Troy Mattern

Cybersecurity at the Core

For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail.

Leaders around the globe are not naive regarding the impact cyberattacks have on a business. From affecting the bottom line to losing your customers' trust, recovering from a cyberattack isn't easy. When an organization succumbs to an attack, nearly every business unit is affected, costing the business, on average, $3.86 million. While most CSOs and CISOs want to be the ones to prevent and fix this, they must realize they can't take this on alone. There is a strong argument to be made that cybersecurity needs to go beyond the CSOs, CISOs, and their teams. Security needs to be a companywide effort and embraced as part of the company's core culture.

Most have heard the saying "Culture eats strategy for breakfast," and CISOs around the world know how true it is. The adage carries over to the security world in a basic way. Any security strategy or plan you're trying to implement will be held back by the people you depend on if the culture does not support it.

Today, many companies are struggling to embrace a culture of security. Only 5% of organizations believe that no gap exists between their current cybersecurity culture and their desired cybersecurity culture, according to a recent survey put out by ISACA. This means that a whopping 95% of organizations see a disconnect between the culture they have and the culture they want. So, what can businesses do?

Accept That Your Security Team Can't Do It Alone
One of the challenges in cybersecurity is that most organizations take the approach of having one security team and thinking that one team can address all cybersecurity threats and needs. In reality, cybersecurity goes far beyond just the security team. Products and corporate assets are never "owned" by the cybersecurity team, and those who do own them likely have very different objectives than the security team.

Security needs to become something that all departments think about. That doesn't mean sales or engineers need to become technical experts in security, but they do need to start bridging the gap by asking questions, understanding the risks, and knowing how they fit into the solution. In fact, that is what must happen if we want to succeed.

Establish Relationships with Different Business Units
Security leaders will always be the biggest cheerleaders for cybersecurity, but when other departments openly embrace it, their teams will follow. Security teams must enlist the support of departments including human resources, communications, marketing, product development, legal, and more. While not all will sign on, most reasonable leaders will recognize how doing so helps the company achieve its objectives.

Spend time talking to the different department leaders to find where your interests align and how you can work together for mutual benefit. For example, product quality and security are often viewed and measured as two different elements owned by two separate departments. However, customers don't see it that way. If a product is high in quality but lacks security, it ultimately isn't a high-quality product.

Likewise, customer privacy can't exist without security, and a sales team that can't speak to the security of its products can't understand and help manage customer risk. Businesses need to start making those types of connections, and it will happen more naturally when cybersecurity is ingrained in the culture.

Get Buy-in from the C-Suite
Studies show that top executives and boards of directors see cybersecurity as a top issue facing companies. The question is: Are leaders taking action or expecting their CISO to fix the problem? We've found the answer requires both. In another role, we were able to get the C-suite to establish security goals as part of their annual objectives. These goals were ones that the C-suite, not just the CISOs, were measured against. That was a successful cultural change.

It's time that we recognize security for what it is: a business and leadership concern. Executives must prioritize security in the same way they do all other business risks. They must recognize that not all the actions to address the risk will begin with the CISO. In fact, they are likely to find most do not. The CISO needs to develop the strategy, guide and advise throughout the process, provide measures, teach, and coach, but the CISO can help the most by accepting that they cannot be the one who does it all, regardless of the size of the team. Without leadership from the top, cybersecurity will remain siloed and viewed as a specialized technical issue rather than the cultural one it is.

For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail. Cybersecurity needs to be a part of the culture, and security needs to be at the core of the company, led by executives. It's no longer good enough for the security department to be the last stop on a checklist of things to do — we need a team approach instead.

Troy Mattern is the Vice President for Product and Services Cybersecurity at Motorola Solutions. Having joined Motorola Solutions in June 2017, he leads all policy, strategy, and prioritization for cybersecurity efforts pertaining to Motorola Solutions Products and Services. ...

User Rank: Author
11/26/2018 | 12:54:09 PM
Re: Why CYBER security?
I've heard the "Cybersecurity" vs. "Information Security" debate and know some people think there is real value in sorting it out. However, I don't think this is where we should be spending time. I tend to fall into the camp that thinks the train has left the station on this. Why? Because our Boards and the C-Suites are hearing "Cyber" and that is what has them concerned. From regulatory bodies to news articles and their own peers, it is "cyber" they are being bombarded with. Therefore, I tend to think there is more value in using that term than in trying to get them, or our community, to use another one. That said, if "information security" works for your C-suite, run with it. Where I think the danger comes is when experts paint the issue as a technical one only, or when they allow the belief that only the security team can or should address it. The security team should be the source of the strategy, but that strategy should be looking at what the whole organization needs to do, not just those who work for the CISO.

I am a strong believer in transparency and making it clear what the security team can and should do, but also what we can't do and where the rest of the organization needs to help if we are to succeed. When we are able to show those limitations, then I think it becomes easier to address the "cyber = technology = I don't understand it = someone else's problem" mindset. That is why I like painting this as risk management. In most, though certainly not all, organizations, when a corporate risk is identified and the treatment plan is agreed to, there are actions in that plan which end up being the responsibility of teams across the business to deliver. Example: If there is a regulatory risk about the disposal of certain wastes, then product production, procurement, facilities, and the compliance team are all involved in the treatment plan for that risk. Businesses get that, yet too often in cyber, or information security, it falls exclusively on the security team. Sometimes that is the business failing to understand the team sport we are playing; sometimes it is the security leadership thinking they have to do it by themselves. Regardless of the reason, if we don't change, we will fail.

What's more, in many cases the security program will cost less and will be more effective when the treatment plan involves more than just the security team. Often, security teams try to compensate with more staff or technology when partnerships are more effective. I've kept my own team relatively small by the standards of most companies our size, but in partnering across the business with champions who are organic to other teams, I have more than 4X as many security representatives, and growing, in various departments than in my own team. The best part is that many of those are in the teams that actually do own the assets that affect our risk. Those champions are the only way we could have effectively scaled, helped influence local culture, and continued to drive the behaviors we decided as a company we want. However, without buy-in from across the business segments, we could never have implemented such a large champion program, and it would have taken us much longer at much greater cost to have impact. I also doubt that impact would have been as meaningful.
User Rank: Strategist
11/21/2018 | 3:46:54 AM
Why CYBER security?
Surely part of the problem stems from the name. To many (most?) people outside of our bubble cyber=technology=I don't understand it=someone else's problem.

As someone said on another post, "cyber" scores lots of ninja points, but I'm unconvinced moving to cyber security from information security actually moved our cause along very far, although I'm sure it's resulted in many more sales of shiny things.