Wednesday, November 13, 2019

Rethinking Gaps In Cyber Security Programs


Think about cyber in business terms for a second. A description of a cyber security program without a clear statement of program gaps is like a balance sheet without a liabilities statement. 




And yet, somehow, gaps seem to be an often minimized part of our conversations with executives. 


Perhaps as cyber leaders, we choose to avoid hard conversations about program gaps because we want to be positive. Maybe we avoid them because we have some level of fear of executive reaction to hearing about gaps in the cyber security program in the context of past investments. 


But the gaps are there regardless of whether we talk about them or not. 


The irony is that a cyber program's gaps and their business impacts are the currency that business leaders tend to understand most. A business leader would be loath to fund something without understanding liabilities. The liabilities in any cyber program are the gaps. 


There is little mystery as to why we aren't supported with enough resources if we are unable to frame gaps in compelling business terms. 


How did we get here? Somewhere lost in the cyber industry noise is that every cyber security program has gaps, regardless of funding. 


Things that the program doesn’t do well.

Things that the program hasn’t scaled.

Things that the program doesn’t do at all.

Things that have shifted in the threat landscape.


Even though every cyber security program has them, gaps have somehow gained a negative connotation in the cyber realm. It's as if we believe that we can be 100% secure. 

Let's label gaps differently.


Gaps are the foundation of your priorities,

the internal change necessary in your own program,

the connective tissue from which cyber leaders will build their roadmap,

the fodder for the truth aching to be shared with executives. 


Gaps can’t be completely resourced away. You can receive all of the funding and resources that you need for next year and your program will still have gaps and areas for improvement. Perhaps a different list, but still gaps. Set expectations accordingly.


Talking about gaps isn't some learned skill. Gaps are statements of fact, just like liabilities.  But you’ll have to identify them, name them, and describe their impact. Talk about them.

Making gaps compelling takes a little more practice. 


Do it right and today’s gaps can be tomorrow’s strengths.


Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.

