In the most basic sense, cyber security is the practice of protecting information on interconnected computers. Yet it’s easy for organizations to become overwhelmed by the technical minutiae. Usually this happens when they get bogged down in the seemingly random ‘stuff’ they think their cyber security program requires and stuck in a ‘stop all bad things at all costs mentality’.
The problem is almost always a disproportionate emphasis on tactics over strategy. We often hear comments like, “that’s what we’ve always done”, “a vendor recommended it” or, “we heard it was best practice.” And when that crops up, it almost always underscores a lack of context.
While it’s true that implementing and overseeing an effective cyber security program requires specialization and expertise – organizational leaders can still play a pivotal role in steering the direction, goals and culture. In most cases that simply requires stepping back and embracing a shift in perspective.
Controls Focus
Whether they’re worried about compliance, trying to meet regulatory obligations or simply don’t know any different, this is the ‘stuff’ that most leaders find themselves caught up in.
It’s also what’s likely to come to mind when most early-stage organizations think of cyber security.
Controls are the policies, procedures, hardware and software intended to protect an organization against potential threats. They’re useful for detecting incidents, responding to incidents and recovering from breaches. They’re certainly important. But what they don’t reveal is precisely what each control is doing, how it’s protecting the business and how well it’s functioning.
Threats Focus
If there’s one focus to view cyber security through, this would be the most useful. When you understand your threats, the vulnerabilities in your environment and the risk that results, it’s significantly easier to take a calculated approach to protecting your information.
Sometimes a specific control, such as a firewall, is the best way to offset a threat. But in this case, the organization can leverage that control in a calculated and common-sense manner. They know what the limits of the control are, what threats it will and won’t help against.
Process Focus
Cyber security is fluid. New threats emerge all the time. The functionality and effectiveness of existing controls wanes over time. Behaviours shift. A process focus embraces a culture of constant improvement and drives toward program maturity.
Some process-driven questions include: Do existing controls function as intended? Do organizational processes and procedures effectively support the control? What has changed in the business or risk environment to shift our threat exposure?
A Balanced Approach
A business-oriented cyber security program requires the right mix of all three focuses. The goal of leadership is to move the company from any one section of the Venn diagram above toward the middle.
There will be times when the organization needs to shift in one direction or another (i.e. heavy controls focus to achieve compliance in a narrow timeframe). But when an organization is aware of their focus at any given time, it’s easier to recognize the skew and emphasize a threat or process focus to bring things back into balance.