Cybersecurity: Is it mature enough to protect our increasing digital attack surface?

Both businesses and consumers should understand the threat. What are we doing to solve the problem? Here's a Jobs-to-be-Done view.

What’s inside? A complete Jobs-to-be-Done research catalog that frames one of the jobs of a Chief Information Security Officer (CISO). It includes steps, success statements, situations, contexts, use cases, related jobs, success statements for related job, emotional jobs, social jobs, and more

Cybersecurity is a serious challenge. We’ve moved swiftly into a world where we operate our lives while trusting that our money, IP, and personal information is safe and sound. But is it?

In recent years, the landscape of cyber attacks has become increasingly complex and sophisticated, with threat actors employing advanced techniques to exploit vulnerabilities in both technology and human behavior. The success rate of these attacks has seen a steady rise, primarily due to the rapid proliferation of IoT devices, the emergence of 5G networks, and the growing dependency on cloud-based services. Attack vectors such as ransomware, phishing, and supply chain attacks continue to evolve, resulting in significant financial and reputational damage to organizations worldwide.

In response, cybersecurity professionals have been making strides in deploying AI-driven security solutions, enhancing threat intelligence sharing, and adopting zero-trust frameworks to minimize the attack surface. However, the constantly changing nature of cyber threats, coupled with a widening skills gap in the cybersecurity industry, makes it imperative for businesses, governments, and individuals to remain vigilant and proactive in their efforts to combat these digital adversaries.

---

Cybersecurity experts purchase solutions to fill gaps, resolve the impact of attacks, train their teams, etc. But do they really get the entire job done? And does the solution of the future really look like a wall? Let me paint you a picture:

One way to improve the interior of a home is to paint the walls with colors and/or textures that you find appealing at the time you selected them. The quality might be controlled by making the paint adhere to more types of surfaces. Conversely, the substrate might designed to allow inferior paints to adhere better. The latter is not necessarily a the focus of the paint manufacturing industry.

But what if consumers demanded to have a decorative touch in their homes that appealed to them in the moment? Much like the way we can now find music on demand, what if we wanted ambience on demand that went beyond smart light bulbs?

Let’s carry this forward to cybersecurity and consider what solution might look like that doesn’t require firewalls as we know them today, or the experienced staff that we need to have today? What if an attacker had no way of knowing where the data was, or could only find parts of it but not the rest of it? What if the data itself could become so obscured that it was nearly impossible to tamper with it, intercept, or retrieve it?

Essentially, what if we shifted the focus from the fortress, to the data itself? One has to wonder. Perhaps that’s a longer-term consideration.

In the shorter-term, the most attainable solution might be reducing the struggle stack by designing a platform that gets the whole job done by automating away all of the current solutions we cobble together. There is more to cybersecurity than an electronic countermeasure and the model I’m sharing today demonstrates that. So you can look at it as…

1. Data points that show innovators where to consolidate and integrate current solutions

2. Data points that show disruptors what to abstract themselves completely from current solutions by designing a solution space that does things differently, and has far fewer features (people, processes, technology).

Note: this model is verbose. You will never be able to field a single survey that utilizes everything that is in it. I have not reviewed this for quality or scope because that’s your job! My bias is real, just as yours is, so I’ll let you have it raw.

A Chief Information Security Officer Protecting the Organization’s Digital Assets

The following is the result of qualitative research using a Jobs-to-be-Done approach and several months of AI prompt engineering and refinement. The purpose of this is to support deeper qualitative analysis in an accelerated fashion, as well as to build a model that supports much deeper quantitative research. While this is a work product in the overall framework, it is not what I consider to be a deliverable. And since it comes pre-baked, I guess you can consider it to be an accelerator.

Why am I not including a job map? Once again, this catalog needs to be scoped before doing anything like that, and frankly, they are of limited value.

Here’s a link to the Notion.so catalog

Core Job

In this section we establish a portfolio of steps that frame the Job-to-be-Done. Each step has it’s own set of customer success statements. These can be used in a survey to establish priority and how that is differentiated between different groups within the respondent population. I get into that more in other blog posts. Consider this as content only.

1. Establish security goals - The ability to quickly and accurately identify the specific security objectives and outcomes that the organization aims to achieve, considering the context of cyber-security. This includes safeguarding digital assets, maintaining privacy, and ensuring compliance with relevant regulations.

   1. Align security goals with the organization's overall objectives

   2. Identify critical digital assets requiring the highest level of protection, e.g., sensitive customer data, intellectual property, etc.

