While many of us that worked in IT know, this is not an uncommon reality. Businesses take a downturn and outcomes the “peanut butter knife” with finance about to spread the budget cuts evenly across all departments without much regard for longer-term implications. Within IT, of course, this becomes even more of a complex problem.
Going Public With Financial News Also Draws More Attention From Hacker Community
Hackers and cyber criminals also read the news. They know which organizations have financial setbacks. Many hacker groups will even approach social engineering to see if anyone in IT or SecOps knows if any layoffs are coming. If an organization announced any change in financial condition, an increase in attack vectors, coordinated attacks again their systems, and cybersecurity attacks against their employees should be expected.
Cost of Breach Could Be Greater Than The Expected Cost Savings
IBM’s annual Cost of a Data Breach study revealed a single data breach could cost a company up to $3.29 million, a 12 percent increase from the cost of violations from the previous year. That $3.29, even with cyber insurance, is still a significant hit to the organization’s bottom line. The CISO should be the ultimate authority when reducing cybersecurity operations, personnel, and budgets. If the CEO requires a 20% reduction across the whole organization, reducing security only puts the company at risk for a breach that could make far more financially impactful than a drop in sales.
When considering the cost of a breach for a moment, the need for a transformation model makes more sense than we realize.
Technology Producers and Corporate Consumers
As a technology sales professional for almost 26 years, the fastest way to close a deal is to find a way to attach your product or service to a group within the client’s organization with the need, budget, and relevancy. Will your solution solve their business problem while staying with the budget allocated for the specific project? Is this project top of mind with the CIO equality to the business group requesting your solution? What is the risk to the corporate consumer if the platform has several potential vulnerabilities and exploits? Does the technology producer have the needed resources to sustain operational technology expectations even during budget cuts?
In simple terms, we define the business group as the “consumer” of the technology and IT as the “producer.” One group consumes the technology while the other one is the enabler. A company with 4000 employees needs centralized content management, a supply chain portal, and a sales/commission system. IT is working with technology providers to develop and enable the consumers to leverage the platform to solve their business needs.
Based on the CEO/CIO dialog, if the company has mandated a reduction of its expenses and headcount, then reducing the number of licenses by 20% would meet this budget reduction requirement.
How does information security fit into the producer/consumer model? In some cases, yes, information security does fit into this in several ways:
- a. Number of consumers requiring multi-factor authentication for Zero-trust access
- b. The number of endpoints required to have EDR/XDR security
- c. The number of users required to receive patch and service pack updates
- d. Number of endpoints that require backup for compliance
These areas of information security align well with the 20% reduction requirement.
However, what about the rest of the information security capabilities? This provokes the dialog about redefining information security as a utility for the corporation and not a member of the IT department begins to make more sense.
Information Security as a Utility
IT and building maintenance focus on ensuring everything is working and ready for use, whether the HVAC system or network infrastructure. Similar to facilities, when a corporation decides to locate its new office in a new city, facilities work with the leaders to define the size of the business, power/cooling requirement, and the number of parking spots. Etc.
Once the faculty is completed, IT learns the data center size, the number of employees, the expected amount of power/cooling and network drops, and WIFI expectations. Once the network teams with APP Dev deploy the network, other elements, including information security, begin to enable their solutions.
Moving Information Security Into Its Department
Following the same business model for a moment as facilities, information security teams, separate from IT, layout the same parameters ahead of IT to ensure all critical infrastructure systems, including the network, applications, and users, meet corporate security standards well ahead of any deployment from the technology producer group.
Examples of Information Security Utility Modeling
- Information Security sets specific mandates around how the network needs to be built to compile with ISO 27001, PCI-DSS, NIST-800, Fedramp, etc.
- Information Security mandates network containment, VLAN, and routing approved protocols.
- Information Security mandates that EDR/XDR endpoint security needs to be deployed before any end-user consumption.
- Information Security mandates all rules and processes around all remote access before any services have been enabled.
- Information Security delivers its utility layer services in line with network and applications teams.
The new Information security standalone department model aligns well with organizations that have embraced the DevOps model. Information security becomes a traveler across several scrums through product development. Information security brings its approved frameworks into the various sprints to help ensure governance and compliance are built into the fabric.
While this line of thinking isn’t new, the idea of an equal Chief information security officer and Chief information officer corporate alignment even when it comes to budgets and cross-charging models helps remove information security from classic budget cuts and reductions. Even with headcount and cost-cutting, the organization must maintain the highest protection.
How Threat Modeling Becomes The Audit and Governance
Organizations that successfully have moved information security to a separate department can now leverage threat modeling as the unified auditing and compliance workstream. With every sprint within the agile model, an element of threat modeling includes:
- Point-in-time pen testing
- Continuous vulnerability scanning
- Updating the composite risk scoring
- Set the prioritization of remediation, along with automated retesting
Separation of duties between SecOps, NetSecOps, and DevOps is achieved and supported by the threat modeling audit and compliance workflow.
Culture of Security
While many in business still believe that “sales run the company” or “engineering and product run this place.” Getting hit with a significant cybersecurity event will have a significant impact on sales and product confidence. Cybersecurity arguable “should be the companies top priority.”
In the new world, we live in, cybersecurity is the brand of the company, the culture, and the saving grace of the data. The information security department and the C-level position should be equal to other C-levels, not a footnote on the budget line item.