When speaking to companies about their cybersecurity I often begin by asking them where they are today and what challenges they know that they’re facing. In a 30 minute conversation it is not unusual for the customer to speak about their environment for the first 10 or 15 minutes about the items that they are confident in and then the conversation tends to slow down and often stop an uneasy silence. I then ask the unspoken question of “what keeps you up at night?” or “what do you not have that you know you should?” the conversation then becomes a little bit more about budget and priority and unfortunately everything does cost money and especially when The IT manager or CISO is working hard to undo their security tech debt, everything cannot be fixed all at once. This is where hope does become part of the strategy.
I get it! I think most people who’ve been in those shoes, get it. At this point I believe we all have to extend a measure of grace to the security professional in this position. I make sure they understand the gaps and have identified them and then attempt to help create a road map to close these gaps over the next 12 to 18 months but in the interim we are hoping they will not be hit by an attack. The challenge for this comes from executive management above the security professional. So many of these professionals have pointed out gaps and identified them clearly to the decision makers and in many cases have made the budgetary request to cover those identified gaps but the budget either isn’t there or there is an unwillingness to free up the money. Sadly after a successful attack these budgets are often released.
So how do we fix this? One way that I have been trying to assist these security professionals is by offering my services not just to them but to those decision makers above them that may not be savvy to the gap and how much that gap exposes them and more importantly increases corporate risk. Even if all we are doing is trying to accelerate the road map, this should serve the corporate need to protect itself and its reputation. As we transition cyber security away from just being an IT issue and make it a corporate risk issue, I believe these conversations will be easier for security professionals to do their job and protect their charges.