Security operations · 3 MIN READ · BRETT WILSON · NOV 17, 2023 · TAGS: MDR
Effective security programs are never as simple as protecting critical systems from threats.
This is a guest post by Brett Wilson, Founder & Managing Partner of IOmergent
Imagine your CFO inquires about why cloud costs came in nearly double what the team projected last month. A threat actor exploited a common Kubernetes misconfiguration and launched crypto-mining operations in a cluster that was spun up to support a new application offering. An informal investigation gives way to a declared security incident and the associated costs. You’ve invested in controls and smart people, so how did this happen? At least your data was encrypted and incident responders found no evidence of exfiltration. A rush to launch the new application while your best DevOps resource was on personal leave is the best explanation.
In the case above, if you’re the kind of shop that works fast, accepts risks and relies on your ability to respond quickly, you have blind spots that prevent rapid detection and response. Alternately, if you’re the kind of shop that relies on good DevOps and code hygiene, you’re simply resource constrained. Both scenarios are indicative of information security being out of phase with business objectives and the company’s need to up its cybersecurity game.
It does not have to come to an incident like the one described above. Most companies reach multiple inflection points over time, when existing security measures no longer suffice. These can manifest in various ways, including increased threats and a higher likelihood of a security breach, evolving compliance regulations, or the simple expansion of the digital footprint. B2B companies can reach a tipping point simply under the effects of relentless pressure to demonstrate an acceptable level of security and earn customer trust. (We go into more detail on the role security audits play in this process here.)
Effective security requires an active, introspective, and continuously adapting approach. Threats constantly evolve, becoming more sophisticated every day, making it difficult for any company to keep up. Modern technology stacks change nearly as fast and rarely become less complex. What worked in the past (as recently as a few months ago—or weeks, even) may no longer be effective today, especially as companies grow.
So what are executive leaders to do? The answer can include adding new security tools, looking for outside help, adopting a new strategy, or bringing in a new chief information security officer (CISO). Even companies mature in other technology and operational areas might struggle when deciding what path to take on their security journey.
IOmergent advises its clients to ground security decision making in current and detailed understanding of business objectives. Only then can a company create or reshape a security program to support those objectives and deliver security capabilities that align with what the org hopes to achieve. For example, if a company is moving via revenue growth toward its objectives, it could mean making investments in advanced security capabilities and services that mitigate risk, support scale and remain sustainable through procedure, metrics and continuous evaluation.
To optimize security investments, leaders must know where their risks lie and understand their level of exposure. They must understand their current level of security maturity and prioritize closing gaps to minimize their risks. Thorough point-in-time assessments can help realign security with the business. However, ongoing leadership, measurement, and executive engagement are necessary to prevent security from once again falling out of phase with the business. Even when there is a strong CISO on the management team, a third party can bring independent perspective, benchmark similar organizations, and assist in facilitating clear-eyed discussions about budgets and planning.
If an org is not ready to hire an executive security leader, or had a CISO in the recent past who did not mesh with the culture, a fractional or interim security executive can help you design and run a sustainable security program that is aligned with your business strategy and risk tolerance. They can assume management of internal resources or bring experts with them to bridge and operate your program until your business is ready to hire a new full-time CISO.
We believe that effective security programs and strategies are about a lot more than simply protecting critical systems from threats. They also create business resilience and adaptability that can put the org in a stronger position to compete in its industry.
When this is done effectively, cybersecurity moves from being “good enough for right now,” to an enabler of growth, and by extension, success.
Visit IOmergent.com for more information about how to elevate your cybersecurity capabilities.
IOmergent is part of the Expel Partner Program. To learn more about the Expel Partner Program, or to become an Expel partner, visit the webpage.