The rapidly changing and ever-evolving cyber security landscape has placed enormous amounts of pressure on the visionary CISO with long-term roadmaps, plans and investments.
With these changes within the cyber security threat landscape, it is of paramount importance that companies get fresh perspectives and insights on the cyber security threats their business faces and the potential opportunities to minimise their risk exposure.
Gone are the days of bedding down a three- to five-year plan, hoping that the cyber threats you’re trying to address today don’t change tomorrow. Change is constant in cyber security, and with it come challenges for teams trying to establish long-term focus and delivery.
Companies in regulated industries and larger businesses will typically invest in an internal team to actively manage the cyber risks with a chief information security officer (CISO) at the helm. The current incarnation of the CISO position has not really been in widespread use for very long and the role has radically changed over the years:
- Where they report within the organisation;
- What background and skills they possess;
- Their overall responsibilities; and
- The desired experience for which they are hired.
These attributes vary wildly from one CISO to the next. The traditional CISO role focuses on protecting company assets, including preserving reputation, preventing downtime, securing data and financial assets and ensuring regulatory compliance. However, some companies are also using the CISO role as an external marketing ambassador to fuel visibility. So, in today’s world, it is a mixed bag. Consequently, security teams are managed very differently and there is a major performance gap that needs to be addressed.
Consistency of security teams between companies is rare. There is no gold standard or template in use. This is partly by necessity, as every company is different, but mostly because the security industry is still in a state of flux: learning and adapting. Therefore, collective continuous improvement is spotty and difficult to transplant. Each organisation is going at it individually. Anyone who says otherwise either has not been around very long or is trying to sell you something.
MD at CyberSec Consultants, Nathan Desfontaines, says: “Having spent much of my career listening, helping and consulting to organisations who are frazzled by the challenges of cyber security, I have seen very few companies or governments that have a solid and realistic footing to manage cyber risks. The vast majority, no matter how big or profitable, do not. Underspending, overspending, poor investments, wasted opportunities, and most of all, a lack of focus on what matters most: identifying and sustainably achieving an optimal level of risk management that balances the costs, risks and usability for that enterprise.”
Herein lies the challenge. In order to have a sustainable cyber security risk management capability and strategy, i.e. one that is consistently effective over time, the security team must be forged and run in a way that is agile enough to adapt to changes in cyber threats, protect the legacy and ever-evolving technology employed by the organisation and its partners, comply with emerging digital regulations and, most importantly, meet the ambiguous and shifting expectations of management and shareholders. Achieving all of this makes it near impossible to execute a long-term cyber security strategy that effectively reduces the threats of tomorrow.
“The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn and relearn.” – Alvin Toffler
Suffice it to say, the illiterate of the 21st century will not be the CISO who cannot build or buy, but the CISO who cannot adapt, un-adapt and re-adapt.
CyberSec
CyberSec Consultants is a specialist advisory and solutions company made up of cyber security subject matter experts that assists organisations in identifying and minimising their cyber security risk.
- A Business-enabling, enterprise-wide information security competency based on…
- Controls that are “baked-into” every service offering, enabling the business to…
- Reduce organisational exposure to security threats and vulnerabilities and ensure…
- Compliance with applicable Legal and Regulatory requirements as well as…
- International best practice security standards, aimed at producing…
- Effective, independently validated controls delivered through…
- Fit-for-purpose and cost-effective security initiatives, that promote…
- Business ownership and stakeholder buy-in, creating confidence in…
- The ability to effectively respond to security incidents, ultimately leading to…
- Exceptional customer trust, and…
- Improved overall IT Governance
Web: www.cybersec.co.za
Phone: +27 (0) 10 140 6535
Email: info@cybersec.co.za
CyberSec Consultants – Being Part of The Solution