Page 196 - Cyber Defense eMagazine March 2024

jettisoned in favor of a new model that flips the paradigm, acknowledging that the pace of business
shouldn't be slowed, but that cybersecurity must be sped up!



Removing Barriers

Traditional cybersecurity thinking creates a heavily guarded road with speed bumps, stop lights, and
guarded checkpoints to protect organizations from risk. Every new initiative or innovative project must
run this gauntlet to expose potential threats and ferret out uncertainty, inevitably leading to significant
delays. This "security first mentality" is fraught with bad friction and inadvertently creates a culture of
inhibition where the fear of potential threats overshadows the potential benefits of innovation. As
businesses today need to be agile and innovative to stay competitive, this model is increasingly
untenable.

Now imagine pulling those barriers off the road, turning them 90 degrees, and lining them up as guardrails
to clearly mark the approved path. Expressed as a vision: transform 42nd Street in Manhattan into the
Autobahn. Expressed in ASCII: turn these | | | | into these = = = =. Unlike the bad friction of roadblocks
and barriers, guardrails don't aim to stop movement but to guide it safely and efficiently forward. This
approach encourages a culture of security mindfulness where everyone understands the importance of
cybersecurity, is equipped to make decisions that balance innovation with risk, and is aligned with the
business's goals.



Building Guidelines and Guardrails

The essence of exchanging bad friction for good friction lies in transitioning from strict barriers and
controls to less prescriptive and restrictive guidelines and guardrails. Instead of requiring every decision
to go through a central security team for approval, organizations adopt a thoughtful, balanced framework
of decision-making. These guidelines and guardrails provide teams with the boundaries within which
they can operate safely. They are designed to be broad enough to allow for innovation and agility but
narrow enough to protect against significant risks.

For instance, a guideline might dictate that any new software development must undergo a security
review before being deployed, but it leaves the choice of technology and implementation strategy up to
the individual teams. A guardrail may monitor for software deployed with known vulnerabilities that
exceed risk appetite. This approach not only speeds up the development process but also empowers
teams to take ownership of their security practices.
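As an added illustration of the guideline/guardrail split described above (example code of my own, not from the article or its author), the check below treats the two differently: the guideline (a security review was recorded) only produces a warning, while the guardrail (a deployed component carrying a known vulnerability outside the written risk appetite, with no unexpired, documented exception) blocks the deployment. The component names, vulnerability identifiers, scores, dates and the RiskAppetite thresholds are all constructed placeholders, not real data.

```python
"""Guideline-vs-guardrail evaluation for a deployment (added example, assumptions noted).

Assumed inputs: each deployment carries an inventory of components whose known
vulnerabilities are already scored (CVSS base score plus a known-exploited flag),
and the organisation's risk appetite is written down as a small policy object.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Vulnerability:
    identifier: str            # constructed placeholder ids, not real CVE numbers
    cvss: float                # assumed CVSS base score, 0.0-10.0
    exploited_in_wild: bool = False


@dataclass
class Component:
    name: str
    version: str
    vulns: list[Vulnerability] = field(default_factory=list)


@dataclass
class Deployment:
    service: str
    reviewed: bool                       # was the guideline (security review) followed?
    components: list[Component]
    accepted: dict[str, date] = field(default_factory=dict)  # vuln id -> exception expiry


@dataclass
class RiskAppetite:
    max_cvss: float = 7.0                # scores at or above this are outside appetite
    block_known_exploited: bool = True   # actively exploited issues block regardless of score


@dataclass
class Verdict:
    allowed: bool
    blockers: list[str]
    warnings: list[str]


def evaluate(dep: Deployment, appetite: RiskAppetite, today: date) -> Verdict:
    """Apply the guideline (warn only) and the guardrail (block) to one deployment."""
    blockers: list[str] = []
    warnings: list[str] = []

    # Guideline: a missing review is surfaced to the team, but does not stop them.
    if not dep.reviewed:
        warnings.append(f"{dep.service}: no security review recorded (guideline)")

    # Guardrail: vulnerabilities outside appetite block unless a documented,
    # time-boxed exception is still valid. Expired exceptions do not count.
    for comp in dep.components:
        for v in comp.vulns:
            outside_appetite = v.cvss >= appetite.max_cvss or (
                appetite.block_known_exploited and v.exploited_in_wild
            )
            if not outside_appetite:
                continue
            expiry = dep.accepted.get(v.identifier)
            if expiry is not None and expiry >= today:
                warnings.append(f"{comp.name} {comp.version}: {v.identifier} accepted until {expiry}")
                continue
            blockers.append(f"{comp.name} {comp.version}: {v.identifier} cvss {v.cvss}")

    return Verdict(allowed=not blockers, blockers=blockers, warnings=warnings)


def sample_deployment() -> Deployment:
    """Constructed sample inventory (placeholder names, ids, scores and dates)."""
    return Deployment(
        service="orders-api",
        reviewed=False,
        components=[
            Component("web-frontend", "2.3.1", [Vulnerability("VULN-PLACEHOLDER-A", 9.8)]),
            Component("json-parser", "1.0.4", [Vulnerability("VULN-PLACEHOLDER-B", 5.3)]),
            Component("image-lib", "0.9.0", [Vulnerability("VULN-PLACEHOLDER-C", 6.5, True)]),
        ],
        accepted={"VULN-PLACEHOLDER-A": date(2024, 4, 30)},  # exception expires end of April
    )


def check_sample(today_iso: str, appetite: RiskAppetite | None = None) -> Verdict:
    """Run the sample deployment through the checks as of a given ISO date."""
    return evaluate(sample_deployment(), appetite or RiskAppetite(), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for day in ("2024-03-15", "2024-05-01"):
        verdict = check_sample(day)
        print(day, "ALLOWED" if verdict.allowed else "BLOCKED")
        for line in verdict.blockers:
            print("  blocker:", line)
        for line in verdict.warnings:
            print("  warning:", line)
```

Run as of 2024-03-15 the sample is blocked by the actively exploited issue in image-lib while the high-score issue in web-frontend passes under its documented exception; run as of 2024-05-01 that exception has lapsed and both block. The point of writing the appetite down as data is that teams can read the boundary themselves, and the exception list is the audit trail for every time risk was knowingly accepted.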



Fostering Security Awareness

The shift towards good friction is not just about changing policies but about fostering a culture of security
awareness. It requires educating all members of the organization about the importance of cybersecurity
and how they can contribute to it. When employees understand the rationale behind the guidelines and
see how they enable rather than restrict their work, they are more likely to embrace them.




Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.