The first article in this four part series focused on the emergence of a full lifecycle approach to cybersecurity over the last 15 years, and the elevation of the cyber responsibility in an organization to the C-Suite and beyond. This article will look at how the cybersecurity market has changed from an operational perspective, focusing on the internal changes that have occurred to keep pace with the demand externally. But first, no operational discussion can start without a look at budgets, and how organizations plan for, and procure, cybersecurity services and solutions. And who is responsible for that budget?
From a government perspective, the answer is quite clear. Congress appropriates funding and agency Chief Information Security Officers (CISO) – and other procurement officials – spend it. In fact, agency budget requests include cyber-specific funding and those levels are growing significantly as the overall budget remains stagnant. Take for example the Department of Defense (DOD) U.S. Cyber Command, which more than doubled its 2013 funding to a total of $447 million. The Department of Homeland Security (DHS) cybersecurity operations budget is $792 million, an increase of $35.5 million over the previous year. Although cybersecurity was a priority in the late 90s, including roughly $1 billion of funding in the FY 1998 budget, the current status shows the clear focus and evolution of the government in their dedication to delivering a robust cyber program.
The same cannot be said for the commercial world, where cyber budgets have historically been ad hoc versus full and comprehensive. If you were a cybersecurity technology vendor, you were pretty set in the commercial world as programs were pieced together tactically as opposed to structured strategically. This approach is now changing in the commercial market as well, with organizations actually looking to their public sector counterparts for best practices, with the role of the CISO emerging to provide that financial management and oversight. Although specific point cybersecurity technologies are still important, they are now being selected and implemented with a higher-level strategic view and often being delivered by integrators with roots in the government market, a big change from even a decade ago.
As noted, budget is just one aspect of business operations; there is also the focus on how an organization’s internal environment has adapted to meet external demands.
The role people play in cybersecurity has probably seen the biggest change. Security used to be something that an information technologist or network engineer studied on the side. Now, you see full-fledged cybersecurity experts who must be up-to-date on all of the new and emerging technologies and vulnerabilities. In addition, these experts have moved from a focus on a niche product or solution to having a complex knowledge and understating of multiple technologies.
That said, there is a major shortage in terms of available candidates to support cybersecurity programs, which makes recruitment a challenge. According to Jim Gosler, Sandia Fellow, NSA Visiting Scientist and the founding Director of the CIA’s Clandestine Information Technology Office, “There are about 1,000 security people in the U.S. who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000.” That is a shocking statistic and one that has altered the recruitment strategies of every organization.
Cybersecurity was not something that was traditionally built into an organization’s operational processes. Rather, it was something deep down in the organization that “nobody wanted to talk about,” or even knew existed. To most, it was that annoying pop up that occurred every 90 days that required them to “change their password” or “update now.”
Cybersecurity is now incorporated into operational processes at the corporate or agency level, with an established commitment to an organizational approach and internal standards in place that are required of employees and partners accessing the network. Organizations are now focused on implementing true governance programs. Serving as the foundation for effective cyber practices, these programs consist of a clearly defined structure, as well as defined and well-communicated policies – all of which support the standardized processes and procedures. This means that resources across an organization now have an increased awareness and direction to follow the processes and procedures documented in international governance standards, which is critical to success in today’s threat environment.
Centralize or Decentralize
From an operational perspective, it is really about whether security is embedded into an organization and if it is managed centrally or provided on a decentralized basis. Back in the day, security was considered decentralized as it was implemented in a fragmented fashion – one part of the organization would implement a network intrusion tool, another would establish a firewall around their work cluster. It was primarily done this way because security was the responsibility of the IT shop instead of security-specific resources.
Now, CISOs want to centralize the entire function. Although this might be more effective from a management function, operationally it does not necessarily support the requirements to the edge. What should be centralized are the required set of security controls implemented throughout the enterprise. Control normalization allows organizations to streamline its management activities while reducing the number of overall controls. With this approach, organizations can leverage these commonalities to more effectively monitor their controls internally across the organization, while decentralizing the delivery model.
Cybersecurity challenges on the operational side of the house are many, and will only get worse as technology advances. As such, it is critical to develop a strategic and consistent method of managing budgets, as well as instilling the appropriate internal resources and processes to effectively manage the cybersecurity function.