Recently, Tenable Network Security, with research conducted by CyberEdge Group, announced some surprising results from their annual 2017 Tenable Network Security Global Cybersecurity Assurance Report Card. Tenable surveyed 700 security practitioners from nine countries and seven industry verticals to assess the overall confidence levels of information security professionals in detecting and mitigating organizational cyber risk. The biggest takeaway from the report is the overall confidence levels score of 70% (a C- grade), a drop of six points from the year before, reflecting the frustration IT security professionals are facing from the challenges of assessing and mitigating cyber risks across a constantly evolving threat landscape.
Going from impact to solution
Despite the feeling that no amount of defense may ever fully stem the rising tide, moving back into a realm of cybersecurity confidence is possible for most organizations. The key is to bridge the gap between common cybersecurity maturity models and organizational development concepts like Stage Theory.
Stemming from the health and education industry sectors, Stage Theory is the idea that organizations pass through a series of stages as they change. The integration and growth of cybersecurity within organizations must become part of that evolution. According to Stage Theory, adoption of an innovation follows four steps, and strategies for promoting changes can be matched to points in that process.
The four steps within Stage Theory are:
- Develop an awareness of a problem and plan possible solution innovations.
- Make a decision to adopt an innovation.
- Implement the innovation, which includes redefining it, and modifying organizational structures to accommodate it.
- Finally, fully institutionalize the innovation, making it part of the organization's ongoing activities.
Cybersecurity Capability Maturity Model
Cybersecurity maturity models, on the other hand, are a little more tactical and granular than organizational theories. The Cybersecurity Capability Maturity Model (CCMM) provides an introduction to the key activities organizations must implement within their IT security program from the perspective of three main areas: process and analytics, integrated governance, and enabling technology. It also includes three levels of maturity for each activity: limited, progressing or optimizing.
Although the CCMM provides valuable information, actually executing this model requires extensive and sustained, top-down executive sponsorship and support, as well as an organization willing to commit to the legwork of combining organizational theory with maturity modeling.
Committing to this approach means pairing different leaders, or "change agents," within the organization, who assume leading roles during different stages, with the establishment and execution of cybersecurity processes, procedures and technologies. It also requires that leaders understand that the strategies their organization uses depend on its stage of change, and on whether the social environment surrounding cybersecurity is supportive or obstructive.
Bridging the gap between security teams and business leaders
The result of properly committing to this approach can move an organization from a philosophy in which cybersecurity is something companies begrudgingly do, to one in which cybersecurity is part of the culture. This marriage of practices can also move IT security groups out of a relaxed, ad-hoc or subservient role and into a centralized and universal function, much like marketing, human resources, operations or finance are today. This approach can also be valuable in giving CISOs the opportunity to report directly to the CEO, as opposed to a CISO reporting to one of the CTOs, who in turn reports to a CIO under the COO.
Cybersecurity must become part of the culture
Finally, with this shift in understanding, organizations can move from elementary, disparate or poorly implemented technologies to an enterprise IT security technology architecture capable of producing actionable intelligence, real-time analysis, predictive modeling and stronger cybersecurity confidence. Any organization that does this will find its confidence rising well above C level in the next Tenable Network Security Global Cybersecurity Assurance Report Card, and will have the skills to back up that newfound confidence.