IT Security Organizational Model and Culture Needs to Change

With so many large-scale data breaches having occurred in the last couple of years, we must ask ourselves: what does it take to improve current cybersecurity processes, and how do we detect vulnerabilities and attacks in time? In reality, many people still think of cybersecurity as a specialized career, not something an average person should know or learn about.

We live in an age where we increasingly manage our lives (both personal and business) digitally. That is the main reason why everyone should know the basics of keeping security at a high level.

In a recent webinar, hosted by Rhett Dillingham (VP at Moor Insights & Strategy), we had the opportunity to hear from the industry’s thought leaders Gene Sun (CISO, FedEx), James Beeson (CISO at Cigna), Kelly Isikoff (CISO at RenaissanceRe), and Jim Routh (CISO at Aetna). As people who have dealt with many organizational aspects of implementing cybersecurity, they came together to discuss why the IT security organizational model and culture need to change.

About Centralization, Decentralization, and Pushing Responsibility Forward

As Chief Information Security Officer at Aetna (a managed health care company), Jim Routh explains their organizational model when it comes to mergers and acquisitions: they would acquire a company they believed had a unique capability, but one that always came with a separate development process and separate IT infrastructure. However, corporate security controls cannot simply be applied to these SMBs, because the controls do not fit the startup culture and environment. The only way is to identify the gaps, which represent the company’s top cyber risks, and prioritize the remediation work to support the acquired company in addressing those high cyber risks.

The Role of DevSecOps

The importance of DevSecOps is on the rise because of the necessity to integrate IT operations and development. Everyone is responsible for security. A DevSecOps program can help improve the productivity of an enterprise by reducing defects; it requires building automation and continuous integration into a consistent set of tools that are instrumented in a DevSecOps model.

For James Beeson, it’s about speed. Speed is essential because everybody wants to move faster, and you can go as fast as you’d like within DevSecOps guidelines. Enterprises need to look at their security vulnerabilities as just another bug that they need to get out of the way in order to run as fast as they want. In the past, everybody believed that the security team was the only one to be held accountable, but in reality, everybody needs to share the accountability burden.

Helping Each Other Out

All the experts agreed that small organizations can’t dedicate themselves to improving in critical areas around new and emerging threats, because most of their talent is dedicated to their core business. A small enterprise can use security service providers to analyze what it should focus on in the future, as well as to train the people within the organization so they can manage those capabilities and genuinely understand their roles. At Aetna, the executives educate their service providers and other third parties on their security techniques. Large corporations are fortunate enough to have dedicated expertise to secure their digital footprint, while many small businesses have an IT department made up of only ten people.

Small businesses will never have the resources to raise their security posture on their own, so we have to help each other raise it across the entire supply chain, as attackers often target small businesses to get to the larger organizations. It’s a challenging space in which to keep everyone safe and sound.

How to Choose a Smaller Partner (from a Security Perspective)?

To find smaller companies that have something interesting and help them grow, Jim Routh says that they’ve changed their procurement process. They look at things like financial resiliency, liability insurance, scale, and market share. Most innovation in cybersecurity comes from early-stage companies.

Smaller organizations work on specific use cases and have game-changing capabilities that they offer to enterprises that are ready to take some risk (from a technology standpoint). They also need to pivot and adjust.

About Organizational Readiness

In the case of a large-scale cyber-attack, your operations can be severely impaired. Imagine your computer assets not being able to perform for a month. That’s bad. This forces larger corporations to expand their acquisition due diligence process to bring newly acquired companies up to their standards. When it comes to organizational preparedness, you should prepare for the worst and work to improve your incident response to threats with automated measures, machine learning, and other advanced techniques. A human being can’t respond in a matter of seconds or minutes, but a computer can.

To prepare for the worst, only practice can make people understand what it would be like to suffer a large-scale attack. Communication between all the teams, from the technical to the executive level, needs to be improved. There is also a lot of newer technology that allows you to create so-called “synthetic incidents”: you design a scenario based on a specific risk where you’re not sure how your enterprise would respond. Go through it, learn your lessons, and embed them into the remediation work.


It is evident that responsibility needs to be pushed forward. Larger corporations, on the other hand, have a collective responsibility to educate and train their third parties on the latest security techniques. SMBs are often targeted by hackers who want to get to their larger partners through them.

There is cybersecurity insurance, which is mandatory in larger companies, while SMBs cannot afford it. However, as our world becomes more and more dependent on the digital economy, the participants raised the question of whether cyber insurance should be backed by the Federal Government. It is necessary for us to make progress, and it’s something for the community to discuss and debate.

Author's Bio

Guest Author