New York native Don Devine is a loyal Giants fan, but he points to Bill Belichick’s organizational and coaching skills at the helm of the New England Patriots as a guide for CISOs in the midmarket space.
“The Patriots win Super Bowls, not because they have the best team, but because they execute extremely well,” Devine explained, commending their consistent, five-yard advances down the field with as few penalties as possible. Their program focuses on instilling discipline, taking above-average players – not necessarily superstars – and practicing flawless execution.
Cyber security planning in the midmarket requires a similar approach.
Devine has guided information security, data and risk management programs for Fortune 500 companies for more than two decades, and he is currently serving as the CISO at Phoenix-based Aspect Software.
Back to Basics
A focus on the fundamentals of information security, like patching and vulnerability scanning, is like blocking and tackling on the gridiron: they are indispensable to a defensible security strategy. Pouring millions of dollars into a company’s information security budget is no guarantee against hackers infiltrating the network and hijacking information.
Earlier this year, Nuix released its second annual Black Report, which taps into the minds of hackers to better understand how they operate. Nearly a third of survey respondents reported an ability to breach an organization’s perimeter within 10 hours. In the most vulnerable industries – food and beverage, hospitality and retail – more than half of respondents said they could find critical value data (CVD) within an hour and remove it in, at most, the remaining five hours.
“It’s not if, but when,” Devine said of tenacious hackers, driven by the challenge of penetrating network perimeters. The ever-evolving role of CISOs includes managing the conversation with Public Resource Officers in the court of public opinion when an attack happens. Because it will.
“Every company may have patching and vulnerability programs, but there will always be the box in the corner that wasn’t patched, and that’s the one the hacker will find.”
A defensible plan that also includes meeting regulatory compliance standards is key to any organization’s security strategy. As security leaders Mike Benz and Steve Hundley agree, it’s not enough to build an incident response plan that includes industry best practices and lofty goals simply to appease stakeholders; security teams, however modest they may be, must have well-rehearsed plans on which they can immediately execute.
While a company’s security strategy can be carefully marketed as a competitive advantage, doing so likely only serves as a loud beacon for ambitious attackers. Executives who ask if their organization is secure are not asking the right question, according to Devine. Rather, the more important question is understanding how risks are being managed.