One of the key trends I’ve noticed in cybersecurity over the years is the over-reliance on established practices without questioning whether they are still effective. When I work with organizations, I often encounter this resistance, particularly around the justification of “but we’ve always done it that way.”
As a Field CISO, one key aspect of my role is to align business objectives and initiatives with new innovations in data resilience and recovery. When met with this resistance, I often ask if “having always done it that way,” is a good justification to continue. It’s also useful to follow up and ask them why they began doing things that way in the first place. Interestingly, quite often the answer was that when they started, a former manager had instructed them to do it that way, and it was never questioned.
It’s an interesting conversation. There are certainly some cybersecurity procedures or processes that were optimal 10 years ago, but not necessarily today. Often, they’d maintain the ‘status-quo’ due to increasing pressures, and shrinking budgets, which stifle innovation. Initially, there was defensiveness, but gradually, they started to see my point. The goal isn’t to be critical but to provoke thoughtful questions. It’s about challenging assumptions and re-evaluating the effectiveness of long-standing practices.
In my experience as a Field CISO, I’ve adopted a simple guiding principle: “How does this serve the business?” This has proven to be extremely powerful. For CISOs, it’s critical to question whether established practices are still serving the organization’s security needs. Cybersecurity is so far removed from other disciplines such as finance or law, where the core principles remain relatively stable. In cybersecurity, the field is so dynamic it is constantly evolving due to the ongoing battle between defensive and offensive strategies, and new emerging cyberthreats.
While core strategies may stay constant, tactics must adapt frequently. A critical question to ask as we assess our security posture is this: Are we truly being effective, or are we holding on to outdated practices? Are we proactive, or are we merely reactive? As you think about this, imagine it’s just you and me, having an honest conversation over coffee. Are you confident that your organization’s cybersecurity approach is genuinely effective? Would your team be ready if a breach happened today, or would a breach put jobs at risk?
Therefore, it’s essential to periodically go back to basics, even if it seems mundane or redundant. Recently, after a talk on Zero Trust I delivered, someone mentioned that Zero Trust covered basic concepts that they were already familiar with. I appreciated their feedback but responded by asking if their organization had fully implemented the practices I discussed. The person admitted they hadn’t.
Security Posture
Security isn’t an end state, it’s an ongoing, dynamic intention towards a posture that needs constant adjustment and refinement. In reality, 100% security doesn’t exist, so there is no end goal to be achieved. You could, theoretically, bury all the server infrastructure fifty feet underground, and encase it in cement to achieve complete security, but at what cost to the business? Security has always been a balancing act, between functionality and risk. So, we must continuously ask ourselves: What is the value and benefit? What is the risk and exposure, and is the benefit worth the risk?
For any cybersecurity initiative to succeed, organizations must establish and communicate a clear security posture. This involves defining acceptable levels of risk and consistently managing new risks and functionality. However, one of the biggest issues in cybersecurity today, is that many organizations lack a defined security posture. Executives often operate under a broken model where they have all the authority, while CISOs bear all the responsibility without corresponding decision-making power. This results in a scenario where business unit leaders can disregard security warnings to boost short-term gains, while CISOs are left accountable for the breaches.
With the introduction of NIS2 and DORA regulations in Europe, and new mandates coming in the United States and other parts of the world, non-technical executives and board members are increasingly being held accountable for the cybersecurity posture of their organizations. These regulations establish not only a financial and reputational risk but also criminal liability in some situations. This shift means that the ability to adapt, and maintain a posture of resilience must be a top priority. Resilience isn’t merely about recovery, it’s about building a culture that learns and evolves from every security event.
The capability of an organization to respond effectively hinges on having established and well-practiced procedures, making use of new technology innovations, thus, emphasizing the need to recover, learn, and adapt. This dynamic approach isn’t a ‘one-off’ exercise but an ongoing process. Processes should be continuously developed and adapted to align with both emerging threats and innovations. This adaptability ensures that as the strategic portfolio evolves, so does the security posture, maintaining relevance in a shifting landscape.
Integrating security posture with cyber resilience strategies is not only about protecting against breaches but also ensuring rapid recovery when an incident occurs. This alignment minimizes downtime, financial loss, and reputational damage, especially when faced with evolving threats like ransomware.
Risk Posture
I’m often asked, “So, where do we start?” and almost always I respond with risk posture.
Organizations must agree on a clear risk posture and make it known that decisions exceeding acceptable risk levels will be reported to executives. Initially, there will be resistance to this increased accountability, but over time, this approach will significantly improve decision-making and reduce security violations.
Once a risk posture is in place, the next step in improving security posture involves managing access, network movement, and privilege escalation. This requires adapting to new threats, such as the rise of AI-enhanced cyberattacks.
The key takeaway here is to frequently re-evaluate your security posture and challenge existing assumptions. Be honest about whether current practices are working, and explore simpler, more effective ways to implement security measures. Security is not an end-state to be achieved, but a continuous process of management and adaptation.
Final Thoughts
You may have heard the term security must be baked-in, not bolted-on. Integrating cybersecurity into every aspect of the organization’s operations is essential. Cybersecurity must be embedded within projects, processes, and strategic initiatives from the outset rather than being treated as an afterthought. This approach is often termed “cybersecurity by design” and is fundamental for building robust defenses. A parallel focus should be on educating the workforce, as human error remains one of the most exploited vulnerabilities.
A significant challenge arises with the increased outsourcing of applications to third parties, such as SaaS providers and cloud platforms. This shift complicates control over data, making it crucial to maintain stringent oversight and clear visibility into data handling and security practices across the supply chain.
It’s also important to understand the vendor landscape. Vendors are often at the forefront of technological innovation, and executives need to comprehend how these innovations impact business strategy and risk. There’s a reciprocal learning opportunity here. While vendors can gain insights into the real-world implications of their technology on business, organizations can draw from vendor expertise to better manage innovation. This fosters a partnership model, with the CISO playing a central role in ensuring that vendors align their innovations with the organization’s broader resilience and security strategy.
Also, as supply chain vulnerabilities continue to rise, it’s crucial to establish transparency and trust with third-party vendors. An effective security posture involves not just internal resilience but also maintaining continuous assessments and controls over the security practices of external partners and vendors.
Call to Action
If you are in a security leadership role, such as a CISO, now is the time to re-evaluate your organization’s risk posture, question established assumptions, and collaborate with your teams to forge a more resilient posture. The ability to proactively adapt and refine your strategies in this ever-evolving landscape will determine your organization’s strength in the face of uncertainty.
