Aristotle once postulated “horror vacui” (nature abhors a vacuum). His idea was that empty or unfilled spaces are unnatural as they go against the laws of nature and physics. Interestingly, this applies to information security strategy as well.
The Role of a Chief Information Security Officer
Arguably the most fundamental role of a Chief Information Security Officer (CISO) is to establish, and continually evolve, a strategy to effectively manage information-related risk in a manner that is consistent with management’s expectations and in accordance with relevant legal and contractual obligations.
One might expect that an organization without a CISO would lack a strategy. But nature prevents this from happening, most frequently in one of two ways;
- No strategy is in itself a strategy… it’s just a bad one.
- Your cyber security strategy is shaped/defined by your most trusted information technology suppliers.
An information security strategy is a set of guidelines created to reach a specific business goal. Without a coherent strategy, a small business has no roadmap to follow when making critical decisions on purchasing, implementing and operating IT systems in a manner consistent with effective risk management. Needless to say, the consequences of not having a comprehensive information strategy will eventually be severe.
Technically, having “no strategy” isn’t really possible, because “strategy” by definition is having well-defined guidelines that are leveraged to make effective decisions. “No strategy” is thus actually a non-coherent strategy that is defined by each decision.
IT Vendor Defined Strategy
Good IT vendors and partners are integral to the design, implementation, operation, and maintenance of our computing infrastructure. With security features being an integral part of all IT solutions, and most IT solutions vendors also building and selling information security products and solutions, it is next to inevitable that your IT vendor(s) will shape your information security strategy.
Ideally, your information security strategy defines the requirements that drive your IT purchasing decisions, which then shape your security implementation strategy. Far from ideal is your IT vendor defining your security strategy based on the products that they have available to sell to you.
Benefits of a vCISO Strategy
Pivot Point Security just started working in a vCISO role with a 100-person “insurance company.” During our onboarding, we spend some time looking at ongoing and proposed/budgeted projects that impact information security. If there isn’t a defined strategy, the strategy can clearly be inferred from ongoing and planned projects.
In this particular case, the project plan was essentially a SOW for the implementation of a number of security products from a nationally recognized IT service provider. For the most part, the planned projects in our vCISO strategy were reasonable and appropriate to the organization and its risk profile—with one notable exception, a proposed co-sourced SIEM tool.
The tool and service proposed was an industry-leading tool, it just wasn’t appropriate to this particular organization’s requirements and capacity to effectively operationalize it. At a cost of nearly $14,000 per month, it also felt like a million-dollar corral for a $10,000 horse.
During the onboarding, we also determined that the organization was not aware of a recent state information security law that mandated a number of information security controls of note that they needed to implement within the next year. We shifted the co-sourced SIEM tool to a simpler model that fully met the requirements, saving almost $10,000 per month. About half of that savings was repurposed to address the new regulations.
IT vendors defining security strategy is remarkably common. Unfortunately, them filling this empty space is fraught with challenges that can have a significant impact on your organization’s security posture and bottom line. Caveat emptor.