Security professionals have to wear many hats, and on any given day, may be asked to do any number of different things.
To avoid a mad, chaotic dash to get it all done, the industry is looking toward a more structured and programmatic way of accomplishing things.
speaks with Nathan Wenzler, Chief Security Strategist at Tenable
- The past two years in cybersecurity
- Three levels of security strategy
- How the framework improves decision-making
The last two years …
The last two years have been really difficult for a lot of organizations. Most have had to navigate the sudden onset of remote work and drastic changes in the way they cater to customers.
Initially, executives did what they had to do to keep their companies afloat. Now, as the dust has settled, many are taking a step back to ask an important question—what’s the best way to deal with risk now that we’re here?
Three levels of security strategy
Security teams are in a unique position when it comes to mitigating risks. They maintain responsibility for a wide variety of different functions.
Because of that, their day-to-day work can easily devolve into a mad dash to get everything done all at once.
This framework, provided by Tenable, helps them avoid that.
First level: C-Level
This level of decision-making includes two pieces.
- The business needs to be fed relevant information to make better decisions about where to spend resources and how to incorporate better security practices.
- The CISO needs enough relevant information so they can make better decisions about how and where to focus efforts.
This level is largely about translation and ensuring that security goals and business goals are aligned.
Second level: Strategic
This level can be tricky in many organizations because it can be unclear whose role it is. In general, this layer sits alongside mid-level management and directors.
At this level, people should aim to identify places where the security program can be optimized and where security goals can be accomplished more effectively.
Conversely, this level also identifies where things are going right so they can be replicated across the organization.
Third level: Tactical
Despite the title, this level is not simply about rote execution. It’s also about validating that tactics are working.
When people at this level see the results they validate get fed back up the chain, they can see that their decisions directly correlate with business results.
Using this framework encourages people to make better decisions because each individual understands what they’re there to solve and how it relates to the entire apparatus. It also makes it easier to communicate decisions to non-security teams.
For more information, reach out to Cole Bauer (email@example.com