Is Your Cyber Team Trying To Own Too Much?

Opinionated Security
CISO & Cyber Leaders
5 min read · Jan 27, 2020

A great thread on Twitter recently asked, “what would be the first 3 things you’d do if a company hires you to help them improve their security?” Obviously, there were a lot of thoughtful responses and perspectives, and many great potential work items for cyber teams were included.

Some of the top 3 things that Twitter users suggested a cyber leader should do first included the following:

  • asset management
  • patching
  • network segmentation and documentation
  • backups
  • data classification

All of these are relevant to the infosec conversation and worth considering. While all are sound, I’m not sure that they answer the specific question of what the cyber leader should do.

What didn’t appear to be clear to a lot of participants in the thread is that, in most organizations, cyber security teams don’t (and shouldn’t) own any of these. We may govern the outcome of some of these, consume the output of others, and coordinate so that we benefit from still others, but owning and driving these business processes ourselves? I don’t think so.

Let’s face it. Cyber leaders like to own things. However, trying to own every process that needs to be secured isn’t a high-probability path to success.

Wait. What?!?

Organizations are built on business processes. Every business process has a business process owner. The owner may be clearly designated, or de facto and unaware of their ownership, but there is always an owner.

We, as cyber practitioners, want to do a good job and can set ourselves up for failure by trying to own (or actually owning) too much. By “too much”, I mean “processes that aren’t ours to own.”

We’ve confused “ownership” in many cases with some closely related but very different terms such as the following:

  • delegation
  • governance
  • consumption
  • beneficial outcomes

Let’s take an organization that uses Active Directory and has separate information security and IAM functions. Who is the likely owner of access control? I’m sure that 90% of readers are thinking, “that’s an odd question; IAM owns access control because they own AD”.

But AD isn’t a business process, it’s a tool. It’s a tool that models the organization in terms of people management. So, if you think about it, a case can (and should) be made that HR owns access control as part of its people-management responsibilities, and that access control is a responsibility delegated to IAM. The IAM team then performs day-to-day management of privileges as an extension of HR’s people-management process.

In my organization, infosec both has a governance function for IAM and is a heavy consumer of IAM-delegated access control information. We don’t “own” access control from a business perspective.

Another counter-example would be a cyber team that believes it “owns” asset management. It’s a broad business process that includes plenty of non-security-related activities like issuing hardware to users, tagging equipment, and maintaining systems.

There are huge swaths of the asset management process, data classification, and the rest that have nothing to do with cyber security. Does the cyber team really want to own these processes? Of course not. Cyber teams want to be sure of things like the hardware and application inventory being current. In other words, they want to consume high-quality, high-fidelity information about assets and their current state. In this case, the team is likely confusing its need to consume asset inventory information with “ownership”.

If you want to formally own a business process, you’ll have to own the entire business process, not just the part that your team needs to consume. If a business process is assigned to your team because people have confused the technical security controls with the much larger business process requirements (PCI DSS is a common example), the cyber team needs to be sure that enough resources are explicitly assigned and budgeted to own the entire business process.

A cyber team, regardless of size, has enough work to do with the few business processes that we do actually own. Infosec teams usually don’t have enough resources even for the processes that we legitimately own. There really is no sense in trying to own more, especially when the incremental requirements are unfunded.

The wise cyber leader scopes their work to match the resources that they’ve been given. As much as we, as cyber practitioners, want to own those other processes, we don’t…and shouldn’t. We can do any of the following to still get what we need:

  • help other teams understand and prioritize work from which the larger organization’s security would benefit
  • provide input to other teams to more clearly define requirements and identify existing maturity gaps that prevent security from getting full value from whatever needs to be consumed across the two teams

A scalable and effective approach to turning broken processes into security wins is to sharpen the focus on defining standards and engaging with the true business process owner. This moves the business under the umbrella of the security program while scaling the execution of security requirements to the rightful owner. Infosec might be an internal “consultant” to the rightful business process owner, or it may be a consumer of the outcome of the business process.

To successfully consume information, cyber teams will have to define the information they need, as well as the standards and desired quality of that information that will meet security’s needs. They’ll also need to identify the rightful business process owner. Once that owner is identified, the path to scaling security is through engagement with them to achieve the outcomes that we want.

Cyber teams will have to develop skills that ensure high-quality outcomes with the actual business process owner: executive communications, negotiation, storytelling, and goal setting. These aren’t skills traditionally associated with cyber security, but they are essential for helping business process owners manage changes and drive those changes into the DNA of the business process. Senior cyber leaders need a lot more than incident response, application security, or red team skills to make a cyber program successful.

There will be times when the infosec team isn’t getting what it needs from the business process. If the true business process owner isn’t adequately staffed to properly perform the process they own, the cyber team should communicate this shortfall, and its impact on security, to the executive team and risk committee. Imagine the power of that communication to the executive team when the cyber security team lobbies for resources on behalf of a business process owner. There is goodwill all around and everyone wins.

Everyone has their job to do. Stretching a cyber team’s resources to make up for another team’s shortfall or lack of focus isn’t a path to success. So, if you are trying to improve an organization’s security, leverage the business owners to help you accomplish your goals. That doesn’t mean that you need to own everything you need changed.

Scale your cyber resources every way that you can.

That’s the path to security.

I’m currently a CISO who believes that marketing content trying to sell products and services has replaced real thought leadership that comes from senior cyber leaders actually in the arena and owning their programs. For more insights into how cyber leaders can best enable the business they protect and build rock-solid cyber programs, please follow me on Twitter at @opinionatedsec1

Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development