“Security is 80% organization and 20% technology!” This a common motto for professionals who understand that tools cannot solve (never solved?) all cybersecurity issues. A long time ago, Bruce Schneier said, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
How can we manage and organize Cybersecurity in the age of Shadow IT, Cloud and IoT while regulatory pressure to protect personal data and critical infrastructures is higher than ever?
CONCEPT: STRUCTURES / FUNCTIONS / CULTURES
Talking about Organization transformation is a 3 dimension journey dealing with structures (boxes, hierarchies), functions (jobs, roles) and cultures (business, countries, generations). You are usually focused on the first one and often forget the latest! No matter where are the security positions in a chart. Today, we must deal with new jobs (see table 1) and roles putting culture at the heart of the transformation. In particular, 3 generations are working together in our companies today … with very different understanding of digital and … risk management!
A Platform based Organization should replace “boxes and hierarchies” with a “network of platforms[1]”. What are the platforms? Let’s make a few proposals.
SCOPE: SECURITY / PRIVACY / SAFETY
With digital trends and disruptions, organizations have to face new challenges which are not (only) related to increasing threats and regulations or security requirements from clients. You have to be more agile and cost effective. You also have to manage Digital Risks including business processes and Cloud Services at the heart of it and (Cyber) Security and Privacy as the 2 faces of the same medal. We must now deal with Digital Security including (Cyber) Security, Privacy and Safety, IT, OT and IoT, Governance and Education, Regulation and Compliance, Technologies and Solutions.
A platform based Digital Security Organization should rely on the following three key “responsibility” domains to provide stakeholders with the best accountability system
- ASSESSMENT: RISK / MATURITY / COSTS
Something that cannot be measured does not exist. In terms of Cybersecurity, professionals must be focused on Risk (of course!), Maturity (and not security!) and Costs (consistently with risks and maturity). You cannot measure security since it is like a “feeling”. But you can assess the resources (people, tools, services) used to feel (or be) secure and safe. Maturity assessment can rely on standards and questionnaires but workshops are the most efficient way to share data and validate what is really implemented or missing. Assessing risks and costs is still a challenge from a financial perspective. But professionals must keep on improving their practices and investigate cyber insurance (if not done).
A Platform based Digital Security Organization should rely on these 3 key “assessment” domains to provide stakeholders with the best insights on risks, maturity and expenditures.
2. IMPLEMENTATION: STRATEGY / PROTECTION / MONITORING
This could be the easiest part but interfaces are not easy to manage. In particular, the design part (architecture, technology selection) is very closed to protection and monitoring but it is a strategic issue too. In addition, incident / crisis management and forensics are a key aspect of “monitoring services” but they are closed to business and decision making process. We can define 12 key roles to manage globally and efficiently digital risks (see table).
A platform based Digital Security Organization should rely on these 3 “management” categories and 12 roles to provide stakeholders with best and the cost effective “insourced / outsourced” balance.
3. POWERS: CLIENTS / PROVIDERS / (INTER) NATIONAL BODIES
Digital is a “game without frontiers”. All companies (public and private) are “clients” for IT and security providers. But they also provide (more and more) digital services to their clients (B2B or B2C) that must be secured and trusted!
A Platform based Digital Security Organization should rely on these 3 “power” categories to establish strong and trusted relationships for instance to discuss regulations and standards, to share information on threats and incidents, etc.
CONCLUSION: MOVE FORWARD PROFESSIONALISATION
Digital security is the new era of IT + Information + Cyber Security. This domain is still brand new (started in the 90s) and must develop professionalization throughout disruptive models.
We need more professionals and more skilled experts everywhere on the planet. Training and education remains a big challenge. But being global, strong, agile and efficient is a key issue too.
Should a Platform based Digital Security Organization help?
What we are sure of: Advantage is still to the attacker.
[1] A platform is a “structure” independent service that groups a community of people / professionals providing a single and specific service to its clients (internal or external to the organization).