Here’s a scenario we’ve all encountered: You go to a nice restaurant to enjoy a meal and the whole experience turns sour. The service is terrible, your entrée arrives before your salad, and your food is overcooked and virtually inedible.
When you explain all of these issues with the restaurant manager, she apologizes and proceeds to respond with her own problems—a waiter quit, the cook called in sick that day making it difficult to keep up with business, and several big parties disrupted workflow in the kitchen.
Yes, you may be sympathetic, but these issues really aren’t your problem. You want to enjoy a good meal and you are willing to pay good money for fine dining so that’s what you expected. You really don’t care about the restaurant’s internal problems and you absolutely don’t want them to interfere with your experience.
So why am I writing about this culinary conundrum? Unfortunately, my dining experience example has a fair amount in common with the way enterprises manage cybersecurity. In too many cases, internal organizational walls, problems, and legacy baggage actually interfere with the efficacy of security defenses as well as security operations efficiency.
The internal friction I’m referring manifests itself in several ways as cybersecurity best practices are interrupted by:
- Organizational turf battles. Security teams are often seen as counterproductive to application development, networking, and IT operations teams. Security and networking teams debate about which network security technologies to buy and where network security controls should reside. The infosec and applications development teams each own little pieces of identity and access management (IAM) and don’t collaborate enough on an end-to-end strategy. Security teams inform IT operations about vulnerabilities but have little say about when and how to address them. Yup, disparate IT groups adhere to infosec requirements but may want carte blanche with regard to selecting their own tools, prioritizing activities, and balancing security needs against their own objectives. When this happens, cybersecurity best practices morph from a requirement to a discretionary chore and IT risk escalates.
- Security budget horse trading. Security is about addressing risk across the organization. Alternatively, the cybersecurity budgeting process translates organizational risk into budget dollars that are then distributed into various technology group buckets. This causes problems when security needs cross organizational lines. For example, preventing, detecting, and responding to modern malware threats demands cross-functional cooperative solutions that encompass endpoints, networks, security analytics, and threat intelligence. Because of legacy budgeting processes however, too many companies address anti-malware on an a la carte basis. This is clearly a sub-optimal approach at best.
- Risky shadow IT. Security vulnerabilities cascade every time business managers make IT decisions on their own—without the right level of cybersecurity consultation and oversight. This happened over the past few years with IT initiatives like server virtualization, BYOD, and cloud computing. When IT initiatives are thrown over the proverbial wall and the security team is forced to play catch-up, everyone is at risk.
This situation is akin to some of the contributing factors leading to the 9/11 attacks; namely the lack of cooperation between various law enforcement and intelligence agencies. To break down these walls, President Bush created the Department of Homeland Security (DHS), established threat intelligence centers, and bolstered funding from cross department education, training, and communications.
I realize that cybersecurity isn’t national security and this IT situation is nothing new, but the fact remains that organizational intransigence makes organizations far more vulnerable to cyber-attacks. Like President Bush, CEOs should no longer tolerate the tired old excuse of, “that’s the way we’ve always done things around here.” Alternatively, CEOs, CIOs, and CISOs should aggressively identify areas where the organizational status quo is getting in the way of strong cybersecurity hygiene and tear down these legacy walls as soon as possible.
If you are like me, you really don’t care about a restaurant’s internal woes when your dining experience turns into a customer service nightmare. Similarly, regulators and customers won’t be very understanding when a devastating data breach could have been averted with a more holistic approach toward cybersecurity across budgets, processes, and the organization. Excuses are excuses.