Friday, August 9, 2019

The Cyber Security Prioritization Mismatch

You’d think that all cyber professionals are cut from the same cloth. That they'd prioritize cyber security work in a similar way.






They don’t. That’s because there is no magic prioritization for cyber security. Risk management, defending the network, capability building, and regulatory requirements all need to be balanced and prioritized for a given organization.  


No single cloth to cut. Teams of unmatched fabric. 

The more a business is regulated, the more its cyber security prioritization is pre-determined. But easy arithmetic tells us that most organizations are lightly regulated. Or less.

So there is white space around prioritization for most organizations.  A white space potentially filled with significant differences of opinion about the plan forward.

The larger gaps are between startup execs and a newly hired, compliance-focused senior cyber leader. Or vice versa, with a startup CISO transferring to a highly regulated industry.

The result?

Some friction in aligning with business objectives and flexibly getting to a safe “yes.”

A lack of alignment that lengthens the learning curve and lessens effectiveness.

A potential mismatch.

 
The two-year point is where a security program should really start gaining traction. That said, I read someplace that senior security practitioners last an average of two years.

Two years invested in a cyber security program that isn’t aligned won’t be missed by other execs. Perhaps mismatched is all they’ve ever known. But you know that frequently starting the cyber plan over is likely not high on the CEO’s list of corporate priorities.
 

Our job is to find security practitioners who prioritize the things that are high on the CEO’s list. That will make the executive team pay attention.

A chance to build a legacy to staple to a resume. 

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1 
