Cybersecurity: Is it mature enough to protect our increasing digital attack surface?
Both businesses and consumers should understand the threat. What are we doing to solve the problem? Here's a Jobs-to-be-Done view.
What’s inside? A complete Jobs-to-be-Done research catalog that frames one of the jobs of a Chief Information Security Officer (CISO). It includes steps, success statements, situations, contexts, use cases, related jobs, success statements for related jobs, emotional jobs, social jobs, and more.
Cybersecurity is a serious challenge. We’ve moved swiftly into a world where we operate our lives while trusting that our money, IP, and personal information are safe and sound. But are they?
In recent years, the landscape of cyber attacks has become increasingly complex and sophisticated, with threat actors employing advanced techniques to exploit vulnerabilities in both technology and human behavior. The success rate of these attacks has seen a steady rise, primarily due to the rapid proliferation of IoT devices, the emergence of 5G networks, and the growing dependency on cloud-based services. Attack vectors such as ransomware, phishing, and supply chain attacks continue to evolve, resulting in significant financial and reputational damage to organizations worldwide.
In response, cybersecurity professionals have been making strides in deploying AI-driven security solutions, enhancing threat intelligence sharing, and adopting zero-trust frameworks to minimize the attack surface. However, the constantly changing nature of cyber threats, coupled with a widening skills gap in the cybersecurity industry, makes it imperative for businesses, governments, and individuals to remain vigilant and proactive in their efforts to combat these digital adversaries.
Cybersecurity experts purchase solutions to fill gaps, resolve the impact of attacks, train their teams, etc. But do they really get the entire job done? And does the solution of the future really look like a wall? Let me paint you a picture:
One way to improve the interior of a home is to paint the walls with colors and/or textures that you find appealing at the time you select them. Quality might be controlled by making the paint adhere to more types of surfaces. Conversely, the substrate might be designed to allow inferior paints to adhere better. The latter is not necessarily the focus of the paint manufacturing industry.
But what if consumers demanded to have a decorative touch in their homes that appealed to them in the moment? Much like the way we can now find music on demand, what if we wanted ambience on demand that went beyond smart light bulbs?
Let’s carry this forward to cybersecurity and consider what a solution might look like that doesn’t require firewalls as we know them today, or the experienced staff we need to have today. What if an attacker had no way of knowing where the data was, or could only find parts of it but not the rest? What if the data itself could become so obscured that it was nearly impossible to tamper with, intercept, or retrieve?
Essentially, what if we shifted the focus from the fortress to the data itself? One has to wonder. Perhaps that’s a longer-term consideration.
In the shorter term, the most attainable solution might be reducing the struggle stack by designing a platform that gets the whole job done by automating away all of the current solutions we cobble together. There is more to cybersecurity than an electronic countermeasure, and the model I’m sharing today demonstrates that. So you can look at it as…
Data points that show innovators where to consolidate and integrate current solutions
Data points that show disruptors how to abstract themselves completely from current solutions by designing a solution space that does things differently and has far fewer features (people, processes, technology).
Note: this model is verbose. You will never be able to field a single survey that utilizes everything that is in it. I have not reviewed this for quality or scope because that’s your job! My bias is real, just as yours is, so I’ll let you have it raw.
A Chief Information Security Officer Protecting the Organization’s Digital Assets
The following is the result of qualitative research using a Jobs-to-be-Done approach and several months of AI prompt engineering and refinement. The purpose of this is to support deeper qualitative analysis in an accelerated fashion, as well as to build a model that supports much deeper quantitative research. While this is a work product in the overall framework, it is not what I consider to be a deliverable. And since it comes pre-baked, I guess you can consider it to be an accelerator.
Why am I not including a job map? Once again, this catalog needs to be scoped before doing anything like that, and frankly, they are of limited value.
Here’s a link to the Notion.so catalog
Core Job
In this section we establish a portfolio of steps that frame the Job-to-be-Done. Each step has its own set of customer success statements. These can be used in a survey to establish priority and how that priority differs between groups within the respondent population. I get into that more in other blog posts. Consider this as content only.
Establish security goals - The ability to quickly and accurately identify the specific security objectives and outcomes that the organization aims to achieve, considering the context of cybersecurity. This includes safeguarding digital assets, maintaining privacy, and ensuring compliance with relevant regulations.
Align security goals with the organization's overall objectives
Identify critical digital assets requiring the highest level of protection, e.g., sensitive customer data, intellectual property, etc.
