If you’re a CISO grappling with security integration – which is the polite term for “how do I make this mass of stuff we’ve acquired work together and how do I plug the holes?” – then you probably heard about the industry’s move toward standardization and breathed a sigh of relief.
The Open Cybersecurity Schema Framework (OCSF), a common data standard for cybersecurity information sharing launched in August by an industry consortium of leading tech and security companies, sounds like the solution we’ve been waiting for.
And it will be – when it starts to deliver. The consortium has the right goal: enable better communication among the elements of the security suite – which in turn should help close gaps between applications and make the whole system more resilient and responsive.
The problem is that the move toward standardization will take time to pay off. And in my conversations with CISOs, what I’m hearing is: despite economic uncertainty, digital transformation continues to drive a strong and immediate need for security and resiliency investments now.
So, in light of Cybersecurity Awareness Month and the importance of this topic, let’s discuss what we do in the meantime.
My answer: Clean house.
The heart of the problem is not a lack of standards but too much stuff
We’re grappling with a balkanized structure of tools that don’t connect. How did that happen?
It’s not as though security professionals meant this to happen – and that’s sort of the point. So first, it helps to understand how we got to this cluttered situation.
Most organizations’ solutions are disconnected precisely because, as security professionals, we’ve seen a boom in offerings in recent years but haven’t approached them strategically. In the day-to-day reality of corporate security, the security team responded to crises and met the terms of each regulatory or compliance demand – and did so, in each situation, by acquiring the least expensive, most narrowly defined solution possible. Or they got the solution as part of a bundle, and it may or may not have been implemented. Either way, the security stack is too commonly the result of a series of such decisions, made under pressure and often without the CISO’s involvement.
It’s for those reasons that organizations now find themselves with a complex patchwork of tools that don’t connect or are too niche. And there’s a drastic shortage of people trained to use them. It’s the security equivalent of a house cluttered with nice appliances we bought that are now piled up. Do we really need that Cuisinart, the one we never use? On the other hand, we don’t seem to have a complete set of knives.
The kitchen metaphor makes light of the problem, but the consequences are serious – holes and blind spots pose real, imminent threats to the heart of our businesses. Leaders are all too aware of the problem and are acknowledging their liability at the board level. Eighty-eight percent of boards now see cybersecurity more as a business risk than a technology risk, according to a Gartner survey. In other words, ad hoc solutions have created a strategic problem.
Standardization is the long-term solution. The OCSF is cause for celebration. It validates the problem, and it sets the course toward better interoperability, better control, and fewer gaps.
But in the present, we still have a house cluttered with appliances. We need to clean it out.
To put security on a sound footing, rationalize, streamline – and throw out the chaff
Now is the time to look critically inward, evaluate our security-buying habits and make the strongest case to change them. That means auditing the current security stack, identifying gaps and the redundancies, and then creating a go-forward plan that includes a resolution to stop buying so much or so tactically, and a methodical series of course-correction steps.
And as we keep an eye on economic uncertainty around the globe – something I know many of us have lived through before – we can use this time to find the breathing room to analyze and make these improvements. We need to integrate our remaining tools and identify strategic outcomes that are linked to the organization’s growth plan.
With the security suite rationalized and strengthened, we will be in a vastly better place when standards take shape.
The future is one of escalating threats. Meet them with a streamlined stack
So, my advice is: don’t wait for standardization. Act now. Work hard – and work smart – to put the security house in order. You’ll be ready to reap the future benefits of standardization, and to make sure your company is buttoned up, buttoned down and well protected against escalating threats as they arrive.