How to reboot a broken or outdated security strategy

CISOs talk about how they identify when they need a new security strategy and the process of developing it and selling the reboot to stakeholders.


An enterprise security strategy should be like a weather report: subject to frequent updates. Allowing a security plan to fall out of sync with current and emerging threats, as well as evolving enterprise technologies and interests, can open the door to financial and reputational catastrophes.

Many elements contribute to a comprehensive security strategy and just as many factors can break or outdate a once-formidable security blueprint. "People, process, and technology are the key areas," says Greg Carrico, senior cybersecurity manager at business and technology consulting firm Capgemini North America. "Companies that don't maintain a pulse on current events, process automation, review cycles and current technical skillsets may continue to struggle with the protection of their most critical items without even realizing that threat actors have set their proverbial sights on them."

Indicators of an ineffective security strategy

The best security plans are crisp, relevant, and easily understood by everyone across the entire enterprise. "Your strategy needs to be feasible, acceptable, suitable, affordable, and understandable," says Brigadier General (retired) Gregory J. Touhill, the first federal CISO and currently an adjunct professor at Carnegie Mellon University's Heinz College of Information Systems and Public Policy. "As a military commander, I knew our strategy was outdated or ineffective when my troops couldn’t articulate it to me," he says. "When the troops don’t know your strategy, or how they are contributing to it, that is a major alarm bell."

An obvious sign of an outdated security strategy is an overall lack of relevance. "To ensure that critical security resources are helping to meet key strategic objectives, it's imperative for the security strategy to be directly aligned to the core components in an organization's business strategy," says Brennan P. Baybeck, an Oracle vice president and CISO for customer services.

Another key indication of an outdated security plan is that it's driven by compliance. "Although compliance can be an important and necessary component in many security strategies, it should not be used to drive the overall security strategy, even in organizations with smaller programs and limited resources," Baybeck warns.

A faulty security plan can usually be quickly revealed with a little basic discovery and conversations with associates about the enterprise's current security culture and internal accountability measures. "Key indicators include a heavy reliance on policies with a lack of security budget and tooling," says Annalea Ilg, CISO at business transformation advisory firm Involta. Other indicators include a lack of security management, poor documentation, and a failure to embrace holistic security.

Another sign of an outdated security plan is when an organization continually finds itself struggling reactively to threats, says George Freeman, a fraud and identity solutions consultant with LexisNexis Risk Solutions Government. "For example, an organization's defense-in-depth security strategy commonly finds itself running out of resources battling threats that keep appearing on its internal protected networks," he notes.

Align security strategy with risk

Any planned security strategy reboot should be designed to remain in step with an organization's current risk outlook. "There are various factors that may cause an organization to change their risk appetite and tolerance, so it's important for cybersecurity leaders to understand these factors and adjust their strategy accordingly," advises Sounil Yu, CISO-in-residence at YL Ventures, a cybersecurity-focused venture capital firm.

Factors that are particularly relevant to cybersecurity planning include changes to the current business, technology, or threat environment. "When one or more of these factors have changed, and the strategy did not anticipate the changes, signs emerge to suggest that the strategy is outdated and needs to be rebooted," Yu explains.

Security reboot planning and preparation

Identifying which security strategies and tactics are working and which are failing is typically the first step in launching a security reboot. The process continues with pinpointing the organization's current and planned needs and objectives, and then determining how the new security strategy will help achieve those goals. "Make sure you're developing communication channels with functional owners ... and understand their priorities," says Tom Conklin, CISO for data management platform provider Fivetran.

Brian Phillips, director of global security strategy at office visitor management technology developer Traction Guest, says he's found it useful to think creatively while planning from the ground up. "Forget about what systems you use and how you do things today," he suggests. Focus instead on what will be available to you tomorrow and build the new security strategy around that objective. "We should never let systems dictate our procedures or strategy," he adds. "A good security application will adhere to your process."

The rebooting initiative should partner with all enterprise business teams, not just IT and security leaders and personnel. "These days, every business team makes decisions and implements technical projects that have an impact on company security," observes Ben Waugh, CSO for healthcare technology provider Redox. "You should start by partnering with every one of these teams to understand how they work, what their needs are, and how they can be most impactful to the business."

To gain maximum insight into current and future enterprise security needs, Ben de Bont, CISO at workflow management platform developer ServiceNow, recommends conducting an anonymous survey of security team members at all levels to gauge satisfaction, collect details on current and potential obstacles, and solicit improvement ideas. "It's also important to communicate with your line-of-business leaders about their goals and intentions, and how security requirements, such as privacy obligations, regulations, and the attack surface, might change as a result of the reboot."

Yu urges reboot planners to seek advice from the widest possible range of stakeholders. "This is especially important for cybersecurity, since it involves challenges to long-held assumptions," he says. Obtaining input from as many relevant sources as possible helps to facilitate buy-in, while also ensuring that planners have obtained perspectives from knowledgeable individuals who might have otherwise been overlooked. With any revised strategy, people typically want to know why the changes are necessary. Deep stakeholder research will help dampen fears while encouraging plan support and compliance.

Ilg suggests organizing the reboot strategy along operational, tactical, and strategic lines. "You must bring people along on the journey," she says. "Pull together a team from different departments to help you implement ... a formal project timeline and milestones." Ilg recommends building enterprise-wide support by explaining why the reboot strategy is necessary and where it's headed. "If you can't figure out how to get buy-in, the strategy will be a constant uphill battle."

Selling a security reboot to stakeholders

A popular way to sell a security reboot to management is by showing how the strategy will position the organization to increase revenue or qualify for new revenue opportunities, says Jeremy Haas, a former CIA and US Air Force cybersecurity expert, currently CTO and CISO at LookingGlass Cyber Solutions. When strong security is presented as a method of market differentiation, it becomes a sales enabler rather than an overhead cost, he explains. "We see this often when organizations are serving customers in highly regulated industries, like financials, healthcare, or government."

Touhill believes that the best way to sell a rebooted security strategy to enterprise leaders is to support the case with meaningful and verifiable data. "Boards and senior leaders are traditionally swayed by compelling data and testimonials/expert recommendations," he says. "Building alliances within the organization is helpful in recruiting other senior leaders in the organization to speak in support of the new strategy."

A reboot is usually best received when security is presented to line-of-business leaders as a solutions enabler, Carrico says. "Demonstrating how the security program provides peace of mind to the end user, be it an internal employee or a customer of the company ... creates positive outcomes."

When making the pitch, don't attempt to snowball leadership with cryptic technical explanations, Ilg advises. "Speak in management terms and communicate what success looks like, along with the mission, vision, and relevance to the company," she says.

Copyright © 2021 IDG Communications, Inc.