CISOs Must “Think Different”

Remember the “Think Different” advertising campaign from Apple?  It ran from 1997 to 2000 and featured bigger-than-life personalities like Buckminster Fuller, Martin Luther King, and Pablo Picasso. 

The “Think Different” ads coincided with Steve Jobs’s return to Apple and exemplify his somewhat contrarian and analytical mindset.  In a PBS interview, Jobs offered this philosophical insight about life:

“The minute that you understand that you can poke life and actually something will, you know if you push in, something will pop out the other side, that you can change it, you can mold it. That’s maybe the most important thing. It’s to shake off this erroneous notion that life is there and you’re just gonna live in it, versus embrace it, change it, improve it, make your mark upon it.

I think that’s very important and however you learn that, once you learn it, you’ll want to change life and make it better, cause it’s kind of messed up, in a lot of ways. Once you learn that, you’ll never be the same again.”

Jobs’s playful observation about life is actually sage advice for CISOs circa 2014.  Since the early days of computer security, many cybersecurity practitioners have developed a set of aphorisms they live by like best-of-breed security products, an emphasis on endpoint and perimeter defenses, and an aversion toward automated enforcement.  Yes, these concepts are still worth considering but it’s clear that cyber criminals have become adept at circumventing status quo ideals and defenses.

To paraphrase Steve Jobs, CISOs must ‘shake off their erroneous notion that cybersecurity is there … versus embrace it, change it, mold it, improve it, and make their mark upon it.’  This requires that they “think different” about:

1.  The security organization and processes.  Many security organizations today resemble a production line.  Security events and tasks roll down a conveyer belt while each security staff member performs their individual duties.  Unfortunately, this has led to a dependence on individuals, manual processes, specialized tools, and limited cooperation.  Rather than continue this inefficient cybersecurity churn, CISOs should instead seek out the lessons learned from “Lean Manufacturing” most closely associated with the Toyota Total Production System (TPS).  TPS really stressed a focus on process flow, teamwork, consensus building, and continuous improvement.  CISOs can use these concepts to improve workflow.  For example, the handoff between the security and IT operations team is often fraught with process issues, redundant tasks, and wasted time.  These bottlenecks must be identified and fixed. 

2.  Cybersecurity systems.  Here’s another lesson from lean manufacturing – the whole is greater than the sum of its parts.  I actually wrote a blog with this title recently but here’s a synopsis.  Each individual employee, process, and tool is important on its own, but it is far more important that each discrete puzzle piece contributes to the entire cybersecurity system in a harmonious and cooperative way.  CISOs didn’t really follow this thinking in the past and often built their organizations, processes, and technical infrastructure from the bottom-up based upon individual point tools and other assorted technologies.  Even if this model still works today, security professionals must realize that it is a non-scalable kludge at best.  CISOs must “think different” by setting strategy and goals from the top-down henceforth and then create the cybersecurity systems with common archetypes and goals. 

3.  Personnel.  The cybersecurity skills shortage is acute, global, and this situation won’t change anytime soon.  This means that CISOs must put way more effort into working with Universities and cybersecurity training organizations, participating in STEM programs, hiring and training junior people, and investing in their senior high-value cybersecurity employees.  This will demand an honest assessment of security skills and an inclusive culture across the security and IT organization, so CISOs may want to enlist some help from HR experts trained in organizational development.  Finally, CISOs should set goals for outsourcing security two types of security tasks:  a) Pedestrian tasks like vulnerability scanning, email security, or web filtering that could easily be offloaded to a SaaS provider, and b) Complex High-IQ tasks like security analytics and incident detection where the existing staff may lack skills or adequate staffing to succeed on its own.  The ultimate goal is to make the security staff work smarter, not harder. 

4.  Skills development.  Cornell Computer Science professor Fred Schneider has long advocated a broad education for cybersecurity professionals that includes technical, mathematics, business, legal, organizational, and International studies as part of the curriculum.  Makes sense to me as today’s CISOs need the right chops in each of these areas.  I know a lot of CISOs and they tend to come from one of three areas:  IT, law enforcement, or military/intelligence.  A good foundation but not enough.  CISO managers (i.e. CIOs, COOs, etc.) should encourage and reward their security executives for a commitment to continuous education that helps them become better business managers, risk managers, and cybersecurity leaders. 

5.  Security technology.  I realize that my first 4 points sound rather academic but this one is as practical and necessary as it gets.  CISOs must question all of their preconceived beliefs about security technology moving forward for one simple reason – the old model no longer works.  This means that CISOs must push their teams to scrutinize every technical decision, bone up on the latest innovation, and explore creative alternatives at all times.  As above, they must also emphasize the benefits of a collective security architecture over the individual contributions of individual point tools.  Just look at what’s happened to security technology in the past few years alone:  FireEye refreshed the anti-malware market, Palo Alto Networks reinvented the definition of firewall, and Splunk provided a new model for security data management, data queries, rule creation, and dashboards.  In the meantime, companies like Blue Coat, Cisco, HP, IBM, McAfee, and RSA Security gobbled up a bunch of security innovators (ArcSight, NetWitness, QRadar, Solera Networks, Sourcefire, Stonesoft, etc.) to refresh their portfolios and security coverage.  CISOs need to “think different” about seurity technology to protect the business – not just IT assets.   

I really miss Steve Jobs – I kind of grew up with him in the industry and he really had a knack for looking at the world in unique ways.  CISOs need to take a page from Steve Jobs and “think different” about what they do and how they do it.  The bad guys know every line of the existing playbook and how to overcome everything we relied on in the past.  Given this new reality, it’s high time that CISOs “think different” and embrace cybersecurity creativity, innovation, and continuous improvement.