When tactics get in the way of strategy

Buying the latest antivirus software or firewall can help bolster enterprise cybersecurity, but don’t confuse tactical responses to cyberattacks with strategy.

To be sure, tactics and strategy are inextricably intertwined and both are crucial components of any cyberplan. But there’s a temptation to conflate the two, a misunderstanding that dooms organizations to play a losing game of catch-up.

This is more than a minor semantic distinction. If tactics are not moored to a broader organizational strategy, IT is always going to wind up applying security fixes only after the damage is already done.

Cybercriminals constantly change the terms of engagement and technologies in response to obstacles that defenders erect in their way. CSOs now find themselves battling against a multiplicity of actors - including nation-state actors, cybercriminals, hacktivists, and non-state “for-hire” groups - who are on the cutting edge when it comes to techniques and procedures.

Organizations can’t make progress in this escalating war of attrition if they simply hunker down behind their traditional security perimeters and respond to new threats on an ad hoc basis.

What’s more, the traditional thinking about perimeter security and how to protect an organization’s digital assets is also evolving. With the advent of cloud computing, for example, data no longer resides just within the corporate data center. Cybersecurity now requires broader strategic discussions about what assets to prioritize based upon their value to the organization.

Don’t blame this on IT

Former French Prime Minister Georges Clemenceau had it right when he famously noted a century ago that war is too important to be left to the generals. By the same measure, cybersecurity is just too important to entrust to the folks in charge of the IT department anymore.

That’s not a knock against IT, which naturally is going to approach the world of cyberthreats through the lens of their own experience and defend against threats to technology by deploying technology on an as-needed basis. There’s nothing necessarily wrong with IT’s adoption of a tactical approach. But this is where the C-suite has to take charge and weave cybersecurity tactics into the fabric of a larger corporate strategy.

Avoiding the disconnect

In the end, business and IT leaders need to jointly articulate the organization’s overall security priorities. Once they have agreed upon a plan, IT can come up with a technology implementation roadmap to plug any security holes with the necessary hardware and software.

We’re at a juncture in history where the consequences of a crippling cyberattack can ruin a business, and it’s not hyperbole to note that any organization is only a few hacks away from disaster. CEOs and their boards don’t have a choice: Either they align risk management with overall strategy or they entrust their organizations’ future to fate.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2016 IDG Communications, Inc.