CISO Compass: What is your security velocity?

We have all experienced the unprecedented pace of technological change spurred by the COVID-19 pandemic. Everything from videoconferencing, to remote access, to Washingtonians' expectations for online services has changed dramatically. The velocity at which this transformation is occurring, if anything, will likely increase.

Which brings me to my question for today: Are the organizations undergoing technological transformation - particularly with the move to cloud services - also keeping pace on the security front?

In other words, what is your security velocity?

A core principle for organizations should always be to closely align business, technology and security. An analogy I like to use is that if business is the body, then technology is the circulatory system and security is the immune system. All three are interconnected and need to be in sync.

There is more to it than principle. Threat actors thrive on change. They observe the transformation taking place in organizations, do reconnaissance and then develop tactics to exploit new attack vectors.

The Washington state Legislature recently passed a law, Senate Bill 5432, that I believe incorporates this important principle, stating in part: (7)(a) "Each state agency information technology security program must provide ... the agency's cybersecurity business needs and agency program metrics."

Reflecting on my earlier question (What is your security velocity?), let's do a litmus test.

Looking back at the past two years for your organization:

  • List three major business changes or decisions.
  • List three major technology transformation initiatives.
  • List three security initiatives.

Here's the litmus test: Did your security initiatives position your organization to enable the business and technology change that was implemented?

If your answer is "YES," you get a standing ovation. Continue your journey and please share your strategy. If your answer is "NO," you are not alone. Many organizations are in the same boat.

We need a paradigm shift that changes the conversation from "how" security is protecting to "how well" it is protecting. Doing this can help business leaders understand what is truly required for their organization.

I welcome your thoughts and ideas and look forward to our continuing partnership to serve this great state. Thank you for all that you are doing.

Vinod Brahmapuram
State Chief Information Security Officer