{"id":17471,"date":"2020-01-17T00:00:47","date_gmt":"2020-01-17T08:00:47","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/17\/news-11206\/"},"modified":"2020-01-17T00:00:47","modified_gmt":"2020-01-17T08:00:47","slug":"news-11206","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/17\/news-11206\/","title":{"rendered":"Changing the monolith\u2014Part 2: Whose support do you need?"},"content":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Thu, 16 Jan 2020 18:00:28 +0000<\/strong><\/p>\n<p>In <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/01\/09\/changing-the-monolith-part-1-building-alliances-for-a-secure-culture\/\" target=\"_blank\" rel=\"noopener\">Changing the monolith\u2014Part 1: Building alliances for a secure culture<\/a>, I explored how security leaders can build alliances and why a commitment to change must be signaled from the top. But whose support should you recruit in the first place? In Part 2, I address considerations for the cybersecurity team itself, the organization\u2019s business leaders, and the employees whose buy-in is critical.<\/p>\n<h3>Build the right cybersecurity team<\/h3>\n<p>It could be debated that the concept of a \u201cdeep generalist\u201d is an oxymoron. The analogy I frequently find myself making is that you would never ask a dermatologist to perform a hip replacement. A hip replacement is best left to an orthopedic surgeon who has many hours of hands-on experience performing hip replacements. 
This does not lessen the importance of the dermatologist, who can quickly identify and treat potentially lethal diseases such as skin cancer.<\/p>\n<p>Similarly, not every cybersecurity and privacy professional has deep expertise in every subject, such as <a href=\"https:\/\/medium.com\/microsoft-cybersecurity\/governing-the-modern-cyber-security-landscape-5c787b50d2ff\" target=\"_blank\" rel=\"noopener\">governance<\/a>, technology, law, organizational dynamics, and <a href=\"https:\/\/medium.com\/microsoft-cybersecurity\/humans-of-cybersecurity-the-future-is-a-boardroom-with-more-security-aware-business-eafbe504c54\" target=\"_blank\" rel=\"noopener\">emotional intelligence<\/a>. No person is born a specialist.<\/p>\n<p>If you are looking for someone who is excellent at threat prevention, detection, and incident response, <strong>hire someone who specializes in those specific tasks and has demonstrated experience and competency<\/strong>. Likewise, be cautious about promoting cybersecurity architects to the role of <a href=\"https:\/\/medium.com\/microsoft-cybersecurity\/in-defense-of-the-chief-information-scapegoat-officer-9c2b4d8b234\" target=\"_blank\" rel=\"noopener\">Chief Information Security Officer (CISO)<\/a> if they have not demonstrated strategic leadership with the social aptitude to connect with other senior leaders in the organization. 
<a href=\"https:\/\/medium.com\/microsoft-cybersecurity\/what-we-lose-without-a-vision-1a08238dadb8\" target=\"_blank\" rel=\"noopener\">CISOs, after all, are not technology champions as much as they are business leaders<\/a>.<\/p>\n<h3>Keep business leaders in the conversation<\/h3>\n<p>Leaders can enhance their organizations\u2019 security stance by sending a top-down message across all business units that \u201csecurity begins with me.\u201d One way to send this message is to <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/01\/31\/ciso-series-talking-cybersecurity-with-the-board-of-directors\/\" target=\"_blank\" rel=\"noopener\"><strong>regularly brief the executive team and the board on cybersecurity and privacy risks<\/strong><\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-Monolith-Part-2-1.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90467 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-Monolith-Part-2-1.png\" alt=\"Image of three coworkers working at a desk in an office.\" width=\"2000\" height=\"1333\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-Monolith-Part-2-1.png 2000w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-Monolith-Part-2-1-300x200.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-Monolith-Part-2-1-768x512.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-Monolith-Part-2-1-1024x682.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-Monolith-Part-2-1-293x195.png 293w\" sizes=\"auto, (max-width: 2000px) 100vw, 2000px\" \/><\/a><\/p>\n<p><em>Keep business leaders accountable for 
security.<\/em><\/p>\n<p>These should not be product status reports, but briefings on key performance indicators (KPIs) of risk. Business leaders must make clear what the organization considers to be its top risks.<\/p>\n<p>Here are three ways to guide these conversations:<\/p>\n<ol>\n<li><strong>Evaluate the existing cyber-incident response plan within the context of the overall organization\u2019s business continuity plan. <\/strong>Elevate cyber-incident response plans to account for major outages, severe weather, civil unrest, and epidemics\u2014which all place similar, if not identical, stresses on the business. Ask leadership what they believe the \u201ccrown jewels\u201d to be, so you can <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/05\/09\/safeguard-sensitive-data-microsoft-365\/\" target=\"_blank\" rel=\"noopener\">prioritize your approach to data protection<\/a>. The team responsible for identifying the \u201ccrown jewels\u201d should include senior management from the lines of business and administrative functions.<\/li>\n<li><strong>Review the cybersecurity budget with a business case and a strategy in mind. <\/strong>Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cybersecurity budgets tied to what looks like a \u201cgood fit\u201d for the organization is recommended.<\/li>\n<li><strong>Reevaluate cyber insurance on an annual basis and revisit its use and requirements for the organization.<\/strong> Ensure that it\u2019s effective against attacks that could be considered <em>\u201cacts of war,\u201d <\/em>which might otherwise not be covered by the organization\u2019s policy. 
