Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home IAMblog Security Vulnerabilities Can We Stop Reacting and Start Anticipating?

Can We Stop Reacting and Start Anticipating?

Can we stop just reacting to security challenges? Can organizations shift their focus so that they anticipate them instead?

This week the New York Times posted an article about the role of the CISO and the challenges they face, including sense of inevitability that when a breach happens the blame will fall on them. Quoted in the article: “We’re like sheep waiting to be slaughtered,” said David Jordan, the chief information security officer for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach. This job is not for the fainthearted.” More and more organizations are adding executives whose focus is security, but the author suggests that while talented and dedicated, a part of this role is simply to bear the burden of blame when a breach inevitably happens. Security professionals know that it's a "cat and mouse game" and that staying one step ahead, meeting requirements (regulatory or organizational), and being prepared to react, is the current recipe for success.

But this article, which also appeared this week, makes a compelling point - one that could transform roles like those described in the NYT article, and ultimately, the extent to which organizations succeed with security and with other areas of the business. Viewing being effective at anticipating what will happen - and internalizing that as an organizational value - as a core goal and guiding principle may create a culture and environment where CISOs are not simply waiting for the one big breach they don't see coming, but where the focus becomes their ability and vision when it comes to seeing what is coming, instead of assigning blame to them when a breach happens. For security specifically, this has some really compelling implications. Not every attack can be anticipated, but trends that pertain to end user behavior, adoption, and interactions, can be identified and understood. That's the time for action - not directly after a breach. Effort and time can be devoted to strengthening technology that secures an anticipatory organization, which will lead to fewer breaches, and hopefully decrease the amount of "reacting" the company does as a whole. This can happen when organizations are committed to fostering an environment where talented leaders are encouraged to anticipate, instead of to react.