In 2014, ESG published a research report on network security. Cybersecurity professionals working at enterprise organizations (i.e., more than 1,000 employees) were asked to identify some of their biggest network security challenges. The data revealed that:
- 28% said that their organizations had too many overlapping controls and processes, which caused numerous problems.
- 27% said that their cybersecurity staff is too busy responding to alerts and events to spend enough time on training, planning, or network security strategy.
- 26% said that their organizations’ security policies are too complex to be enforced with current security processes or controls.
There is a common theme here. Network security challenges are really centered on operations rather than technology. Given this, I did a bit of research to see whether cybersecurity process issues resemble other operations problems and whether CISOs could learn anything from the groundbreaking work done in the 20th century by business operations guru W. Edwards Deming, sometimes referred to as the father of the quality revolution in manufacturing.
Sure enough, Deming’s body of work really does align with today’s common cybersecurity operations problems. Deming stated: “If you can’t describe what you are doing as a process, you don’t know what you are doing.” So if there are too many overlapping controls and processes, as described above, it is safe to assume that there is no standard operating procedure, and by Deming’s logic the cybersecurity team doesn’t know what it is doing.
Deming is also quoted as saying, “If you don’t know how to run an efficient operation, new machinery will just give you new problems with operations and maintenance. The sure way to increase productivity is to better administrate man and machine.” From a cybersecurity perspective, this means that adding new layers of defense or security analytics won’t help if the overall workflow and processes are haphazard or ineffective.
Of course, Deming didn’t just comment on operations problems; rather, he worked his entire life to fix them. To that end, Deming’s famous 14 points, originally presented in his 1982 book, Out of the Crisis, offer some guidance on operational improvements that can certainly be applied to cybersecurity. Here are a few of Deming’s points and my suggestions of how they can be applied to cybersecurity improvement:
- Create and communicate to all employees a statement of the aims and purposes of the company. CISOs can take this to heart by educating the entire organization about the roles and responsibilities of the cybersecurity team. Note that I’m not talking about cybersecurity training here, I’m talking about letting all employees know what cybersecurity means to the organization and how strong cybersecurity is everyone’s job.
- Work to constantly improve quality and productivity. CISOs should establish quality and productivity metrics for the entire cybersecurity team. To achieve and improve on these goals, CISOs must cheerlead, enlist the support of business management, and give the cybersecurity team the tools and training they need to succeed. Oh yeah, and they have to measure everything.
- Institute on-the-job training. This one is extremely important, since it can be nearly impossible to hire new cybersecurity talent. CISOs must provide opportunities for senior employees to continuously expand their cybersecurity knowledge base with the right training and incentives. Senior staff should also be called upon to mentor junior personnel.
- Strive to reduce inter-departmental conflict. Another big one, as the cybersecurity team is often at loggerheads with IT operations, business managers, and application developers. These walls need to come down to drive security into the IT infrastructure, business applications, and corporate culture.
- Adopt the new philosophy of the day; industries and economics are always changing. Boy, is this one spot on! The threat landscape is always changing, and new IT initiatives constantly expand the attack surface. Cybersecurity needs to avoid complacency and adapt constantly. CISOs must remind and educate business executives and IT peers as threats and tasks evolve and the cybersecurity strategy veers left and right to mitigate risk.
Deming’s philosophies depend upon honesty, integrity, and hard work, but as the good Doctor stated, “It is not enough to just do your best or work hard. You must know what to work on.” CISOs would be wise to take this advice to heart and truly assess and measure the effectiveness of their current cybersecurity people and processes before deploying any new “silver bullet” cybersecurity technology.