CISOs must “think different”

Jon Oltsik

Remember the "Think Different" advertising campaign from Apple?  It ran from 1997 to 2000 and featured bigger-than-life personalities like Buckminster Fuller, Martin Luther King, and Pablo Picasso. 

The "Think Different" ads coincided with Steve Jobs's return to Apple and exemplify his somewhat contrarian and analytical mindset.  In a PBS interview, Jobs offered this philosophical insight about life:

"The minute that you understand that you can poke life and actually something will, you know if you push in, something will pop out the other side, that you can change it, you can mold it. That's maybe the most important thing. It's to shake off this erroneous notion that life is there and you're just gonna live in it, versus embrace it, change it, improve it, make your mark upon it.

I think that's very important and however you learn that, once you learn it, you'll want to change life and make it better, cause it's kind of messed up, in a lot of ways. Once you learn that, you'll never be the same again."

Jobs's playful observation about life is actually sage advice for CISOs circa 2014.  Since the early days of computer security, many cybersecurity practitioners have developed a set of aphorisms they live by like best-of-breed security products, an emphasis on endpoint and perimeter defenses, and an aversion toward automated enforcement.  Yes, these concepts are still worth considering but it's clear that cyber criminals have become adept at circumventing status quo ideals and defenses.

To paraphrase Steve Jobs, CISOs must 'shake off their erroneous notion that cybersecurity is there ... versus embrace it, change it, mold it, improve it, and make their mark upon it.'  This requires that they "think different" about:

1.  The security organization and processes.  Many security organizations today resemble a production line.  Security events and tasks roll down a conveyer belt while each security staff member performs their individual duties.  Unfortunately, this has led to a dependence on individuals, manual processes, specialized tools, and limited cooperation.  Rather than continue this inefficient cybersecurity churn, CISOs should instead seek out the lessons learned from "Lean Manufacturing" most closely associated with the Toyota Total Production System (TPS).  TPS really stressed a focus on process flow, teamwork, consensus building, and continuous improvement.  CISOs can use these concepts to improve workflow.  For example, the handoff between the security and IT operations team is often fraught with process issues, redundant tasks, and wasted time.  These bottlenecks must be identified and fixed. 

2.  Cybersecurity systems.  Here's another lesson from lean manufacturing - the whole is greater than the sum of its parts.  I actually wrote a blog with this title recently but here's a synopsis.  Each individual employee, process, and tool is important on its own, but it is far more important that each discrete puzzle piece contributes to the entire cybersecurity system in a harmonious and cooperative way.  CISOs didn't really follow this thinking in the past and often built their organizations, processes, and technical infrastructure from the bottom-up based upon individual point tools and other assorted technologies.  Even if this model still works today, security professionals must realize that it is a non-scalable kludge at best.  CISOs must "think different" by setting strategy and goals from the top-down henceforth and then create the cybersecurity systems with common archetypes and goals. 

1  2  3  Next Page