Have you noticed that technology seems to follow a predictable cycle of decentralization, then centralization, then back to decentralization, and on it goes? The data/cyber security function within companies appears to be in, or heading into, a decentralization cycle.
Many executives are frustrated with the state of security, partly because the technology that businesses rely upon is engineered in a way that makes things inherently insecure. In the headwinds of this challenge, brilliant people and companies have figured out ways to defend corporate data and intellectual property, although the costs and complexity are quite high, and the results are increasingly anemic. Small companies can’t afford adequate defenses. But just as Stanley McChrystal teaches us in his book titled Team of Teams, we need to find a way to adapt to an enemy that is out-maneuvering us, or else things will just get worse.
Todd Barnum, the CISO at GoPro, adapted long ago. As I listened to him speak for a second time recently at a meeting with 30 IT executives, I believe his model is the best example of “the CISO of the future”. He calls himself an outlier and a statistical anomaly in the security space, because he has adapted his approach to the security problem in such a way that puts security decisions in the hands of business executives and fully engages every single employee. Todd’s adaptation is mostly around human behavior and the psychology of what motivates people to cooperate versus what causes an organization to reject what the CISO is trying to accomplish. If you get a chance to listen to Todd speak, there’s a good chance he’ll make you rethink the approach to security.
Here’s a fact that might cause you to think about the need to adapt your security program: Mandiant, Symantec and Verizon generally agree that the majority of the breaches incurred by US companies are the direct result of an employee being tricked via an email. Email is the number one threat. If you are a CISO, how much of your budget and your time is dedicated to teaching employees to be harder to trick? Basic security hardware, software, and capabilities certainly need to be in place, but the number one threat isn’t addressed with expensive tools. Todd Barnum at GoPro made this point rather emphatically.
Also, consider this: a big security team at most companies will usually conform to a ratio of somewhere around one security employee for every 500 employees at a company. No matter how much technology you buy, one person worrying about security for 500 people is not going to make a company safe. If you are a CISO, you need all employees contributing to making the company safe.
CISOs can develop communities within their organizations to share accountability and responsibility for security in ways that are cooperative and effective. Those CISOs who get business executives involved in the security of the data and systems they are custodians of will find they can get the help they need to manage security effectively.