It may seem clear-cut that organizations should have a security plan in place, but the reality is that many don’t. 

When we talk about protecting an organization, we are typically looking at its risk exposure.  If we do not have a first-rate way to identify and quantify the risk, then it is exceedingly difficult to say whether the organization is secure or not. 

And if you have not defined the components needed to drive your security program, then it makes things even more difficult because security becomes an ad hoc activity.  Organizations end up buying tools when they do not even have a good understanding of what their needs are. 

CISOs need to know first the organization’s goals to start building a plan.  If an organization is not looking into digital transformation and is going to stay in a data center that it owns, then its cybersecurity plan must be built accordingly.  Requirements will be based on that strategic planning. 

If the organization wants to move away from being its own service provider and wants to outsource applications, then the CISO will have to meet a separate set of requirements.  Before considering specific tools, a CISO needs to define what the security program needs to make the organization successful and secure.

Immature organizations typically look at tactical-level things or even lower.  As they start making and implementing decisions, they face having to backtrack, having spent a considerable amount of money on tools that have a considerable number of resources tied to them.  This happens because these companies have not defined their needs ahead of time.  If you cannot even appraise what your security posture is at your endpoints, then what are you going to do, for example, with a service that provides threat intelligence from the dark web? 

The importance of understanding the goals and plans of an organization is therefore paramount.  Only then can you put in all the building blocks and prioritize what would have the highest impact on coverage and protection – because let’s face it, the smaller the organization, the fewer the resources it will be able to provide.

When you come into an organization that has a hodgepodge of different things, none of them really well coordinated or delivering outcomes from investment, then you need to pause until you stabilize the security program, and make sure the organization is protected as well as possible with what you have. Only then can you start looking at areas where you can improve and mature.  And all the while, you’re evangelizing the organization on the importance of structuring a good security program that will drive all initiatives and investments going forward.

It’s at this point that you can become an organization that can be measured and can show that it is sustainable, with repeatable processes.

Most important, it’s then that you become an organization that really supports and manages the organization’s risk.

While on this journey, it is important not to let yourself become overwhelmed by all the deficiencies you see.  Ground yourself in the fact that things are not where they need to be and be cognizant that the organization may not be ready to make the changes that are necessary.  It may not even be capable of understanding what its security posture is. 

Smaller organizations may not have caught up with how AI is making attacks much easier.  They are now in more dire shape because their risk has increased exponentially.  It is our job to encourage them to look at the situation comprehensively and programmatically – so that, with the limited resources they have, they can put forward something solid.  It is particularly important to help them realize the value of taking the right approach as opposed to advising them to put in another tool.