When the world is in crisis, security leaders face a serious challenge. When risk levels are high, every staff member, from non-technical teams to the C-Suite, will look to the cybersecurity department for help, guidance, and reassurance.
In turbulent times, it can be tempting to simply pile more technologies on the security stack. But this is a wasteful approach in the short term and is a strategic mistake in the long term because solving today’s problems often comes at the expense of preparing for tomorrow’s.
When incidents such as ransomware attacks or major data breaches hit the headlines, security leaders have the attention of decision-makers and the chance to enact real change. Stay calm in a crisis and you are more likely to be successful during more stable times. To help you survive and succeed in this era of upheaval, here are three principles that should guide security leaders during periods of turbulence.
Principle 1: Focus on Strategy
There will never be an “easy button” that can be pressed to trigger total security. Leaders that want to make meaningful, successful, and lasting changes to their company’s security posture must play a long game focused on changes in technology, process, and culture.
Strategy and planning are the foundation of these changes and should be established as far as possible ahead of real-time events. Proactivity during calm moments allows for resilience during turbulent periods. The opposite is also true. If an organisation is forced to hurriedly redefine its security posture in the middle of a crisis, risk will soar and resilience will drop. External problems are contagious, and good strategy inoculates against some of the pathogens that inevitably arise in a turbulent world.
When a crisis hits, an organisation’s pre-developed strategy should guide its response. Ensuring recommendations made during a crisis align with strategy will build support for leaders’ goals and demonstrate that they and their team are in control. A calm leader will be more effective during a crisis than one that yells “fire” and runs around in a panic. If they are seen to have pre-empted events and placed the correct strategies in place to deal with a crisis, leaders will project confidence and show colleagues that competent people are at the helm who can deal with the problem effectively.
Leadership teams should support strategies (although this is not the same as funding them). If executives are not behind the security strategy, either more effort needs to be made in clearly explaining it to secure buy-in, or it may ultimately need to be revised or replaced.
If leaders are in a crisis and it is too late, it is advisable to adopt an existing framework. I am an advocate of NIST and its Special Publication 800-207 on Zero Trust Architecture. I believe Zero Trust is the best “working” security strategy available today.
Adopting a pre-built framework has two benefits. First, it will offer a straightforward solution to needs and will not be tied to current events. Second, there will be many articles, supporting tools, and potentially a thriving community to help leaders roll out the framework successfully.
Principle 2: Embrace Momentum
The momentum of crises can be valuable and energising. Yet it can also lead to rushed decisions—the 2012 Hurricane Sandy crisis is an example. When power supplies went down, some large colocation facilities went off-line, and outages knocked companies down too.
In the aftermath of the hurricane, companies rushed to build better disaster recovery systems. They spent millions of dollars on changing to a new colocation and networking vendor in a matter of months. Usually, this process takes years—but organisations were forced to do it in months.
The issue that caused the problems was eventually identified and turned out to be an industry-wide design flaw: generators could not remain operational for more than 100 hours without being serviced, but service could not take place while the generators were switched on.
Companies expended a lot of time, money, and effort switching from one colocation facility affected by the flaw to another. In the end, the issue could be fixed with a mechanical bypass valve, and the bill would come to about $2,000 and the cost of a day’s work. If leaders had only held back a little, they may have been able to make significant savings. Today, the modifications which prevent future outages are universally adopted.
This example shows that rushing in can be wasteful and end with no return on investment. A strong security strategy reduces wastefulness and ensures ROI. However, a crisis is not the time to be over-cautious. When world events push cybersecurity concerns to the fore, it is the perfect moment to explain why a robust security strategy matters. It may also be a great time to get the resources to finish a project or close gaps. Security leaders should be careful to tailor their ideas to the big picture and wider agreed-on strategy because a crisis is not the time to introduce concepts from left field.
Security teams should also be visible across the organisation. This could involve asking staff to train colleagues in cybersecurity best practices and helping them learn to better protect themselves and the broader organisation.
During turbulent times it is worth remembering that life will calm down eventually. If security leaders are seen to have a steady hand during a crisis, they will build trust. Then, when it is time to push that boulder up a hill again, that trust will help to lighten the load.
Principle 3: Transparency
Crises demand honesty. When the world is turbulent, organisations will face serious security challenges. Their security posture will not be in the place it would be during a time of calm.
Security leaders need to be transparent about security weaknesses and risks the company faces. Without full transparency, the correct decisions cannot be made and gaps cannot be closed. Leadership must be fully briefed on the strengths and weaknesses of the organisation’s security and have access to reliable, up-to-date data which clearly illustrates any problems that must be addressed. Without current, accurate data, leadership teams are unable to make the right informed decisions. When presenting challenges, security leaders should be prepared to present options on how they can overcome them.
Leadership In a Crisis
Every company has its own security flaws and risks. Adopting these three principles is a great start when it comes to leading a security team in troubled times. Testing defences should be a critical activity, with tests taking place on an annual basis at least.
Leadership is not easy. The world will always be dynamic, so proactively building a strategy, staying calm as events unfold, and being transparent will help security leaders sail through the storm and steer the company to a safer place.
Kurt Glazemakers, CTO at Appgate