Orchestrating Cybersecurity Across the Business Ecosystem
A cyber leader’s guide to learning the business and providing precise support.
We’re now in the throes of digital transformation. In terms of hype, we’re now beginning to edge our way up the “slope of enlightenment,” as Gartner would say. Many organizations are slowly clawing their way forward, grasping the reality that it’s not just about digitizing products and services, but entire business models.
Increasing a business’ digital competence is a need that’ll never go away; continual transformation is required to be competitive in the market. So much hinges on getting digital right that entire new disciplines and executive roles are springing up, including the Chief Digital Officer and Chief Transformation Officer. Change makes many people uncomfortable, but it’s a necessity. Ben Franklin was a man ahead of his time stating, “When you’re finished changing, you’re finished.”
Talking the talk is easy but walking the walk of digital transformation is tricky. Truly digitally-minded organizations are feeling the pains of gaining real traction: organizational resistance, re-engineering the customer experience and making data sources widely accessible are all tough propositions. But one item clearly sits near the top of everyone’s “roadblock” list: cybersecurity.
With on-premise infrastructure quickly fading away and the perimeter now gone, there’s no way to neatly box the cyber problem and treat it with commodity solutions. Modern business is now characterized by a chaotic, hard-to-map web of products, services, business processes, data, applications, infrastructure, organizations and people. Yes, this construct creates customer value…and it produces cyber risk that spreads like wildfire.
The Value of Seeing Your World Through an “Ecosystem” Lens
Despite the challenges of being digital, it’s within this disorder where opportunity lies. As a leader, it’s your task to find stillness and clarity amidst the sprawling and morphing organism known as your business, and help secure it. In fact, we can extend the organism analogy further by learning from the natural sciences realm. It helps to view a business as an ecosystem. Much like scientists in climatology, ecology and biology have used the ecosystem concept to tackle wicked problems in those fields, we can study modern businesses through an ecosystem lens and use those insights to make better decisions, especially in cybersecurity.
British ecologist Sir Arthur George Tansley first coined the term “ecosystem” in a 1935 essay to describe the dynamic transfer of materials between organisms in a given environment. He stated that all the components in an ecosystem are interdependent, needing one another to survive and serve their purpose. Anything that does not fit these criteria is, by definition, not part of the ecosystem. Countless studies show us that it’s the diversity of the environment that keeps an ecosystem productive, stable and durable. Cybersecurity is the same – an ecosystem challenge.
Shedding Light on the Top Need in Cyber
When you start viewing security from an ecosystem standpoint, you’ll see a wealth of dynamics at play. You’ll discover the interdependence among diverse entities, how there are “loops” everywhere and the existence of both living and non-living parts. While insightful, gaining this knowledge can quickly overwhelm any leader and make every challenge feel both critical and urgent. Luckily, there is a key need that every cyber leader should fixate on to bring better cybersecurity across their business ecosystem.
Let’s first acknowledge the noise. Today’s cyber leaders feel a wide range of “hard” and “soft” pains as they help manage enterprise risk and (hopefully) create value. With the former, many organizations are drowning in technical debt accumulated over years (e.g., unwieldy technology infrastructures from M&A activity or security tool overload), they lack clear visibility into their attack surface, or they face difficulty installing good security practices into evolving domains (e.g., cloud, manufacturing, and DevOps). As importantly, cyber leaders struggle with the softer side of the coin: reliably accessing high-end talent, measuring and reporting return on investment and influencing a diverse stakeholder community.
These problems are complex and sophisticated. They require both managerial precision and higher-order leadership (e.g., empathy, abstract thinking and creativity).
It’s easy to get frustrated by the laundry list of potential challenges in cyber – the monstrous list of things you could spend your time on. And that’s exactly what most people do; they drown in the endless risk register. But the best leaders bring extreme focus.
As Greg McKeown pointed out in Essentialism, “The word ‘priority’ came into the English language in the 1400s. It was singular. It meant the very first or prior thing. It stayed singular for the next five hundred years.” That is until we confused things and bent the meaning. Definitionally and contrary to popular belief, we can’t have priorities. That might hurt our minds, but extreme focus matters when a problem is this gnarly. It’s time we concentrate on one overarching problem.
It’s time we see the priority cyber challenge as one of orchestration.
We’re not talking in-the-weeds Security Orchestration, Automation, and Response (SOAR), but orchestration at the macro level: getting all the cyber-relevant resources in your business ecosystem to harmoniously sync on a common mission and work together. Here, you’ll benefit from a team that’s wonderfully diverse in mindset, skillset, organizational positioning and background. Like a maestro masterfully conducting a symphony, the outcome is only beautiful when the constituent elements (people and instruments) learn how to work together.
When you’re effectively orchestrating security across a business, you’ll experience:
- Multiple levels of insight: the ability to see and interpret challenges and opportunities from different vantage points (think satellite, helicopter and microscope)
- Tighter connectivity across internal and external teams: a wide appreciation that cyber health is business health, and that it requires diverse parties working together
- Self-forming collaborations: since empowered relationships among different teams already exist inside and outside the business, there will be faster and more pinpointed problem identification and resolution
- Better agility and solution scale: small, targeted teams pull from existing toolkits and blueprints to customize solutions for local problems and then scale them for repeatability
Bringing Orchestration to Life
Cyber leaders conduct the symphony, and use orchestration to affect the change they seek to make. We can no longer afford narrow thinking or micromanagement. The problem is too big and dynamic for that. We need help from others. Instead, it’s about empowering, trusting and guiding.
