In a past life, before I was a Chief Information Security Officer, I was a Soldier. As a soldier, I learned that whether you were in a training area or deployed to a combat zone, you had to learn to get the job done with the tools you had on hand. My colleagues who were U.S. Marines would often say “Adapt, Improvise, Overcome.” This phrase is simple, descriptive, and directive. It is a statement on how to deal with adversity, accomplish the mission at hand, and accept that getting more help or more tools is not an option. More importantly, it is a statement on how to get the job done when failure is not an option, because failure could have dire consequences.
Similarly, a cybersecurity failure could lead to dire outcomes. More help and more tools are also problematic due to costs, procurement cycles, or simply competing business interests within the organization. Funding may not come in, and when it does, getting a new technology in place may take longer than a risk can be allowed to remain exposed. Therefore, cybersecurity leaders must embrace the idea of fighting with what you have on hand to implement solutions that mitigate cybersecurity risks. Fighting with what is on hand is also about addressing immediate issues such as disasters, fires, and most recently the global pandemic.
The COVID-19 pandemic has been regarded by some as the biggest agent for change within their organizations for the year 2020. The pandemic forced organizations across the globe to reinvent how their employees work and transition entire workforces to work from their homes. For IT and cybersecurity, the pandemic may have provided a financial windfall to execute some longstanding projects. However, the rapid funding initiatives currently used to combat the pandemic would likely adversely impact future funding for IT and cybersecurity initiatives over the fiscal years to come. Regardless of future impacts, cybersecurity leaders had and still have the challenge of continually improving the posture of a now continually transforming workplace while determining the best use of available funds for IT and security efforts. For example, if the organization has to choose between laptop computers for staff to work remotely, Identity as a Service (IDaaS) subscriptions for Multi-Factor Authentication (MFA), or increased VPN access for existing devices, it is highly likely the security team will have to find a way to accomplish the same goals the Identity as a Service provider offers without the benefit of establishing a subscription with the IDaaS provider.
Fighting with what you have does not mean not being innovative. Fighting with what you have is simply about looking at people, processes, and technologies the organization has available to kick start cybersecurity program objectives, respond to urgent situations, or remediate identified vulnerabilities. When staring down the barrel of a crisis or just generally looking at a need to improve the organization’s cybersecurity program, consider the following:
- Develop clearly defined objectives in the first place. If you don’t know where you want to take a cybersecurity program, then it is unlikely that any amount of technology improvements will have any lasting effect on improving the defensive posture of the organization.
- Obtain a “what does it do?” understanding of the technology you have on hand, to include shelfware products (these can often be implemented in lieu of procuring a new solution). Then cross-walk the capabilities of all on-hand technologies against the established security program objectives.
- Create a gap assessment of what program objectives you cannot meet with the existing technologies and then determine how you might be able to improvise network infrastructure, software policies, etc. to mitigate risk created by these gaps.
- Use the gap assessment to develop a procurement roadmap using risk factors to set priorities for purchase. Use this to develop a spending plan before you ask for increased funding so you will be able to show quarter by quarter how the dollars spent relate to the reduction of risks.
In closing, fighting with what you have is about being effective, cost conscious, and establishing value for cybersecurity services. It is about getting the most value out of existing technologies, understanding how technology is going to be used to address risk mitigation requirements, and setting realistic measurable objectives. Ultimately, taking this approach requires cybersecurity leaders to be less idealistic, more pragmatic, and optimistic about the achievement of their program goals.