At just over seven months into 2024, I've noticed a change in organizational currents, creating headaches for cyber teams as well as opportunities for new start-ups. A bevy of acquisitions in the cyber space didn't help my fellow InfoSec pros, and then there was the recent worldwide outage caused by a cyber tool.

What should we make of all this?

First off, let's take a breath and remember that the basic tenets of a solid cyber program have not changed much. We may have new tools thrown at us, using recycled technologies and marketing buzzwords meant to confuse and frighten us and our leaders. But in the end, there is one simple truth and one question you need to answer:

Your data needs protecting. So, how much friction can be added to appropriately protect it?

Whatever we are called today, cybersecurity or information security, each of us — from the analyst to the CISO — needs to do what we know is right. Cyber is a lonely job and we are often seen as blockers, but we are the last line of protection. When everyone else is trying to make data available to the world as fast as possible, we must be the voice of reason ensuring access is measured, appropriate, time-bound, observed and secured. Do not chase the latest tool; you cannot solve a process problem with technology.

Discussions with cyber teams and executives are always a story of shared pain. I lived in that world for over 20 years and all I can say is, "IYKYK." Cyber teams have always played second fiddle to other teams and enough is enough. We are the ones held responsible during cyber events and we should remember that when we sign off on concessions, approve non-compliant architectures and let things go just to not be "the blocker."

A 2024 survey by ISC2 uncovered that organizations around the globe are hiring attorneys to deal with governance, risk and compliance (GRC) issues instead of cyber professionals, representing a shift from "protect and defend" to "expect and litigate." Cyber apathy is sweeping the enterprise. As both a cyber professional and a consumer with my data out in the world, that is unacceptable. Do NOT let the tail wag the dog any longer.

I am making a generalization here, but you, as a cyber professional, have typically worked in more areas of IT. You have built, architected and/or maintained a majority of the critical infrastructure in your enterprise and now, more than ever, your expertise is needed to secure it. 

Wherever your organization stores data, create a security onion around those locations and work outward. You may have multiple onions to fit the class of data and the location (on-prem, private cloud, public cloud), and that is OK. Be confident in your approach and consolidate tools where appropriate, but do not go all-in on a platform just to meet an arbitrary directive. Psst, board members, you should know by now those directives are not good for business.

If you get pushback on multiple tools, do not defend your choice. Instead, educate those around you as the cyber expert you are. Make them defend their reasoning. With the right operating model and framework, supporting a toolset is just as efficient as supporting a platform, but with telemetry tailored to the use case.

Don't be a blocker just to be one. You know how to appropriately apply security principles, so stand your ground. You know where the line is; don't let someone push your principles past it. There is strength in numbers. You will gather an army when you run your approach past your peers.

"If you don't, give me a call. I'll fly with you."