
A Proposed Model for Permanent Change in Cybersecurity

By James Doggett
October 4, 2018

Why is it that we keep on doing the same things in security year after year and we expect a different result? For decades, we have been buying and installing security tools to “fix” our security issues around things such as patch management, privileged access, application vulnerabilities, etc. And yet these issues remain at the top of the list of security issues today.

Assuming our goal is to actually fix security issues and keep them fixed, how might we change our approach to this problem? The fact is, most CISOs are now being held accountable for measurable and sustainable risk reduction, not merely for having fixed a large number of security flaws. This may require monthly reporting of the risk reduction achieved. Such KPIs could include the percentage reduction, month over month, in sensitive data leaving the network, as well as the percentage of enterprise data covered by a DLP (data loss prevention) solution.

For a new "permanent change" model to work, it is crucial that we only take on new security initiatives when we can be confident that the initiative fixes a security issue (as measured by risk reduction) and that the fix is sustained in an automated manner. In other words, we fix the problem in a way that includes not only the tools, but also the processes and controls.

The first step is usually identifying the area of security where we want to invest in improvement. Ideally, the area(s) chosen for investment will be a security domain where the greatest risk reduction can be achieved for the dollars spent. A second criterion might be that, once implemented, the solution (i.e., the tool and related processes) will continue to control the risk being remediated and will prevent that risk from growing again over time.

For example, we may want to focus on a risk area around firewalls and home in on the hygiene of the firewall rules across the environment. We might approach this by hiring a consultant to come in and clean up all the rules: eliminating those that are out of date, consolidating those that are redundant, and so on. The problem with stopping here is that the firewall rule base will fairly quickly become stale again and will grow just as quickly. What is missing are the control processes and tools to manage future changes to the firewall rules, and the tools to monitor those changes.
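As an added illustration (not part of the article), a small Python check of the kind the firewall example calls for: it flags rules that have gone idle, rules already covered by an earlier rule, and rules that appear on the device without a change-control record, and turns the result into the sort of monthly hygiene KPI discussed above. The rule names, addresses, approved-change list and 90-day idle threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    port: int
    last_hit: Optional[date]  # None: the rule has never matched traffic

def subsumed_by(rule: Rule, earlier: Rule) -> bool:
    """True when an earlier rule already permits everything `rule` permits."""
    return (rule.port == earlier.port
            and ip_network(rule.src).subnet_of(ip_network(earlier.src))
            and ip_network(rule.dst).subnet_of(ip_network(earlier.dst)))

def audit(rules, today, approved, max_idle_days=90):
    """Hygiene findings plus a KPI: percentage of rules with no finding."""
    stale = [r.name for r in rules
             if r.last_hit is None or (today - r.last_hit).days > max_idle_days]
    redundant = [r.name for i, r in enumerate(rules)
                 if any(subsumed_by(r, e) for e in rules[:i])]
    # Rules present on the device but absent from the change-control record
    # (the monitoring gap the paragraph describes).
    unapproved = [r.name for r in rules if r.name not in approved]
    findings = set(stale) | set(redundant) | set(unapproved)
    kpi = round(100 * (1 - len(findings) / len(rules)), 1)
    return {"stale": stale, "redundant": redundant,
            "unapproved": unapproved, "hygiene_pct": kpi}

# Constructed sample rule base (hypothetical names and addresses).
TODAY = date(2018, 10, 4)
RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.168.1.10/32", 443, TODAY - timedelta(days=3)),
    Rule("allow-web-dup", "10.1.0.0/16", "192.168.1.10/32", 443, TODAY - timedelta(days=10)),
    Rule("legacy-ftp", "10.2.0.0/16", "192.168.1.20/32", 21, TODAY - timedelta(days=200)),
    Rule("vendor-temp", "203.0.113.0/24", "192.168.1.30/32", 22, None),
    Rule("allow-dns", "10.0.0.0/8", "192.168.1.53/32", 53, TODAY - timedelta(days=1)),
]
APPROVED = {"allow-web", "allow-web-dup", "legacy-ftp", "allow-dns"}  # change-control record

if __name__ == "__main__":
    print(audit(RULES, TODAY, APPROVED))
```

Running the same audit every month and trending `hygiene_pct` gives the board-level metric; a drop between reports shows the rule base drifting before anyone has to ask for a second clean-up budget.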

Once we have decided which security areas to focus our investments on, we then need to consider what processes need to be implemented to remediate the security risk. Only after the end-to-end solution is designed should we determine the "tools" that will help enable it. While building the solution(s) to reduce security risk, we should consider several factors, including coverage, remediation of the risks and automated monitoring of controls.

Typically, when we take on a large initiative to reduce risk in a particular security area, we put together a plan to remediate, and then we put forth a major effort to fix the issues. From a risk perspective, this represents a reduction in risk. However, it is equally important to take steps to ensure the risk does not rise again.

We need to build into our remediation program or security initiative the processes and tools to monitor this control in the future. We all know that over time, vulnerabilities, risks and issues tend to grow and come back unless there is a focused effort to ensure they don't. There have been several occasions where I spent a large sum of money to "fix" a security area, reported the results to the board, and then had to go back to the board some time later to request budget to fix it again.

CISOs cannot wait for someone else to solve this problem of permanently fixing security risks and keeping them fixed. While tools may help, the problem will ultimately be solved by CISOs thinking of an end-to-end process that will not only remediate risks, but continuously watch over the controls, ensuring they continue to manage the risks.


This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

KEYWORDS: cybersecurity hygiene firewalls security budget security risk management security ROI


James Doggett is CISO at Semperis. He previously served as Head of U.S. operations at Panaseer, Chief Technology Risk Officer for AIG, the Chief Security Officer and Chief Technology Risk Officer for Kaiser Permanente and Managing Director of JP Morgan Chase. He also spent 27 years at Ernst & Young, where he helped build the company’s cyber security practice from the ground up. 
