3 Reasons Cybersecurity Programs are so Immature?
I recently read the results of a study that asserted that men don't mature until they are about 43, or roughly 11 years later than women, on average. 43 is a dot in my rear-view mirror at this point in life, and I'm not sure if I'm "mature" yet. However, one thing that is crystal clear is that many cybersecurity programs are on about the same maturity track as these aforementioned men. As a CISO who leads a business practice group that consults as vCISOs for numerous organizations and provides advice to many others, it is clear to me that there are a number of reasons for this immaturity. In this article, I'll focus on 3:
- Non-existent security program. The organization may have a few controls here and there, but cybersecurity is not a budgeted and tracked line item. In most of these cases, the cybersecurity budget is simply whatever extra falls out of the operational IT budget, OR whatever point solution some recent incident dictates, OR whatever bare minimum can be done to satisfy outside regulatory bodies and/or customer demands.
- Ignorance about what a mature cybersecurity program looks like plays a large role. Attempting to do cybersecurity "right" without addressing the specific organizational risks is a recipe for poor outcomes. Many organizations are constantly fighting to "do better" on cybersecurity, but they lack a formal plan and they also lack tangible measures for what "better" actually means. If it isn't measured, it isn't done.
- Lack of qualified, committed resources. It is incredibly rare to find organizations, particularly SMBs but also some larger organizations, that have dedicated security resources. In most cases, the responsible individual owns the security role in name, but it is not their only role, nor even their primary role. They simply do not have the time to actively drive organizational cybersecurity. The result is that the security program never matures, which leads to frustration for all involved parties. It is a recipe for poor cyber-hygiene, which inevitably results in negative outcomes for the organization.
The good news is that there are ways to combat these 3 things and ensure that your organization begins (and then continues) to make forward progress in adequately protecting organizational cyber assets. It simply requires intentionality, investment and continuous effort. A good start, in order, is to:
- Formally adopt a risk management framework and begin taking steps to understand and address organizational risks. An easy place to begin is the NIST CSF. It is designed to be substantially easier to understand and use than trying to tackle NIST SP 800-53 directly. With simple categorization like Identify, Protect, Detect, Respond and Recover, you can quickly assess gaps in organizational security. Commit to supporting organizational security by budgeting for cybersecurity specifically. This allows you to understand what you are spending to be secure and compare that to industry standards. Most organizations spend at least 15% of their total IT budget on security.
- Formally adopt a maturity model. Most people are surprised to find out that their organization is not very far up the maturity scale, even in cases when they feel like they have a substantial security spend. Take a quick NIST PRISMA Review to see how well your organization stacks up. Did you end up at Level 0 because there are no written policies? Many do.
- Recognize that cybersecurity is a discipline that requires expertise and time to execute. If the organization does not have dedicated resources responsible for cybersecurity, a security program cannot be expected to mature at a rate that even keeps pace with the constantly changing threat landscape. Commit to supporting the hiring of resources that will allow your organization to move forward.
Ultimately, there is something implicit in the word mature. Much like that study suggests for men, maturing a cybersecurity program simply takes time. But it doesn't just take inactive time, waiting and hoping things will get better. It won't simply happen without dedicated budget and resources put into place to make continuous and measurable progress. The key resource is dedicated, purposeful time. I'm fond of invoking the Oak Tree Principle. If I want a shady back porch, the BEST time to plant the tree is 20 years ago. The SECOND BEST time is today. If you don't start, you won't get there.
Pileum SRC is here to help if you have any cybersecurity needs. We are happy to simply engage in discovery conversations and provide good advice. At Pileum we routinely work on point in time engagements for specific projects as well as ongoing services like our vCISO program.