Closing the siloed security gap with cybersecurity program management
Posted by: GuidePoint Security
Published 11/2/2021, 9:00am
Many of the high-profile (and not-so-high-profile) attacks of the last year have one thing in common: these attacks thrived in an environment where siloed security reigned.
What is siloed security?
Businesses have been dealing with cybercrime for years now, with varying degrees of success, using tools and technologies designed for specific purposes, such as endpoint detection. Often there is no connection point between these tools to enable a deeper understanding of threats beyond the specific context of the tool’s original design. Additionally, traditional security tools only offer a point-in-time snapshot of threats and provide no ongoing visibility into the constant dangers that exist in today’s cyber environment. Due to the rapid pace of threat evolution, siloed security solutions implemented as little as five years ago may already be outdated. In essence, traditional security tools and technologies operate in isolation, cut off from each other and from more advanced security solutions.
How the cybersecurity skills gap contributes to the siloed security challenges
Adding to the siloed security woes is the cybersecurity skills gap—that is, the fact that too few skilled and experienced cybersecurity professionals exist to fill the vast number of positions available.
Many companies today understand that they need more robust security solutions, and that includes better-staffed teams. Often, though, finding experienced, skilled professionals to do the job becomes a significant challenge. Researchers estimate that there are roughly three million more cybersecurity jobs worldwide than there are trained experts available to staff them. Even if an organization happens to luck out and find a person with the right skill set, high salaries in the field of cybersecurity make hiring an experienced practitioner out of reach for many organizations.
Organizations that operate with minimal or no cybersecurity expertise in siloed environments, using disparate and disconnected security systems, are threat magnets. In fact, ransomware operators and other cybercriminals view this type of scenario as the ideal setting to launch an attack.
In the end…you don’t know what you don’t know—and that creates significant risk.
With so much information on security tools and solutions, and with a limited number of skilled experts available to consult, it is understandable that businesses may not comprehend their own level of security maturity and business risk or whether they are vulnerable to attack.
The old phrase “you don’t know what you don’t know” really is applicable here. Because technology changes almost daily, it can be hard for businesses to know whether the right security tools are in place and the extent to which one security tool helps or hinders another security tool.
Unfortunately, this knowledge gap significantly increases the risk that a business will be targeted by a ransomware attack or another type of threat. And when that happens, it is highly unlikely that the existing, siloed security tools and solutions are going to be able to stop it.
How cybersecurity program management helps combat silos and skills gaps
The idea behind cybersecurity program management is to help businesses assess their overall security maturity and business risks, prioritize any security gaps, and build a roadmap for improved prevention, protection, detection, and response. It takes security out of its silos and leverages expertise across a wide range of cybersecurity disciplines, such as application security, governance, risk, compliance, vulnerability management, identity and access management, and cloud security. This approach helps businesses understand, build, implement, manage, and maintain a truly comprehensive security approach that focuses on reducing business risk.
A good cybersecurity program management approach also doesn’t focus on selling a business more unnecessary tools and solutions. Sometimes all an organization needs to improve its overall security maturity and reduce business risk is an analysis of its current security profile, along with advice and consultation on how to better use and integrate the security tools it already has.
Understanding your level of security maturity is the first step
Deciding whether it makes sense to apply a cybersecurity program management approach really comes down to whether a business knows its security maturity level. To assess your business’s level of security maturity, we encourage you to take our new security assessment questionnaire, which explores the extent of your current security program, which cybersecurity practice areas are covered, your experiences hiring cybersecurity talent, and how you would rate the overall level of your security program.