One might think that the common problems in cyber security programs are that teams aren't resourced correctly and that the business doesn't support the cyber security program. That could be true, but maybe we've confused the symptoms of a broken program with the underlying root causes.
Some of those possible root causes?

Vague security goals and objectives.
Lack of understanding and consensus among executives.
Solutions before analysis.
Poor execution.
Stitched together, we get the following:

Non-committed leadership applying large amounts of money and resources to solutions before analysis, in order to poorly execute against vague security goals and objectives that lack understanding and consensus.
Does that sound like any security programs that you are familiar with? Based on various recent blog posts, podcasts, and conference topics, I'd guess that these might be common descriptions.
Can you blame organizations for not resourcing or supporting programs if this is true? When a security program is always flailing about, chasing the latest shiny thing or state-actor APT, less time and fewer resources are available to spend on the beautiful basics of cyber security. You know, the things that have a high likelihood of actually happening.
So dig deeper into your own program. Where can we bring more clarity? Where can we better define gaps? How can we build more consensus?

Perhaps, rather than complaining, we will find that we have more fundamental things to fix in cyber security first.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.