The CISO Continuum

This post is about the range of cybersecurity programs we encounter in the wild, or what one of our founders calls "The CISO Continuum."

This phrase refers to the combination of two phenomena: the fact that people tend to use "CISO" (short for Chief Information Security Officer) as shorthand for "cybersecurity program" and the fact that cybersecurity programs fall somewhere on a spectrum.

Note that in this context, "cybersecurity program" means "a formal effort to protect your cyber assets." Many organizations do not have a cybersecurity program, but almost all organizations are engaged in some kind of cybersecurity. Having your IT department engage in some kind of IT security is not a cybersecurity program but it is cybersecurity.

The question of where any given organization falls on the continuum arises when prospects tell us that they have cybersecurity already, so they do not see why they would need more cybersecurity. To answer this question we ask two questions in turn: are your people doing the right things? If they are doing the right things, are they doing those things effectively?

Often there is a defensive undertone to this interaction because prospects are under the mistaken impression that we are looking to find fault with their current IT Security efforts. This is the opposite of what we are looking to do: our first step is always to figure out what you are already doing right and then build on that.

What distinguishes a formal cybersecurity program from the "that's the IT department's problem" approach is that the loop is closed between the cyber defenders (the IT security folks) and management. The actual front-line work is done by the same people in each scenario, but management has input into what is protected and has proof (evidence that they understand) that the protection is happening and is effective.

When we start to work with a client, these are our three areas of focus:

  • Are the right things being protected?
  • Is that protection actually happening?
  • Is that protection effective?

If the answers are all yes, then there is nothing more you need from us in the short-term. When considering the longer term, we also ask "is this effort self-sustaining?" but that is a story for another time.

The answers to these questions are fuzzy; they are not black-and-white. What we find is a continuum which ranges from

  • "no CISO, some IT security, no program" through
  • "part-time or fractional CISO, more IT security, little or no program" to
  • "professional CISO with a staff, lots of IT security, clear communication between management and security professionals."

Does any organization ever pass muster? Do we ever say "you are just fine, both in what you are doing and in how you are proving what you are doing?"

In general, no, because cybersecurity is a moving target and few organizations allocate the resources needed to stay up-to-date. Instead, most organizations allocate the resources to keep doing what they are already doing.

Specifically, there are three cases where there is little or nothing for us to do:

  1. you do not have the resources to do anything more than what you are doing now
  2. you just got hit and so are in the throes of fixing whatever you can fix
  3. you are large enough, mature enough, and farsighted enough to already have an effective program in place.

The point of the CISO Continuum is not to shame anyone who is not on the high end but rather to frame a discussion about where you are and, given your organization's resources, where you should be. If you are where you should be, then we are done. If you are not where you should be, we need to figure out how close to there you can get with the resources that you have.

Cybersecurity is a requirement for almost every organization today. A cybersecurity program is appropriate for a much larger number of organizations than currently have them. But as biostatisticians like to say, "statistics mean nothing to the individual." You should be making informed decisions about your cybersecurity commitment. We can help you do just that and it starts with placing you on the CISO Continuum.