Review your policy and ask: What happens if the threat actor were a nation state aiming for another nation state, placing your organization in the crossfire?<\/li>\n<\/ol>\n<h3>Gain buy-in through a frictionless user experience<\/h3>\n<p>\u201c<a href=\"https:\/\/info.microsoft.com\/Shadow-IT-Webinar.html\" target=\"_blank\" rel=\"noopener\">Shadow IT<\/a>\u201d is a persistent problem <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/04\/15\/discover-manage-shadow-it-with-microsoft-365\/\" target=\"_blank\" rel=\"noopener\">when there is no sanctioned way for users to collaborate with the outside world<\/a>. Similarly, users save and hoard emails when an overly zealous data retention policy deletes their mail after 30 days.<\/p>\n<p>Digital transformation introduces a sea change in how cybersecurity is implemented. It\u2019s paramount to provide the user with the most <em>frictionless user experience <\/em>available, adopting <em>mobile-first, cloud-first philosophies<\/em>.<\/p>\n<p>Ignoring the user experience in your change implementation plan will only lead users to identify clever ways to circumvent frustrating security controls. <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/05\/09\/safeguard-sensitive-data-microsoft-365\/\" target=\"_blank\" rel=\"noopener\">Look for ways to prioritize the user experience even while meeting security and compliance goals<\/a>.<\/p>\n<h3>Incremental change versus tearing off the band-aid<\/h3>\n<p>Imagine slowly replacing the interior and exterior components of your existing vehicle one by one until you have a \u201cnew\u201d car. It doesn\u2019t make sense: You still have to drive the car, even while the replacements are being performed!<\/p>\n<p>Similarly, I\u2019ve seen organizations take this approach in implementing change, attempting to create a modern workplace over a long period of time. 
However, this drags out complex, multi-platform headaches for months and years, leading to user confusion, loss of confidence in IT, and lost productivity. You wouldn\u2019t \u201cpurchase\u201d a new car this way; why take this approach for your organization?<\/p>\n<p>Rather than mixing old parts with new parts, you would save money, shop time, and operational (and emotional) complexity by simply trading in your old car for a new one.<\/p>\n<p>Fewer organizations take this alternative approach of \u201ctearing off the band-aid.\u201d If the user experience is frictionless, more efficient, and enhances the ease of data protection, an organization\u2019s highly motivated employee base will adapt much more easily.<\/p>\n<h3>Stay tuned and stay updated<\/h3>\n<p>Stay tuned for more! In my next installments, I will cover the topics of process and technology, respectively, and their role in changing the security monolith. Technology on its own solves nothing. What good are building supplies and tools without a blueprint? Process is the orchestration of the effort, and is necessary to enhance an organization\u2019s cybersecurity, privacy, compliance, and productivity.<\/p>\n<p>In the meantime, bookmark the\u00a0<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a>\u00a0to keep up with our expert coverage on security matters. 
Also, follow us at\u00a0<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a>\u00a0for the latest news and updates on cybersecurity.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/01\/16\/changing-the-monolith-part-2-whose-support-do-you-need\/\">Changing the monolith\u2014Part 2: Whose support do you need?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Thu, 16 Jan 2020 18:00:28 +0000<\/strong><\/p>\n<p>Transformation can be a daunting task. In this series, I explore how change is possible when addressing the components of people, process, and technology that make up the organization.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/01\/16\/changing-the-monolith-part-2-whose-support-do-you-need\/\">Changing the monolith\u2014Part 2: Whose support do you need?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft 
Security<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[12534,4500],"class_list":["post-17471","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-compliance","tag-cybersecurity"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17471"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17471\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17471"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}