Does Cybersecurity culture eat Cybersecurity strategy for breakfast?
Peter Drucker said, "Culture eats strategy for breakfast". This idea has since been adopted by many successful corporate leaders over the years, and many organizations use this as a competitive advantage in their business. My question to you is; Is this also applicable within the Cybersecurity space? Will a Cybersecurity team with a strong culture have a better chance to defend their organization than a team with a clear strategy?
If only life where that simple…
As always, there are no easy ways to success. Certainly, one can be “successful” (read ‘lucky’) in any given situation, and that single success can be attributed to almost anything. But over time, you will need several things to ensure that your Cybersecurity function has what it needs to defend your organization.
Here is my checklist for the foundation in building a successful Cybersecurity unit.
Your Cybersecurity strategy is what helps you make the right long-term decisions. Answer questions like; should we build our own Security Operations Center, or should we outsource? Should we consolidate, or can we manage/afford buying tools and services from different suppliers?
To avoid spending time and energy on defense efforts that don’t have the right output, your Cybersecurity unit needs an established method to guide their work. Threat Defense Lifecycle devides the work into four operational phases; Protect, Detect, Respond, Adapt. You need the ability to Protect your assets, Detect breaches, Respond to incidents, and Adapt to changes in the threat landscape.
A cybersecurity incident can have many different characteristics depending on the target and the drivers behind it. But one way of helping to understand an attack is The Cyber Kill Chain® (developed by Lockhead Martin). It is a framework that visualizes how a typical cyber-attack is executed. In each step of The Cyber Kill Chain you as a defender need both knowledge, tools, processes and focus to be able to brake the chain. Try to have all of the Abilities above in each step of the Kill Chain.
Your Cybersecurity staff will need different tools to give them all abilities necessary to address all phases of an attack. At the same time, the threat landscape is so extensive that it is impossible to depend on manual labor to defend your organization. You will need to build a Cybersecurity platform with solutions that integrate into each other and allow you to automate a big part of your day to day work. Needless to say, your platform must be able to detect new and previously unseen threats.
5. People and Culture
All of the above is fairly easy to realize compared to finding and keeping the right people. There is a great shortage of skilled personnel on the market and keeping the ones you find is key. Also, knowledge is perishable in Cybersecurity. It is therefore important that people have the time to continuously develop their skills in order to stay on top. Establish a culture that encourages people to be dedicated and engage with passion into their work. If people feel excitement and pride in what they do, you will benefit immensely when all hell breaks loose.
If you are one of the few fortunate that can combine the right People and Culture with Strategy, Tactics, Abilities and Tools within your security operations, you are better prepared than most organizations, and have a stronger position to realize your business objectives. Just remember this:
- There are no “silver bullets” to solve all your worries. The threat landscape is far too complex and the adversary to well financed for that.
- There are no “self-playing pianos”. All tools need some interaction and maintenance, and if they are not being cared for, they will be easy to outsmart.
- If you are a digitalized business, Cybersecurity is business critical. And if it is not seen that way, IT WILL FAIL!