface or repeated use of terms like “Machine Learning” and “AI” looks shiny and impressive to security professionals. Are your technology teams partnering with the GRC program to align purchases with the highest identified risks? Are they involved in the decision-making? A GRC program is unlikely to be impressed by the gadgets a SOC team may lust over; if your budget is over-invested in areas that are already mature instead of in the gaps that map to your highest identified risks, you are bringing the wrong weapons to a never-ending gunfight.
Great programs evaluate their risks, compare them against best practices and frameworks, then prioritize. The record budgets of recent years are surely on the decline, so maximizing risk reduction per dollar spent should be your goal. Use your vendors to ensure their solutions are implemented to their full potential; many products now offer a scorecard of how completely they have been deployed and configured. By understanding what a solution can actually do, organizations can make stronger decisions about where to invest to reduce risk across people, processes, or technology. Do not fall for marketing hype and vendor booths until you understand the problems you are trying to solve.