Building a Security Transformation Program in Our New Information Security World

From an information security perspective, companies often have perceived their own organization as a castle with well-defined walls, with few entry points sufficiently staffed with guards monitoring what information is coming in or leaving the organization. If further protection is needed, it is obvious what to do: build higher or thicker walls or add additional security guards. What is inside the castle can be considered safe.

However, there have been several significant changes in the past few years, namely:

• New business models and supply chain dependencies transcending traditional company and information boundaries
• Advances in technology and digitization increase ICT reliance
• Increasing reliance on external parties and their security approach
• Scarcity of resources, be it financial or human resources
• Increased regulatory requirements supporting the shift from a protection focus to a detection/response focus (e.g., GDPR)
• Changes in the cyber threat landscape (e.g., crime-as-a-service, espionage)

This means that reliance on traditional perimeter security is no longer sufficient, a mindset that information security professionals have been advocating for several years. The National Institute of Standards and Technology (NIST) in the US, for instance, has developed a model by mandating an ‘Identify – Protect – Detect – Response – Recover’ approach.

The next generation CISO
So why are so many companies still struggling to adopt this approach? A CISO of a reputable company once said: “I was hired for my technical security skills; however, I do not know how to build an organizational change program.” The next-generation…