Cybersecurity Is The Glue Not A Chain

Any organization that wishes to understand and mature its defenses against cyber attacks must understand that cybersecurity is not a chain that tethers an organization; cybersecurity is glue that penetrates every pore in every crack of every surface within an organization. Cybersecurity must be transparent, equitable throughout an organization, and measurable, and it should not be used as a starting point for punitive action over incidents that arose from ignorance. People make mistakes and should not fear losing their job, title, or reputation for being human.
Transparency in cybersecurity means that all employees, contractors, and customers have readily available, easy access to current requirements, standards, and guidance; that cybersecurity is actively promoted through awareness campaigns; and that current threats and issues are known to everyone. Transparency does not mean that the fine details of investigations, response procedures, or operationally sensitive information are publicly available.
Equitable cybersecurity means all departments are held to the same standard. This does not mean that every department receives the same level of security. All departments must use the same information classifications, sensitivity levels, number of reviews (with commensurate complexity), and training, to name a few areas.
Cybersecurity must be measurable in all ways. This means developing metrics that clearly show the movement of security maturity over time as well as the day-to-day effectiveness of security operations. There are standard sets of ‘best practice’ metrics that can be used to build trend analyses, but often department- or organization-specific metrics must be defined and tracked.
Errors due to being human should be tracked and managed as part of the metrics portion of the security strategy, but they should not be used as a basis for punitive actions against employees or contractors. Successful tracking of security errors often requires disclosure of the error by the person who made it. If there is a steady rise in error rates, a root-cause analysis should be conducted to reduce the rate to an acceptable level. If people are afraid that reporting an error may end a career, there will be far less cooperation in error management. Errors happen and should be expected, and a blame-free self-reporting and reporting infrastructure should be created to manage issues. If errors are not transparently reported, or if employees are afraid of punitive actions, they may try to cover up a mistake, which can result in a major breach, substantial losses, collusion, and/or other issues.