The networked nature of the cyber challenge requires us to operate through orchestration. Doing it well requires that we look inside and outside the organization to first gain holistic understanding. Then, we can tune the collective people, processes and technology that lead to our desired security outcomes. This is hard, but the approach is important.
For the same reason traditional project management is giving way to agile ways of working, we can’t think of orchestration as a linear or one-time approach in cybersecurity. We can’t set it and forget it. Done well, orchestration becomes a meta-capability in your program that continually enables your portfolio of traditional cyber capabilities (e.g., threat intelligence, risk management, incident response) to do what they’re meant to do.
We desperately need the bigger picture to be effective at lower levels. The continuous nature of doing orchestration across your business ecosystem generally involves the following loop:
- Crystalize your strategic aims. Think deeply about the problem you’re trying to solve. Start with clarifying your organization’s “why” for cybersecurity. There is no one-size-fits-all strategy, but there are options to consider, such as: business continuity, brand protection, compliance and business growth. Your specific business context drives your choice. By getting business leaders (board members and C-suite) and cyber leaders aligned on purpose, you can create guiding objectives that flow downward and generate meaningful outcomes. Then, whenever you spot a challenge that clashes with these objectives, it’s time to orchestrate a change. Start with clarifying top-level ambition to ensure cyber truly becomes an enabler of business strategy.
- Continually map a fresh view of your business ecosystem. You need a wide-angle view of your world in order to act within it – the people, data and machinery, tied together with real-world relationships and workflows. We can learn “how to map” from a variety of fields. In System Dynamics, we discover that all parts of a system must participate for that system to carry out its purpose. Furthermore, every part of a system either reinforces or balances another part. Just like you need threat intelligence to fuel you hunting activities (reinforcing processes), you need internal and external stakeholders aligned (balancing processes) on the guiding objectives of your cyber program. Or take Value Network Analysis, where we take value chains a step further and look at the more complicated reality of how people and organizations truly interact to deliver customer value. Knowing your business ecosystem gives you the visual required to affect bigger, more systemic types of change. Note: you’ll want help from business leaders to generate this.
- Design and implement a cyber operating model tailored for desired outcomes. Once you’ve clarified a strong “why” and possess an ecosystem map, you can methodically design the governance, roles, responsibilities, capabilities and organizational structure required to deliver the right security outcomes. The Operating Model Canvas is a great guide for doing this. Your intent here is to “overlay” security on top of your real business – the chaotic mess that it is. Having a strong operating model also puts sensors everywhere (internal and external), helping you discover weak points and important opportunities for shoring up how and where capabilities exist across the business. Also, embrace the design process and use it to build relationships with key stakeholders outside the cyber organization – you’ll need them.
- Mobilize resources to orchestrate change. As a cyber leader, your job is to set things in motion, not micromanage. Be humble, flexible, accessible and visionary. As you scan your environment, zoom in on the opportunities that need the most attention and get to orchestrating. This involves assembling the right group of relevant parties, wherever they exist, and giving them top-level guidance, setting reporting criteria and acquiring resources as your team needs them. Your job is to enable agile, highly-focused groups that (a) are led by creative and highly collaborative individuals and (b) love swarming problems. This way, you’re giving your teams individual “sandboxes” that they have full control over (similar to the U.S. Joint Special Operations Command’s “team of teams” model). Mobilizing these teams may require “going above” and establishing executive alignment to unlock movement or access to a key resource, but it’s all good, because relationship-building is now your thing as chief cyber orchestrator.
- Ensure a cycle of continuous learning. Much like we red team cyber capabilities at the operational level, it’s important to continually gauge where the “blind spots” and “cracks” are across your well-orchestrated ecosystem. Since your business and the cyber risk landscape are both so dynamic, the opportunities for improvement will continually shape-shift. Applying your orchestration capability requires you – as the leader – to let go of full control and let localized work happen where the problems exist. And it’s from these smaller networks that you can tap into important nuances – what the best practices are, where you have allies, relationships that you need to build and so on. You’ll want to have a systematic approach to extract, analyze and adopt lessons learned from out in the field. In tandem, this approach will give you data required to update your ecosystem map so that you always have a fresh view.
- Make orchestration an enduring capability. As a leader, your job is to work on the system, not in the system. Orchestration is now your specialty. Today, very few cyber programs have a way to “know the business” and take targeted action within it. Sadly, they operate with generic frameworks. To alleviate that pain, make orchestration an ever-on capability within the cyber program. You’ll need it to stay abreast of how business and technology strategies are changing, which informs your own cybersecurity approach. Surround yourself with creative, highly-collaborative people that see the world from a “systems” viewpoint or have design thinking skills. Leading in cybersecurity has evolved from technical mastery to artful teamwork. Knowing your business ecosystem and being able to orchestrate change within it is the key capability going forward.
Most organizations struggle to visualize the swelling cybersecurity challenge, and they’re unable to adapt accordingly. Cyber-related gaps and "blind spots" are continually surfacing, mostly as a byproduct of the business changing to remain competitive. Without a systematic and thoughtful approach to orchestrating security across the business ecosystem, cyber programs will continue to lack in influence and impact.
To make progress, cyber leaders need to work with key stakeholders to understand and structure efforts that match unique business needs. By institutionalizing certain techniques, cyber programs can methodically and repeatably obtain a “picture” of the business ecosystem to gain situational awareness. And by knowing the interdependencies and flows of how a business works, how external parties fit in and where and what the critical assets are, then leaders have a fighting chance to establish an effective and efficient operating model that brings the right capabilities and binds diverse teams using a “shared mission” mentality.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.