Last year, I wrote about the Verizon Payment Security Report, saying it was “Not Just for PCI.” Verizon liked that post enough to include its introduction in this year’s version. This recognition was a wonderful surprise. Like last year’s report, the 2020 publication goes well beyond PCI in its information and recommendations.
While PCI DSS forms the foundation of these reports and informs their content, the guidance is broadly applicable, and they could easily be rebranded as “data security” reports. I hope everyone responsible for data security takes the opportunity to not only read this year’s report but to also download the reports from prior years. Each report builds on the previous foundations, and the 2020 report provides an overall success strategy for CISOs and information security leaders.
2020’s Theme: Strategy
The 2018 and 2019 reports had decidedly tactical viewpoints, ‘how-to’ guidance describing the nine factors of control effectiveness, the five constraints, and the four lines of assurance. These concepts help build a long-term approach to data security maturity.
In 2020, the focus is on the CISO and using these tools to take a long-term, sustainable approach to data security. That forward-looking vision requires strategy in order to be successful, and strategy is hard work. Fortunately, there is deep and rich guidance in the Payment Security Report (PSR) for both new and experienced cybersecurity strategists.
Rather than go into detail on specific sections of the report (and there are a lot, including strategic management traps, business modeling, and security strategy), I’ll discuss three main ideas that stood out to me.
Shift from Technology to People
Security teams are having to manage more security solutions all the time. According to the 2020 PSR, “most organizations manage a multivendor environment with between 20 and 70 different IT security products for monitoring and detection” (pg. 21). That’s a substantial cognitive load for any team, especially one continually struggling with the skills gap. While companies are actively trying to consolidate vendors and solutions, that consolidation also has a cost in real dollars, project time, and learning new ways to operate.
Tools will often ‘check the box’ for compliance without providing any additional security or risk management value. The reason is that even though these products automate security controls that would be difficult or impossible to perform manually, they do not operate by themselves. It takes time and expertise to deploy, tune, and manage them, to act on the information they provide, and to confirm that the technology is actually delivering the desired protection. With so many tools to manage, the value of automation is lost as analysts spend their time managing technology rather than risk.
What does this mean when developing a security strategy? To start, when considering the short- and long-term goals, incorporate a people-focused approach. This means shifting dollars and time to investing in developing the skills of the security team and possibly looking to augment them with additional staff or outsourcing. Create expertise in one or two areas that improve the business model, business objectives, and security goals for the near and intermediate future. Building strength in fewer areas will be more advantageous than adding more tools. This will create a foundation upon which to grow year-over-year.
Balance Strategic Work against Immediate Tactical Needs
“Firefighting” is part of any IT work, and that includes security. Addressing the immediate issues confronting a security team is a critical need and cannot be neglected. However, space also needs to be made for strategic planning in order to implement the projects that will help advance long-term security goals and reduce firefighting.
Balancing strategic and tactical work isn’t unique to cybersecurity, though it may be a larger area of growth for a CISO than for other business disciplines. Almost 60% of Fortune 100 CISOs came from IT and IT security (Digital Guardian, as referenced in the PSR, pg. 22). That doesn’t mean a lack of strategic mindset, though the focus and incentives in IT often tend to be on tactical execution rather than long-term strategic planning. Further hindering a CISO’s success with long-term planning is the short average tenure of someone in that position. For example, 80% of those Fortune 100 CISOs have been in their current position for less than five years (Digital Guardian as above; PSR, pg. 29).