Boosting security maturity, bridging disconnects between execs, infosec specialists

Justin Berman, Technical Director, Skybox Security.

---

Disconnects between business executives and technical information security teams must be overcome to advance security maturity within organisations.

This is according to Justin Berman, Technical Director for Skybox Security, who says many South African organisations are stuck in early levels of security maturity, which hampers their ability to optimise their security posture and properly support digital transformation of the business.

Berman explains that the earliest stage of security maturity is an ad hoc approach, followed by a ‘developing’ phase in which organisations have an active cyber security programme; then a ‘defined’ phase in which programmes and processes have been defined; and a ‘managed’ phase in which programmes and policies are well established. At the highest level, organisations are in the ‘optimising’ phase, in which they have a holistic view of the attack surface, tight integration between IT and security and are continually improving the environment.

To move beyond the early stages of security, organisations must address the disconnects between executives and technical stakeholders, he says. Berman notes that all stakeholders – from the C-suite through to security architects, NOC and SOC engineers, security architects and IT operations – have the same goals of mitigating risk for organisational growth. However, the tools, data and dashboards they need to achieve this is different for each stakeholder.

“The CISO, CIO and CTO need to align security with business objectives. They need quantifiable measurements of cyber risk and the outcomes of actions and programmes that address that risk. Security architects are also strategic thinkers – they must de-risk digital transformation and glue all the components together. They need a holistic view of the environment, risk and business requirements,” Berman says. “Meanwhile, the engineers and NOC and SOC analysts are focused on monitoring and managing critical infrastructure to support the business and enable availability, scale and performance. They need data that drives security efficacy and performance, resiliency and compliance. Finally, risk and compliance teams need reports that provide risk oversight around compliance, policies and enforcement, to prove they are compliant. They all need different information.”

Meeting these needs in an increasingly complex environment can be challenging, Berman says. “There are communication gaps across business units and even within departments – for example, CIOs and CTOs may have the same objectives but different views and requirements for security, while the board sees security as priority, but is focused on finance and strategy. If a disconnect continues, security will be driven from the bottom up and not as a top-down approach, and as time moves on, security will fail to support the organisation’s strategic direction.”

While CISOs are considered C-level executives, many tend to play an advisory role and do not sit on the board, he adds. “The CISO role is evolving, but while they drive strategy, they may not be the key decision-maker on budget, tooling and engineering,” Berman says.

According to executive search firm Heidrick & Struggles, only around 12% of CISOs were on corporate boards in 2021.

Berman says organisations must overcome disconnects and advance their security maturity by addressing people, processes and technology. “They need to automate menial tasks and free engineers to work on more meaningful and strategic projects. They also need to empower stakeholders with alerts, dashboards and reports that are timeous, actionable, intelligent and concise.”

Processes also need to be improved across identification, prioritisation, remediation and oversight,” he says. “In South Africa, many organisations are stuck at identification level. We must put the right processes and workflows in play so that strategic and technical people get what they need, when they need it.”

Berman says the right technology helps overcome disconnects and ensure that all stakeholders have the information they need to improve security and compliance and better support the business. “Skybox consolidates the data and gives the right insights to the right people when they need it. It consolidates and aggregates many datasets across complex environments. It allows them to dynamically model the environment to visualise and assess the efficacy of security controls, gives context to help them understand exposure, prioritise vulnerabilities and determine optimal remediation strategies. It also helps them plan and analyse the impact of changes across the hybrid environment,” he says.

“When executives and technical teams have the tools and information they need, and management is incentivised to drive security strategies, you see massive improvements in security,” Berman says.