What digital change means for cybersecurity: Rip up the playbook and take risks
Regulations and checklists prohibit CISOs from doing things. Urban legend or truth?
The real value of having a playbook is knowing when to scrap it. When companies are connected in a supply chain-like manner, turmoil for one could mean trouble for all.
All digital innovation involves cybersecurity. Companies say they want to take risks, but are shackled by standards and potential threats. To alleviate inhibitors of innovation, read between the lines of a regulation's checklist.
Companies just beginning to adopt cybersecurity are more likely to have their boards responsible for processes, as opposed to leaders who assign responsibility to a CISO, according to an ESI ThoughtLab survey of 1,300 international executives with knowledge of their companies' cybersecurity maturation.
While CISOs shouldn't carry all the responsibility for security, they are the beacon of security strategy and implementation. A company's infrastructure can suffer without a security leader.
The majority of digital beginners, 68%, are also cybersecurity beginners and only 3% are cybersecurity leaders. But cybersecurity is a unique function because it cannot be siloed in individual companies and the leaders need to start paying attention to the beginners they're partners with.
Companies are reliant on their partners' security maturation because, as supply chain attacks have showcased in the last year, one partner's cyberattack is another partner's problem too.
Malware presents the largest impact on businesses for 81% of respondents, and over the next two years supply chain and web application attacks are expected to increase their business impact, according to the report.
"We get frustrated by partners who are a little behind the curve," said John Felker, director, National Cybersecurity and Communications Integration Center at the Department of Homeland Security, while speaking at the Symantec Symposium in Washington Tuesday.
Run, then walk
While digital innovation is ushering in mostly positive change, 56% of respondents agree new technologies like AI, IoT and blockchain have the largest impact on their security. But the speed of their digital transformation is only a security issue for one-fourth of respondents.
Taking risks is sometimes a big ask for companies because leadership fears security will be compromised. But the majority of respondents agreed that the speed of their transformation has proven to have low impact.
This process can be hard when frameworks, like the one from the National Institute of Standards and Technology (NIST), are treated like gospel instead of guidelines.
The pillars of NIST include identify, protect, detect, respond and recover. About 27% of companies score the highest with protect but score the lowest with recover, according to the report.
But in a perfect IT and security world, Felker said, some inconsistencies in standards like NIST would be addressed. Frameworks and standards like NIST at times impose a security checklist that can disrupt the speed of risk-taking, he said.
Organizations need their CISOs to stop giving "the Heisman" and not "hide behind some regulation," Felker said. It's "urban legend" that regulations and checklists prohibit CISOs from doing things.
Once a checklist becomes too long, it actually stalls innovation and has the potential to make things less safe, according to Felker. Companies just need to know that the data in new developments is already safe and that they won't aggravate other things in the network. Then approved risk can happen.
Experimenting with rapid deployments cultivated from DevOps is important. Waiting for security to catch up sometimes feels too debilitating and can actually cause security to slip.
It feels like "I'm running with scissors and not getting cut," said Lauren Knausenberger, director of cyberspace innovation in the U.S. Air Force, while speaking at the Symantec Symposium.
Knausenberger treats agile software development for security like the FDA treats beef inspection; she doesn't examine every piece that is produced for approval. "We don't inspect every piece of meat, we inspect the process," she said.
Security experts require clear network visibility and security accountability for this process to work.
Where to look for threats
When delving into digital innovation and change, there are three components to assess: IT, security and the user, said Felker. Getting everyone in the same room, from developers to security personnel, is key to making necessary tradeoffs.
Operations and functions may take the backseat to security at times, but when cybercrime is estimated to cost the world about $6 trillion by 2021, it's a tradeoff leadership will most likely be willing to make, according to Cybersecurity Ventures.
These precautions are recommended because at the receiving end of all change are users and non-technical employees. The greatest cybersecurity risk for 87% of respondents is untrained employees, followed by unsophisticated hackers and cybercriminals, according to the report.
Untrained employees are usually an indication of a company culture that is unsupportive of, or not knowledgeable about, cybersecurity. Defining security protocols, customizing training by departmental risk and creating tabletop exercises can shift employee mentality to a more sophisticated view of security.
Even cybersecurity professionals need coaching from cyber defense veterans, according to Knausenberger. It's easy for newer security professionals to get hung up on checklists and let creativity suffer.
Follow Samantha Ann Schwartz on Twitter