How to restructure your security program to modernize defense

Restructuring the security program when technology and skills change: When revamping their security programs, CISOs can keep in mind Venables’ four-phase framework, which is flexible enough to fit almost any organization. Companies can start where they are, make the changes they want, and then return to complete the remaining tasks.

Restructuring the security program should be done periodically, because technology evolves. Venables recommends CISOs “consume strategic threat intelligence” to stay updated. He also advises them to proactively address entire classes of risks, threats, and vulnerabilities, rather than waiting for an incident to occur.

It helps if CISOs and security teams take time to examine existing plans, processes, and procedures to determine whether any improvements or innovations are necessary to strengthen defense capabilities, adds LeMaire. Sometimes there are tools that can be added, and tools that can be taken away. “If you can simplify your stacks and get 90% from 10 tools instead of 10% from 90, you’ll free up budget and attention for the next challenge,” LeMaire says. Meanwhile, experts point to AI-driven tools that can increase the team’s productivity and capability by “10x”, as Venables put it.

Training should also be taken seriously; supporting security teams to grow is another theme echoed by many experts in the field. “When in doubt, invest in your people,” says LeMaire. “You can’t really future-proof security, but you can build a team that can adapt.”

But beyond hiring the right talent and ensuring proper training, CISOs must also be ready to make tough personnel decisions when necessary. “Sometimes you change the people, and sometimes you change the people,” says Herrin. “If you have the wrong people in critical roles, you need to make changes and make them quickly. What matters most is the people and the leadership, not the tech.”

Common mistakes: Mistakes are inevitable when reworking something as complex as a security program. They usually come from not having enough support, holding on to the wrong assumptions, or underestimating how big a cultural shift is needed to make changes last.

Such big projects rarely succeed without full backing from the top, so one mistake CISOs can make is not confirming an explicit commitment to trust and support from the CEO, the CFO, and the COO of their organization. “The people who control the vision, purse strings, and operations of the organization are the champions a CISO will need when restructuring begins to inevitably and necessarily change the processes and behaviors of everyone across that organization,” Bird says.

Another common misstep, he adds, is “believing that they can will a restructuring into existence.” In reality, without strong soft skills to negotiate with leadership and rally employees behind the effort, even the best-laid plans risk falling flat.

Soft skills also help CISOs identify the right people to work with, and they should be open about the knowledge, attitudes, and adaptability they’re looking for. One mistake, though, is only hiring people with big-company experience, which can limit fresh perspectives and agility. Diverse backgrounds, whether from startups, the public sector, or unconventional career paths, can bring new problem-solving approaches that established corporate veterans might overlook. And these employees should be treated fairly. “A tenured team without raises for several years can signal that the company is not really invested in security,” says Nick Muy, CISO at Scrut Automation. The lack of investment often pairs with unrealistic expectations for the team and questionable calls on how resources are allocated. “If the attitude is to in-house everything, that’s rarely practical for most mid-sized firms,” Muy adds. “Direct in-house resources where you need them most and leverage outsourcing or tools for the rest.”

Other common missteps in a restructuring involve tools and technology. “CISOs must avoid three key pitfalls,” says Benslimane. “Underestimating the impact of AI-powered threats, relying on static, legacy tools, and mismanaging expectations around new technologies like AI.” His suggestion is to embrace cloud-native infrastructure and bring in talent with the skills to harness AI.

Problems can also surface when CISOs focus too much on enabling the business, which often means that security takes a hit. “This can sometimes lead to a compromise between implementing robust security requirements and the company taking on more risk,” says Chad Thunberg, CISO at Yubico. “Sometimes it is important to slow down and reassess a situation or a decision to make sure the focus is on the right areas at the right time.”

In many ways, rebuilding a security program is more challenging than creating it from scratch. This is why CISOs can face intense pressure to deliver results despite the limited resources they have at their disposal, which can often lead to sleepless nights. “When a CISO embarks on this kind of crusade, they often fail to account for the toll it will take on their relationships with their family, friends, and community,” Bird says. “Forgetting about taking care of emotional, physical, and interpersonal balance usually means the restructuring fails and swallows up all of those personal components in the blast radius as well.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4063708/how-to-restructure-a-security-program.html