   3. Ensure the security goals are comprehensive, addressing all relevant aspects of information security

   4. Develop measurable and achievable security objectives that can be tracked and reported on

   5. Avoid setting overly complex or unrealistic security goals that may lead to confusion or ineffective implementation

   6. Keep the security goals up to date with the evolving threat landscape and industry best practices

   7. Prioritize the security goals based on the level of risk and potential impact on the organization

   8. Communicate the security goals clearly and effectively to all relevant stakeholders

   9. Engage the necessary resources and expertise to achieve the security goals, e.g., skilled personnel, budget, technology, etc.

   10. Foster a security-conscious culture within the organization to support the security goals

   11. Mitigate the risk of goal misalignment that could compromise the effectiveness of security measures

   12. Prevent the neglect of certain security areas due to an excessive focus on specific goals

   13. Avert potential regulatory non-compliance that could result in penalties or damage to the organization's reputation

   14. Anticipate and address potential obstacles that may hinder the achievement of the security goals

2. Identify digital assets - The ability to quickly and accurately catalog and categorize all digital assets within the organization, such as sensitive data, intellectual property, and critical systems, to better understand what needs to be protected and to prioritize security efforts accordingly.

   1. Create an inventory of all digital assets within the organization, e.g., software applications, databases, files, etc.

   2. Categorize digital assets based on their sensitivity and importance to the organization

   3. Determine the ownership and responsibility for each digital asset, e.g., department, team, or individual

   4. Identify the location and storage of digital assets, e.g., on-premises servers, cloud storage, third-party systems, etc.

   5. Recognize digital assets with regulatory or compliance requirements, e.g., personal data, financial records, etc.

   6. Avoid overlooking digital assets that may be hidden or embedded within other systems or applications

   7. Update the digital asset inventory regularly to ensure accuracy and completeness

   8. Keep track of digital assets throughout their lifecycle, from creation to disposal

   9. Prevent unauthorized access to sensitive digital assets by implementing appropriate access controls

   10. Prioritize the protection of digital assets with the highest value and potential risk to the organization

   11. Avert potential data leaks or breaches due to unidentified or unsecured digital assets

   12. Minimize the likelihood of duplication or redundancy in digital asset management

   13. Anticipate changes in the organization's digital landscape that could affect the relevance or priority of certain digital assets

3. Determine risk appetite - The ability to quickly and accurately assess and establish the organization's tolerance for risk, including the acceptable level of potential loss or damage to digital assets, in order to guide decision-making around security investments and strategies.

   1. Align risk appetite with the organization's strategic objectives and priorities

   2. Consult with key stakeholders to gather input on acceptable levels of risk, e.g., executive management, board members, etc.

   3. Establish a risk appetite framework that clearly defines the organization's tolerance for risk in different areas, e.g., financial, operational, reputational, etc.

   4. Ensure risk appetite is consistent with the organization's culture and values

   5. Avoid setting an overly restrictive or excessively high risk appetite that may hinder innovation or growth

   6. Communicate the risk appetite clearly to all relevant stakeholders within the organization

   7. Update the risk appetite as needed to reflect changes in the organization's objectives, risk landscape, or external factors

   8. Prevent potential misalignment between risk appetite and actual risk-taking activities

   9. Monitor and report on the organization's risk exposure in relation to the established risk appetite

   10. Avert potential regulatory or compliance issues due to risk-taking activities that exceed the organization's risk appetite

   11. Mitigate the risk of financial loss, reputational damage, or operational disruptions resulting from a misaligned risk appetite

   12. Foster a culture of risk awareness and informed decision-making within the organization

   13. Anticipate changes in the risk environment that could necessitate adjustments to the risk appetite

4. Define roles and responsibilities - The ability to quickly and accurately outline the specific duties, tasks, and accountabilities of different stakeholders involved in protecting the organization's digital assets, ensuring clear communication and collaboration between individuals and teams.

   1. Identify all relevant stakeholders involved in the protection of digital assets, e.g., IT department, business units, management, etc.

   2. Assign clear and specific roles and responsibilities to each stakeholder based on their expertise and function within the organization

   3. Establish accountability for the management, protection, and monitoring of digital assets

   4. Ensure all stakeholders understand their roles and responsibilities, as well as those of others within the organization

   5. Develop a reporting structure that facilitates effective communication and escalation of security-related matters

   6. Avoid overlapping or conflicting roles and responsibilities that may cause confusion or hinder effective collaboration

   7. Regularly review and update roles and responsibilities to reflect changes in the organization, personnel, or security landscape

   8. Implement appropriate training and development programs to equip stakeholders with the necessary skills and knowledge to fulfill their responsibilities

   9. Foster a culture of shared responsibility for security across the organization

   10. Avert potential gaps in security coverage due to unassigned or unclear roles and responsibilities

   11. Mitigate the risk of ineffective security measures resulting from miscommunication or lack of coordination among stakeholders

   12. Prevent unauthorized access or actions by defining appropriate access levels and permissions for different roles

   13. Anticipate future organizational changes or growth that may require adjustments to roles and responsibilities