One of the most over-used phrases in security organizations today is “enabling the business.” It looks great on mission statements and sounds good in meetings, but what does it really mean? Common answers usually center on “protecting information” and “responding to incidents.” But are the defensive actions of a security organization truly assisting the company with growth and productivity? How can security actually help the organization accomplish more work and subsequently add revenue?
Security Operations Centers (SOCs) provide businesses with the ability to see what’s going on in order to respond accordingly. SOC teams rely on the ability to learn skills and processes on the fly to meet expectations from stakeholders across the business and combat an ever-evolving, persistent cyber threat. One of the critical contributors to any SOC’s success is skill availability. While technical experts and vendors have done great work building cybersecurity solutions, a SOC is nothing without the right people.
The last week or so marks what I would describe as an unprecedented shift in the impact of cyber attacks with the Sony breach. I run from the constant fear, uncertainty and doubt (FUD) that gets circulated and recirculated by vendors and media outlets, but I see this attack, and more specifically its impact, as different for several reasons. The Sony attack is also a call to action for the government of the United States to get its act together on cyber security and DO something to help American businesses, large and small, better defend themselves.
When I was a CISO for a global defense company, I realized that a company of any significant size or complexity could never “do” security for itself. Why can’t big companies go it alone? Partly because of specific resources and expertise that are not resident in-house, and partly because of all the things that compete with delivering security, namely projects, politics, personalities, egos and all the other fun stuff that comes with being in a big company. Political correctness and all of the other impediments of a big company naturally get in the way of delivering actual security. Executives have pet projects that compete with core mission requirements, and day-to-day security falls behind.
All checked in @RSA 2013 here in San Francisco!
Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately it’s the wrong discussion.