Three Principles for Managing Security in Turbulent Times

“…I have always found that plans are useless, but planning is indispensable.”
-- Dwight D. Eisenhower

Principle 1: Come from strategy

You know, there isn’t an “easy button” for securing your organization. Any meaningful, successful change to your security posture will involve changes in technology, process and culture. And the best way to guide this kind of change is to have a strategy in place well ahead of real-time events. If you don’t know where you want to go, how can you choose the next step to get there? In turbulent times, everyone’s attention will be on the company’s security posture, so this is the time to lean into your strategy. Any recommendations you make during a global crisis need to align with that strategy. This will build support for your goals and demonstrate that you and your team are in control. During a crisis, a calm leader gets a lot more done than a person yelling, “Fire!”

Hopefully you have a strategy that is supported by your leadership team. (This is not the same thing as funding it.) If you don't, or if events have made your strategy ineffective, then it’s time to revisit it or iterate. Don’t try to author a completely new strategy in a time of crisis, as it will likely be focused on the “now” event and imminent risks.

However, if you’re in this situation, it’s easier to adopt an existing framework. I’m a fan of NIST and the current 800-207 on Zero Trust Architecture and believe Zero Trust is the best “working” security strategy available today. There are two big benefits to using a pre-built framework. First, it addresses overall needs in a well-rounded way because it isn’t skewed to current events. Second, it offers dozens of supporting articles and tools that give a clear, proven map on how to make it successful in your company.

Principle 2: Embrace momentum

As an organizational leader, it can often feel like enacting real change is pushing a boulder up an endless hill. That all shifts during a crisis; now we must sprint to stay in control. The boulder is now falling downhill, and if it gets away, it can cause a lot of damage.

Let’s revisit the 2012 Hurricane Sandy crisis as an example. Due an extended power loss, some very large colocation facilities went off-line and dozens of companies suffered widespread outages. In the following months, companies rushed to get better disaster recovery options in place … spending millions of dollars to change colocation and networking vendors in months vs. the years it should have taken. Ultimately, the issue was identified as an industry-wide design flaw: generators couldn’t run for more than 100 hours without being serviced and service couldn’t happen while generators operated. Unfortunately, companies spent a lot of money and effort moving from one flawed colo facility to another before the root problem was fixed with a mechanical bypass valve at a net cost of $2,000 in parts and a day’s work. (These modifications were universally adopted within a few years.)

This shows how blindly charging in can be wasteful and produce no return on investment. But right now, your leadership is likely thinking about cybersecurity in a meaningful way, so use it to advocate for the right strategy. With current world events forcing cybersecurity concerns to the forefront, it’s an ideal time to discuss the value and necessity of a strong security strategy and clearly outline what that means.

And if you have projects that lack resources or need a push to get moved into production to reinforce that strategy, now is a good time to ask for what you need to close existing gaps. The point here is you don’t want to present new or “out of left field” ideas. Everything you talk about needs to connect back to the big picture and agreed-upon strategy.

Another way to make the best of crises is have your team on the frontlines, training employees on cybersecurity practices and helping them understand how to protect themselves and your company. Being a calm and reassuring voice in challenging times builds trust and that trust will pay back when the world calms down and we return to pushing the boulder back up the hill.

Principle 3: Transparency

The final principle is transparency. Let’s be honest, your security posture likely isn’t where you want it to be. We’re always making trade-offs to get the most done with limited resources. Most companies have weak spots in their security. Importantly, now is NOT the time to try to hide these weaknesses from your leadership team. You must give your leadership honest and clear information about the risks the company faces.

It took me years to understand that it’s not solely up to the IT or security teams to protect the company. Indeed, their role is limited; the real job falls to executive leadership. It’s their role to balance the scale when it comes to resources vs. risk. Their choices then filter down to the IT and security professionals to manage as best they can. In challenging times, it is our job to be fully transparent to leadership about the company’s security posture, because without accurate data, leadership can’t make the right decisions. When presenting weaknesses, always try to offer options for how gaps can be closed.

In conclusion

A brief word on “known, unknowns”— every company has security flaws and risks. If you do not routinely test your defenses in multiple ways, you are effectively flying blind. And, running nmap against your firewall does not count; instead, find a penetration testing company and schedule at least an annual test. I promise if you do, you will quickly see the value.

Our world is a very dynamic place. You will likely see many events during your career that shift your company’s focus dramatically and quickly. As a leader, it is your job to take those moments to move the company closer to its goals and strategy. Be calm, lean on your strategy, leverage momentum and always be transparent.

If you are unsure where to go next or how to best secure your company in this new threat landscape, Appgate can help. We are the leader in Zero Trust access and architecture and can help you and your company understand why Zero Trust is changing the face of security much faster than any other technology.

Additional resources

Podcast: Cybersecurity is Absolute Chaos Right Now
eBook: Securing the Hybrid Enterprise
Blog and Q&A video: Breaking Down Zero Trust Market Dynamics with Dr. Chase Cunningham