1. The rapid evolution of technology has hastened society’s transformation to a digital culture. The speed of this change has led to disparities in the levels of appropriate security and assurance for organizations, as information has become and continues to be the most valued corporate gem.

2. From the beginning of the digital revolution, public, private, and academic organizations have all dedicated resources to developing the IT security field of practice, and have made significant progress.

3. The openness and quantity of the systems connected to the Internet create an ever-expanding attack surface: wherever there is something of value, there will be those wishing to acquire that value.

4. The convergence of image, voice and data communications systems, and the reliance of organizations on those systems, coupled with the emerging threat of sophisticated adversaries and criminals seeking to compromise those systems, underscores the need for a cyber security and assurance function that is risk-based.

5. The shared infrastructures, services, and information between government and industry demonstrate the need for an innovative model of the roles, responsibilities, and competencies required for organizations to staff cyber security and assurance professionals.

6. The National Strategy to Secure Cyberspace, which provides direction for strengthening cyber security, was created to “engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact,” and acknowledged that “securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society, the Federal government, State and local governments, the private sector, and the American people.”

7. The ability to collect and analyze information regarding attacks and/or malware utilized to breach controls in information systems is required in order to understand the threats: who they are, what their intent is, and what capabilities they have. That understanding gives organizations a fighting chance at protecting systems and information.

8. Every organization needs someone and some entity (an authoritative source) to lead the effort at providing identification and aggregation of exploitable weaknesses in information systems and information. Who in our organization today is equipped to perform these tasks? Prioritization of countermeasures allows organizations to release high-quality products that are ‘control’ cost-effective.

9. Solutions that contain or resolve risks through analysis of threat activity and vulnerability data, and that provide timely and accurate responses, cannot be delivered by the uninitiated. The skills required to mitigate based upon business drivers are sometimes difficult to apply, as the work is time consuming and tedious, but prioritization, coupled with understanding the threats and vulnerabilities, assists in forming an effective mitigation strategy that must be communicated to organizational decision makers for disposition.

10. The ability of a trusted and authoritative source to mature and develop the defense of critical information systems and information, by compelling or influencing changes in organizational policy or procedure, allows organizations to review the threats, vulnerabilities exploited, attacks and overall system posture, and to implement policy and technology changes that assist in protecting the organizational gem. (If you haven’t done it by now ….)