Driving True Empowerment for Security Teams

Driving True Empowerment for Security Teams
Author: Ed Moyle, CISSP
Date Published: 1 June 2020

Traditional wisdom tells us that organizational commitment is important to the practice of security. Meaning, for an organization to establish and maintain a robust security posture, the organization needs to have what COBIT refers to as the right “tone at the top” – in this case, one that engenders and facilitates security.

This is perhaps an obvious truism, but one on which part 2 of ISACA’s 2020 State of Cybersecurity report sheds new light. As many will remember, for the past few years ISACA has presented the annual State of Cybersecurity from the point of view of two “domains”: domain one (outlined in part 1 of the report) that outlines the state of the profession from a resource viewpoint, highlighting trends around staff, budget, skills, and organization – and domain two (outlined in part 2 of the report) that focuses on the threat landscape, countermeasures, and practices employed in organizations.

Both are interesting, of course, but this year new insights came to light that relate to how these two “domains” inter-relate – notably, how the staffing and organization of security teams impact outcomes. There are two data points that I think it is useful to draw your attention to because together they can teach us an important lesson that can sometimes be easy to overlook and difficult to demonstrate empirically.

Insights
The first observation I’ll draw your attention to comes from looking at the impacts of staffing challenges.  Specifically, what happens when organizations can’t or don’t hire the right security staff? It would stand to reason that performance of a security program would be degraded in some way when staffing challenges are present. After all, this is true of any other task we’d undertake. For example, if I want to bake bread and fail to add enough of a critical ingredient, I’m bound to wind up with less than an ideal outcome.

It’s no surprise then that outcomes would be less than optimal in organizations that have demonstrable staffing challenges. And in fact, we can see correlation in the data. This year, data from the survey suggest that volume of attacks experienced by the organization appears to correlate with reduced ability to hire. Organizations that took longer to hire had more attacks than those that didn’t; those that took the least time to hire had the fewest attacks, while those that were unable to fill open positions had the most of all groups.

The second insight I’ll draw your attention to is the impact that reporting structure has on the program – specifically, where in the organization the security function reports correlates with confidence in the effectiveness of security in that organization. The most confident organizations were those where the security function reports into a dedicated individual: the CISO. Other models, for example, where the security function reported into the CFO, CIO, board, or even the CEO, had comparatively reduced confidence relative to those where security reports into a dedicated, C-Suite position.

Accountability and Commitment
These are two interesting insights, but there are some caveats. The first is that they appear to correlate, but we don’t know that either implies a causal relationship. It is tempting to fall into the logical fallacy of assuming causation from correlation (“cum hoc ergo propter hoc”). It could be that there’s direct causation – or it could be instead that there is some tertiary factor (unmeasured in the report) that is responsible for the correlation.

The second caveat is that the mechanisms are unknown, meaning, the data doesn’t tell us why these correlations exist. Looking at staffing for example, it could be that inability to hire staff makes control failures more likely, or it could be that reduced staff allow vulnerabilities to be introduced at a greater rate. It could even work in the opposite way than we think. For example, it could be that staffing challenges favor automated approaches to security tasks (including monitoring), which in turn make certain attacks more visible. Is that probable? No. But it’s possible – and since we don’t know what the mechanism is, we can’t rule it out.

Despite these caveats, the data are a useful jumping-off point for analysis and hypothesis. In particular, I think they’re interesting as a reminder about something that we’ve known all along but that can sometimes be easy to let slip (specifically, accountability and organizational commitment for security as I mentioned at the beginning).

Look at the first data point for example: hiring challenges. What is causing these challenges? In many organizations, I’d argue it’s organizational commitment. To demonstrate, as a thought experiment, consider how difficult you think it’d be to fill an open security positions if you both pay 10x the industry average and dedicate a team of HR specialists to actively recruit for that one position. Barring an extremely anomalous set of circumstances, chances are good you’d be able to fill that pretty quickly, right? Therefore, it’s possible that hiring ability is in some ways a proxy for how these positions are prioritized – in other words, they’re tied to organizational commitment.

Likewise, where the security function reports can be a proxy for accountability. In all the other reporting structures the survey asked about (i.e. security reports into CEO, CIO, CFO, Board), the organization is clearly committed to some degree. But there’s only one situation where a single, accountable, C-suite executive is dedicated to security: the CISO reporting structure. In that case, you have someone accountable to make sure that security tasks are completed – and you have their entire focus on that.

The point of all this is that accountability and organizational commitment matter to security. We assume it to be true from the traditional wisdom, and I think we have empirical evidence of it through the insights in this year’s survey. More examination in future years’ surveys would be required to establish it (and would probably involve asking a few additional questions), but in the meantime, it can be sufficient material for us to self-examine to ensure that our organizations have the appropriate commitment and assign an accountable owner for security.