When Are We Done?

Dec. 9, 2024

Many years ago, I was deeply involved in consulting with a client who had just experienced a major security breach. This high-profile organization, with very sensitive data and a reputation to protect, was dragged through the gutter in the media frenzy that followed the disclosure. I became part of the “clean-up on Aisle 6 crew,” as we called ourselves.

This traumatic corporate event caused the client to take drastic action. One such result was opening the corporate purse strings for any cybersecurity technology and services. The CISO was asked to provide a list of everything he had ever hoped for, and it would be made manifest. I remember the day I saw the list.

Sam, the CISO, walked over to the desk I had been assigned.

“Here are all the products I purchased for our new corporate security stack.”

I let out a long, low whistle as I flipped through the pages. The total was somewhere north of $15 million.

“I need them all installed and operational this coming year.”

“I hate to be the one to break it to you, but that’s not going to happen - even if you fire me and find someone who promises to do it. Look, I’m just going to be candid. You can throw large sums of money at this problem, but the long pole in this tent is the human factor involved. You can replace your entire identity and access management schema, upgrade all your firewalls, implement a new governance, risk, and compliance platform, and build out a new security operations center. Still, your organization cannot simply absorb that much change in such a short time. Even if it was possible to have teams of vendor experts plugging boxes into your data center, the systems these new tools are replacing will need to be overhauled, new policies written, training developed and provided, and entire processes built and rebuilt. I’m seeing at least a five-year evolution on these pages. Your organization couldn’t begin to absorb these drastic changes in a year.”

He looked downcast.

“I guess I didn’t think of that.”

I offered him a cup of coffee. “It’s not really a technology problem nor a security team problem. You were breached by a process failure exacerbated by employees trying their best. Now, we need to build you a plan for maturing your entire cybersecurity program - a roadmap, so to speak.”

He stared into his coffee cup momentarily, then looked up and asked, “When will this be done? My bosses will surely want to know that. It will be hard to sell them on a five-year plan. Wouldn’t there be lots of changes along the way?”

“Not only will there be lots of changes,” I replied, “you may decide you need to scrap the whole plan a year or two into it and rewrite your entire roadmap. Technology changes, companies change, processes change, and don’t forget the employees. A five-year roadmap shows your leadership that you have thought this out strategically, even as you recognize it may require adaptation and perhaps even a complete revision before the end of that time. Your cybersecurity program will never be ‘done.’ Security is a journey, not a destination.”

“Well, how am I going to convince my bosses of that?” he asked.

“You know the situation here better than I do. I will be happy to support you in any way I can. But the onus is on you to explain your program and how you plan to spend all this money they are throwing at you. I know someone up the chain thought this investment in security could be taken as a one-time expense, but buying these products is only table stakes. The real investments will be in the processes and people.”

Sam thanked me for the coffee and got up to leave. “In case this meeting with my leadership doesn’t go so well, are you hiring?”

About the Author

John McCumber | Cybersecurity Consultant

John McCumber is a cybersecurity executive providing targeted guidance for industry and government initiatives. He also develops and delivers consultative support for CIOs/CISOs in cybersecurity, data management, privacy and analytics. He is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John served in the Defense Information Systems Agency and on the Joint Staff at the Pentagon as an Information Warfare Officer during the Persian Gulf War. John is a former Professorial Lecturer in Information Security at The George Washington University in Washington, DC, and is currently a technical editor and columnist for Security Technology Executive magazine and the author of the textbook Assessing and Managing Security Risk in IT Systems: A Structured Methodology. He is now semi-retired and living the good life with his wife near Ocala, Florida.