Do the World’s Largest Firms Really Have Appalling Security?

Posted in CISO as a Service, Technology Angle Blog

Dr. Prescott Winter, former CIO and CTO of the NSA, makes that exact point in a recent keynote address and article. I had the unique pleasure of working with Dr. Winter at HP, where we collaborated to devise new techniques and capabilities that enable companies, large and small, to do a better job of defending themselves and protecting sensitive data.

Dr. Winter knows what he’s talking about when he gives the Fortune 100 companies a bad grade for security. The solution to the problem involves architecting the security program for speed and adaptability, utilizing best-of-breed tools, and essentially weaving security into the DNA of the work people do daily, so that the basic security activities are considered along with each change.

Together with Aaron Wilson, former security architect at HP, we discovered that while leveraging brilliant tools from vendors such as Splunk and HP is critically important, it’s only one of many levers that need to be used. Many companies have great people, buy great security products, and follow great frameworks, but they all still get hacked. The problem is so complex that you certainly need great people, frameworks and technology, but just as importantly you need to find a way to ensure your people are engaged and empowered to do the right things, easily. Security problems and the bad guys are continuing to adapt at an alarming rate; therefore, so must your security program and the way you approach the challenge.

There are pillars of the security foundation that always need to be in place, such as doing a great job of keeping track of assets, and keeping limited resources focused on protecting the highest-risk assets. The trick is enabling the security program to adapt around those pillars, and even reinvent itself as needed, in order to keep up with the speed of change.

In summary, here’s the problem. Companies seem to generally fall into one of two categories, both of which leave critical assets far too vulnerable. They either have anemic security programs incapable of dealing with today’s threats, or they have complexity disasters that prevent people from engaging with each other to do the basics really well. The CIOs and CISOs who can keep a sharp edge at cutting through the noise and confusion to do the following three things well will do a much better job of securing their company’s assets than those who don’t:

  1. Clarify the problem their companies need to solve.
  2. Use the wonderful capabilities available to them, including great people, frameworks and technologies.
  3. Find a way to simplify what people do so they actually have a chance of succeeding, and create a management capability across the organization that ensures people are working in harmony to do the basics well. This third item is the toughest of all to do consistently well.