CISOs, it's time to see the world differently: The tried-and-true risk mitigation approach to cybersecurity is still necessary, but it is not sufficient. And your predilection for trying to solve the impossible -- well, that's just misguided. That was more or less the message from Phillip Miller, CISO and head of infrastructure at New York-based clothing giant Brooks Brothers.
"We must understand the risk appetite of our organizations, but managing risks cannot be the only thing we do," Miller said in his keynote address at the Argyle CISO Leadership Forum in New York.
He argued that CISOs need to take a more mission-based approach to protecting their companies. They often fall into the trap of trying to fix everything, rather than focusing on fixing the things that will make a difference, Miller said. This is why cybersecurity initiatives like identity management and multifactor authentication projects, to name just two, often drag on for years, he said.
"Focus on vanquishing the enemy that you can see, not worrying about the one that you can't, and then prepare for the next engagement," he advised.
But the view that a cybersecurity program, if only done well enough, can prevent every data breach is simply unrealistic, according to Miller. "Our teams need us to set an example that they can translate in their real lives, in their day-to-day operations as a security threat analyst."
To help security leaders and professionals achieve this goal, Miller suggested a three-phase approach he calls mission, model and medicine.
Mission, the hardest of the three, calls for CISOs to lay out a clear path for every major activity that is necessary to improve their cybersecurity programs.
The first step to doing this is owning the narrative, he said. "Don't let the people around you define what your cybersecurity practice is."
Of course, CISOs must also have a deep understanding of their company's business objectives and goals, its supply chain, and its finance teams, Miller said, so they can craft a mission that protects the business, which is the CISO's primary responsibility.
Secondly, cybersecurity professionals need to team up, he said. "Your team is not just the people that report to you; your team is everybody within the organization that touches data and information, and you need to go out and be obsessive about recruiting those individuals for that mission."
But these extended team missions should be discrete and not overly long; otherwise, people will become disengaged, he said. It is equally important to create reports to evaluate whether the outlined mission goals were accomplished.
"And then we feed those back into the next mission that we take up," Miller said, adding that this will help cybersecurity programs function like "every other business unit that's adopting modern management practices. Think of this as DevOps, or Agile, or Lean Six Sigma of how you run your security programs."
Model and medicine
Miller explained the model phase as creating a set of behaviors or approaches that define how to go about doing something -- and then communicating those standards to the enterprise. This will help prevent the security organization from being seen as a roadblock.
For example, if an Agile development team is implementing a new technology that has a connection to the outside world, the cybersecurity program should offer the Agile team a set of "reference models" to choose from, explaining that by adhering to one of these models upfront, the deployment will have a much easier time getting sign-off from the security team. "[At Brooks Brothers,] we have been working on creating these reference models," he said.
Medicine is the easiest of the three, according to Miller. This refers to the parts of an organization's infrastructure and security program that just need to be fixed, he said. It's that server that's sitting out there that's still running an obsolete version of Windows or of Linux, and "you need to buckle down and create a plan to resolve it."
Cybersecurity is no longer a discrete discipline within the organization, Miller said. It is everywhere, and that's how CISOs need to think about their cybersecurity programs as they build their teams.
"We still need to have individuals who wear that [security] hat, but we need more data analysts ... we need more people who are willing to walk across and shake hands with somebody and say, 'Hi, I work in cybersecurity, and I'm here to help your project be more successful.'"
The ability -- and willingness -- to make cybersecurity an enterprise-wide discipline starts at the top, Miller said. Cybersecurity leaders must be proactive in changing the way they collaborate and communicate about cybersecurity, both with their teams and with the business.
Indeed, Miller is convinced the next generation of cybersecurity professionals will be the most inclusive, diverse and collaborative the industry has ever seen. These new entrants to the field will not want to be siloed within the organization, he said. And CISOs will be better off for it.
"Finally, I think that CISOs will change the way they measure themselves and the way they are measured externally -- not on whether they stopped a data breach, but on the strength of their [cybersecurity] program. They will be measured on resilience versus reaction."