I had an opportunity to speak to the ISSA Nashville Group a few weeks back about "Trends in Automating Cybersecurity Management". I wanted to share some of my thoughts from the event.
As we have been speaking with CIOs and IT Leaders, one of the interesting trends related to cybersecurity is the goal of being "security focused" versus being "compliance focused". There are many regulatory frameworks available that provide organizations a recipe for creating a compliance framework. Apptega, in fact, has a growing list of these frameworks to choose from within our product. However, if an organization is doing the exercise purely in the spirit of compliance, it runs the risk of developing a "check the box" mentality: what is the minimum we have to do to get the auditors out the door with our regulatory attestation completed?
The problem with this "Compliance First" approach is that it doesn't build a sound security culture that is embraced by the entire organization. Borrowing a phrase from Hillary Clinton, "It Takes A Village"...to build a sound cybersecurity posture. To combat this behavior, there has to be a "tone set from the top" approach to the company culture that is focused on strong security and compliance. No longer is security just the job of a compliance professional. Everyone in the organization has to take ownership of behaviors that represent sound security practice. This ranges from end users being trained and educated on the latest Phishing schemes, to HR practicing sound Hiring and Background Screening, to people monitoring the physical security of their locations and following the "See Something Say Something" philosophy with regard to unusual behavior.
As organizations are designing, managing and reporting on their cybersecurity posture, there are some key changes that we are seeing. First, the era of Web 2.0 and the Consumerization of IT are having an impact on the systems people want to use to manage their programs. No longer are users willing to accept complex, overly burdensome solutions to help them address their operational goals. Users expect products that follow clean and easy-to-navigate design elements without requiring extensive training and support. Gone are the days of people being shipped off to a week of training to learn how to navigate complex solutions.
Think back to the "It Takes a Village to Build a Sound Cybersecurity Posture" narrative: if you are going to ask users from across the organization to participate in reporting and taking ownership of components of your program, you had better make it easy for them to engage in the tool you are going to use to manage the process.