Back in the 1990s, it made perfect sense for security to be an IT function. Corporate networks had a hard perimeter, firewalls were the foundation of IT Security, Kevin Mitnick was the face of corporate hacking, and corporate owned laptops – and Palm Pilots – were a status symbol. These days, enterprise-computing environments are global, borderless, fully mobile, and extremely complex. Despite all this change, the cyber security function has yet to scale and evolve accordingly.
With record breaking breaches occurring on a regular basis it’s clear that corporate cyber security requires a major overhaul. The good news is that the needed changes do not require magic fairy dust or genie lamps. They require the confidence and willingness to re-engineer corporate organizational charts and business processes to account for how quickly enterprise computing environments – and the threat landscape – have evolved. And a great first step towards modernizing corporate cyber security is to consider “divorcing” it from IT.
Modern day IT organizations are primarily service-oriented, tasked with managing and maintaining the infrastructure and technology resources workers rely on to do their jobs. As such, the mindset of IT operations is all about time and productivity: The time it takes to resolve and close a ticket, the time and cost of delivering and maintaining applications and other resources quickly and reliably, and ensuring end-user satisfaction.
Today’s threat landscape requires security professionals to adopt a post-breach mindset and assume their organization has already been compromised. Security professionals must adopt the mindset of a detective, never taking anything at face value, looking for links between malicious events and intent behind seemingly innocent ones, in order to solve a crime that has already occurred. If security teams continue to operate in a culture dominated by the IT mindset, they will be more likely to miss important clues and hinder the ability to detect cyber-attacks,
Too often, when Security reports to IT, we find the IT mentality interferes with security processes and priorities. These days, there is little to no common ground between keeping IT systems up and running for authorized users and monitoring them for signs of compromise by smart, stealthy criminals. Identifying and securing an already compromised system requires the capability to differentiate malicious activity from normal behavior, and hackers are very good at making their activity look normal. The only way to find them is through a combination of new technologies and human judgment.
Being a subdivision of the IT department makes security blind to important business processes and to decision making at the corporate and department level. For example, security teams often don’t have visibility into planning processes in HR, Marketing, and R&D departments, making them, at best, late to know about technologies that are being deployed and project sunder development, and at worst, blind to the risks that already exist.
Even on their own home ground - the IT department - security rarely gets to review investments early enough. Being late for the game, security teams have no other choice than acting as showstoppers to reduce risk. Bringing security in earlier to the planning stage will enable them to identify and mitigate IT risk pre-deployment, transforming security from “the folks who say no,” to those who enable the business to move forward with minimal risk.
Today’s security pros are no longer sentries guarding clear, digital borders – they are risk managers and strategists. As such, it makes sense for them to sit outside of IT and be involved in strategic planning. Ideally they would be affiliated with those functions that oversee and manage business risk and report into the CFO or CEO (or both). The only way the security team can foresee information security risks across the entire organization is to have full visibility into all enterprise risk vectors, including those the organization has little to no control over (e.g. cloud service providers, business partners, customers, etc.).
With barely a week passing without a data breach making headlines, business leaders are finally paying attention to cyber security. Many organizations have recently started inviting CISOs to boardroom discussions. But this is only the start of making security the priority it should be. Organizations must be willing to integrate security to every aspect of operations in order to better address the complexity of today’s cyber threats.
