Cybersecurity Deficit: More than a Skills Shortage
New Services to Cut the Cybersecurity Strategy Deficit
As 2020 gets underway, we’re excited to announce a more modular and agile cybersecurity, identity management, and risk management consulting services catalog. More than ever the world needs rational cybersecurity leadership, business engagement, architectural integrity, and clear communication. We’re passionate about delivering them to you. To that end, we’ve updated our service catalog on this website to better articulate how we help clients.
This Deficit is a Gap in Strategy, Governance, Architecture
Digital transformation demands more cybersecurity, not just because it means more reliance on IT, but also “riskier IT.” The public is increasingly concerned with cybersecurity issues from events in the news. Entire companies (and other organizations) are suffering intellectual property, market share, and reputation losses to the point of experiencing lawsuits, share price drops, or even bankruptcy.
And yet, based on research we found in various sources (see Note 1), less than half of organizations’ Board members or senior executives consider cybersecurity strategic, and too few have formally defined missions, mandates, or cybersecurity roles and responsibilities. Thirty-eight percent (38%) of Fortune 500 companies in the U.S. don’t have a CISO position.
Just as you – a security leader – need to tell the business why they should accept some new control you’re implementing we – as consultants – should give you our why for what we do. Here it is: Our Service Catalog seeks to cut the cybersecurity deficit to make your security program more successful. Through Executive Cybersecurity Coaching, Maturity Assessments, Security Governance reviews, and other services we can help organizations prioritize cybersecurity to the appropriate level of concern for their business. Executive Cybersecurity Coaching helps security leaders perform a variety of tasks:
- Develop a cybersecurity strategy
- Define the cybersecurity mission or mandate
- Craft the right messages and metrics to business and technical audiences
- Deal with pressing issues such as compliance or certification reviews
- Modernize critical infrastructure such as identity and directory services
- Gain stakeholder consensus and support
Our services have always been flexible, but in the new Service Catalog we’ve added additional project formats and we’re emphasizing new topics. Although there’s much more we can do, today we’re featuring two Portfolio Services: Cybersecurity Readiness Exercise and Directory Services Modernization.
Cybersecurity Readiness Exercise
If you host data or services on behalf of your clients or customers, SOC 2 is in your future. If that data includes PHI, PII, or PCI data, you also have to contend with HITRUST and/or PCI-DSS. If your clients include public sector entities such as state or federal agencies, add in NIST CSF. Non-compliance with cybersecurity standards or frameworks can pose an existential threat to the business, especially for organizations in regulated industries. Having any form of cybersecurity deficit in the security governance structure or policies hurts your chances of demonstrating compliance.
Our Compliance or Certification Readiness Exercise helps clients prepare for mandatory, high-stakes audits, certifications, mergers, acquisitions, and other security projects that must succeed. We do this by rapidly coordinating and facilitating a series of surveys, interviews, or workshops augmented with well-designed instruments we have developed over many engagements.
At the end of the engagement, you’ll understand your overall readiness for the high-stakes project and have a risk-informed action plan for the next 30-60-90 days, clearly articulated success criteria, and leave-behind instruments for continuous self-assessment and improvement.
Would you like to learn how we can tailor a cybersecurity readiness exercise to address your critical challenges?
Identity and Directory Modernization
Digital businesses are built on cloud services, APIs, and digital relationships. They cannot afford to drag boat anchors behind themselves as the competition moves ahead. However, many organizations’ premises-based identity infrastructures are costly, clunky, or bursting at the seams. Primary among these are older LDAP directories or Active Directory domain structures not designed to work with modern cloud-based APIs and identity protocols such as OAuth, OpenID Connect, and SCIM. Nor are they optimized for the emerging Zero Trust model, which depends on directory-enabled APIs for access to any and all resources.
In some cases, older directory releases have reached end-of-life status. No longer supported by Oracle, Microsoft, CA, or other vendors, they nonetheless continue in production use to support most, if not all, of the applications and services in conventional organizations’ IT environments. IAM teams would like to replace them, but are afraid to risk breaking production applications with complex dependencies on their directories’ schema, operational models, or custom integration “glue.”
We offer a Directory Modernization service to rapidly assist with migrating away from end-of-life, overly expensive, or unfit-for-purpose directories. With over 30 years of Directory Services design and IAM deployment expertise, we can help you discover requirements and dependencies, plan a successful directory migration, and make the right decisions for modernizing your organization’s IAM infrastructure and applications by establishing new internal and customer-facing directory services.
Can we help you explore opportunities for directory modernization?
Bottom Line: It’s About Risk Management
In the final analysis, security programs are about reducing risk, and that is what our consulting services aim to do. Risk comes in many forms. We’re all too aware of the menace from cyberattacks or security control failures. We must also be mindful of more subtle dangers such as risk aggregation in older directories or the opportunity costs from delayed certifications, audit-inspired fire drills, and the inability to efficiently deploy strategic cloud services or onboard key partners to those services. These kinds of issues are the reason we’ve focused on Cybersecurity Readiness Exercises and Directory Modernization today.
For any of the Projects in our Portfolio, we also help clients discern risk directly through our Focused Risk Assessment offering. Or, with more offerings in our Governance, Risk, and Compliance portfolio, we can help you build up the capability to engage with stakeholders on the risk management and security governance programs that should underlie everything we do.
We would like the opportunity to connect with you and your team to see how we could help. Our “door” is always open!
NOTE 1: Most of the stats used in the “Cybersecurity Deficit” figure and supporting discussion come from the excellent book on CISO Soft Skills, except as follows. The data on Board participation in the cybersecurity strategy is from the PwC Global State of Information Security Survey report, and the factoid that 38% of Fortune 500 companies lack CISOs is from Bitglass’s The CloudFathers analysis.