Ensure the security goals are comprehensive, addressing all relevant aspects of information security
Develop measurable and achievable security objectives that can be tracked and reported on
Avoid setting overly complex or unrealistic security goals that may lead to confusion or ineffective implementation
Keep the security goals up to date with the evolving threat landscape and industry best practices
Prioritize the security goals based on the level of risk and potential impact on the organization
Communicate the security goals clearly and effectively to all relevant stakeholders
Engage the necessary resources and expertise to achieve the security goals, e.g., skilled personnel, budget, technology, etc.
Foster a security-conscious culture within the organization to support the security goals
Mitigate the risk of goal misalignment that could compromise the effectiveness of security measures
Prevent the neglect of certain security areas due to an excessive focus on specific goals
Avert potential regulatory non-compliance that could result in penalties or damage to the organization's reputation
Anticipate and address potential obstacles that may hinder the achievement of the security goals
Identify digital assets - The ability to quickly and accurately catalog and categorize all digital assets within the organization, such as sensitive data, intellectual property, and critical systems, to better understand what needs to be protected and to prioritize security efforts accordingly.
Create an inventory of all digital assets within the organization, e.g., software applications, databases, files, etc.
Categorize digital assets based on their sensitivity and importance to the organization
Determine the ownership and responsibility for each digital asset, e.g., department, team, or individual
Identify the location and storage of digital assets, e.g., on-premises servers, cloud storage, third-party systems, etc.
Recognize digital assets with regulatory or compliance requirements, e.g., personal data, financial records, etc.
Avoid overlooking digital assets that may be hidden or embedded within other systems or applications
Update the digital asset inventory regularly to ensure accuracy and completeness
Keep track of digital assets throughout their lifecycle, from creation to disposal
Prevent unauthorized access to sensitive digital assets by implementing appropriate access controls
Prioritize the protection of digital assets with the highest value and potential risk to the organization
Avert potential data leaks or breaches due to unidentified or unsecured digital assets
Minimize the likelihood of duplication or redundancy in digital asset management
Anticipate changes in the organization's digital landscape that could affect the relevance or priority of certain digital assets
Determine risk appetite - The ability to quickly and accurately assess and establish the organization's tolerance for risk, including the acceptable level of potential loss or damage to digital assets, in order to guide decision-making around security investments and strategies.
Align risk appetite with the organization's strategic objectives and priorities
Consult with key stakeholders to gather input on acceptable levels of risk, e.g., executive management, board members, etc.
Establish a risk appetite framework that clearly defines the organization's tolerance for risk in different areas, e.g., financial, operational, reputational, etc.
Ensure risk appetite is consistent with the organization's culture and values
Avoid setting an overly restrictive or excessively high risk appetite that may hinder innovation or growth
Communicate the risk appetite clearly to all relevant stakeholders within the organization
Update the risk appetite as needed to reflect changes in the organization's objectives, risk landscape, or external factors
Prevent potential misalignment between risk appetite and actual risk-taking activities
Monitor and report on the organization's risk exposure in relation to the established risk appetite
Avert potential regulatory or compliance issues due to risk-taking activities that exceed the organization's risk appetite
Mitigate the risk of financial loss, reputational damage, or operational disruptions resulting from a misaligned risk appetite
Foster a culture of risk awareness and informed decision-making within the organization
Anticipate changes in the risk environment that could necessitate adjustments to the risk appetite
Define roles and responsibilities - The ability to quickly and accurately outline the specific duties, tasks, and accountabilities of different stakeholders involved in protecting the organization's digital assets, ensuring clear communication and collaboration between individuals and teams.
Identify all relevant stakeholders involved in the protection of digital assets, e.g., IT department, business units, management, etc.
Assign clear and specific roles and responsibilities to each stakeholder based on their expertise and function within the organization
Establish accountability for the management, protection, and monitoring of digital assets
Ensure all stakeholders understand their roles and responsibilities, as well as those of others within the organization
Develop a reporting structure that facilitates effective communication and escalation of security-related matters
Avoid overlapping or conflicting roles and responsibilities that may cause confusion or hinder effective collaboration
Regularly review and update roles and responsibilities to reflect changes in the organization, personnel, or security landscape
Implement appropriate training and development programs to equip stakeholders with the necessary skills and knowledge to fulfill their responsibilities
Foster a culture of shared responsibility for security across the organization
Avert potential gaps in security coverage due to unassigned or unclear roles and responsibilities
Mitigate the risk of ineffective security measures resulting from miscommunication or lack of coordination among stakeholders
Prevent unauthorized access or actions by defining appropriate access levels and permissions for different roles
Anticipate future organizational changes or growth that may require adjustments to roles and responsibilities