Contributed by V3 Cybersecurity
The past twenty years in cybersecurity have been an incredible study in the hyper-growth and evolution of an industry. We can attribute much of this forced evolution to increasingly sophisticated threat actors, vendor expedience in getting to market, and media coverage highlighting popular brands’ shortcomings in protecting client data. Had we not publicly shared the experience of threat evolution from DDoS to ransomware and the public shaming of Target, one could argue that the cybersecurity industry would have followed a more traditional course of evolution.
During this period, technology has evolved from non-stateful network-layer firewalls as the primary control to today’s container-based application-layer controls, and everything in between. Operationally, we have gone from health and availability monitoring to User Behavior Analytics and predictive control methods using enterprise Security Information and Event Management (SIEM) technology. Incident response has effectively evolved into its own sub-industry with a focus on forensics, threat hunting, and response readiness.
Despite these advancements, hyper-growth has left equally important areas of cybersecurity struggling to keep up. The most notable is the cybersecurity skills gap, which continues to be a focus of the industry as it tries to meet market demand. To narrow the focus, the lack of skills and experience in the Chief Information Security Officer (CISO) role is creating an unrealized blind spot for many security programs. Even the most tenured CISOs are being challenged by the increasing demands of the role and the needs of their stakeholders. Let’s explore some of the areas where the CISOs we have spoken with are challenged as the threat landscape and technology continue to evolve at a record pace.
Understanding the effectiveness of a security program and communicating its security posture clearly is one of the most challenging issues that CISOs face today. This capability is critical when securing resources, aligning security with the organization’s risk profile, and showing due care on behalf of the organization in the event of a compromise. CISOs look to consulting firms for maturity benchmarking, conferences for peer interaction, and vendors to help understand and develop their vision. These sources, while valuable, have significant flaws and inherent bias, yet they continue to be the primary sources for communication with cybersecurity program stakeholders regarding the security posture of the organization.
The need to effectively communicate the context of cybersecurity programs is further supported by the National Association of Corporate Directors (NACD)’s “2019 Governance Outlook,” which specifically called out the need for boards to appropriately review the effectiveness of their organizations’ cybersecurity management programs. Knowing the level of organizational integration between regulatory requirements and cybersecurity threats landed these two issues in the top three trends concerning boards in 2019.
The good news is that there are innovative companies focused on using technology to assist cybersecurity leaders in solving their most complex problems. “In the past twenty years leading and consulting cybersecurity organizations, communicating the business context and demonstrating due care has placed CISOs in an isolated and vulnerable position. We intend to address this issue and provide a platform that provides unparalleled transparency with live dynamic benchmarking against commonly accepted cybersecurity standards and frameworks. Our goal is to help CISOs move toward a fully integrated cybersecurity program in which security becomes a responsibility of the organizational leadership, board, and industry,” said Jorge Conde-Berrocal, CEO of V3 Cybersecurity, Inc.
The Minerva platform by V3 Cybersecurity, Inc. is positioned to disrupt the maturity assessment segment of the cybersecurity industry. The platform provides a subscription-based vehicle for dynamic and live visibility into the maturity of cybersecurity programs using accepted standards like NIST CSF, NIST 800-53, and ISO27001. The platform dynamically updates the industry benchmarks with each new client on the platform. The Maturity Engine provides the ability to take snapshots, which allows maturity to be communicated over time. Additionally, the platform allows for ad hoc benchmarking based on CISO input in order to address current program maturity elements independent of the selected standards.
“Our Research and Development team examined the maturity assessment business model and found numerous issues with the approaches used by consulting firms. These include assessment fatigue, interviewer bias, response distance, currency, and consultative captivity,” continued Jorge. The current business model reflects an agency-focused approach to a market-driven requirement. It is easy to understand why the general sentiment among the CISOs we discussed this topic with was that assessments remain a costly and necessary evil in the management of their security programs.
“The need for holistic and integrated security is the North Star for most organizations; however, we continue to see organizations struggle with adopting and managing fully integrated security programs. The need for integration and visibility into the various elements of a security program are required for effective leadership today,” says Rootstrap, Inc. CEO David Jarrett. Rootstrap, Inc. is a Los Angeles-based development firm focused on secure code and product development.
Despite the challenges with the current assessment business models, assessments and benchmarking remain a critical pillar in the ability to demonstrate due care. This places CISOs in a difficult position between the required use of costly consultants for assessments and the lack of demonstrable evidence of organizational progress. Given the choice between poor options, CISOs continue to hire consultants to provide some level of assurance to the organization that they are exercising due care.
This new breed of security company is focused on helping leaders manage the business of security while helping the organization’s stakeholders understand the liability and risk associated with their collective cybersecurity decisions. The ability to provide business context is the next evolution for cybersecurity programs and leaders. With the tools and intelligence being developed to address issues like benchmarking, stakeholder buy-in, organizational goal alignment, and incident exposure valuation, the cybersecurity leaders of tomorrow will no longer be isolated and viewed as hurdles for the business. Tomorrow’s leaders will be seen as expert communicators and educators of the implications and risks associated with decisions made by the organization.
CISO MAG does not evaluate the advertised product, service, or company, nor any of the claims made by the advertisement. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.