The main mission of cybersecurity is not cybersecurity. I’ll say it again. The main mission of cybersecurity is not cybersecurity. I know that might sound somewhat counterintuitive, and maybe even a bit controversial for some, but come with me along this path and I’ll show you how changing your perspective on this will improve the impact, effectiveness and efficiency of cybersecurity in your organization.

The seed of this article came out of a fascinating conversation I had with Dr. Joe Lewis, the CISO of the Centers for Disease Control and Prevention. I strongly recommend listening to the whole thing, but here I’m going to focus on one aspect of our discussion and what I took from it. If you want to check out that podcast, it’s here.

Probing Probability Times Impact

In risk calculations, we look at the probability of an event or occurrence and the impact that it would have, should it occur. Based on that, we can make sensible, measured decisions about prioritization, balancing different risks, and so on. 

As cybersecurity professionals, we become good at that calculation early on, and it becomes very natural very quickly. Seasoned cybersecurity folks can typically make a fast “back of the napkin” assessment in a meeting when a new issue arises, and give an accurate ballpark estimate of what a later in-depth analysis will show.

What we often miss in this industry, though, is what we mean – or what we ought to mean – when we say “impact.” 

Within the confines of our narrow focus on cyber attacks and risks, it’s always clear what kind of impact we’re talking about. But when we’re talking about risk more generally in the context of the organization as a whole, it’s a whole different kind of impact. 

On that level, impact does not mean whether you’re in breach of a policy or not compliant with industry standards. Impact is enabling the mission of the organization to be achieved. 

If I’m making cybersecurity decisions in such a way that means I’m preventing the organization from achieving its mission, then I’m not doing my job right.

How Cybersecurity Gets in its Own Way

If you think that the main mission of cybersecurity is cybersecurity, you don’t only have a negative impact on the real goal of the organization you’re supposed to be serving, you even harm your own cybersecurity efforts. You get in your own way.

This came across particularly strongly in my conversation with Dr Lewis because of his experiences during the Covid-19 pandemic, when it was crucial that the agency he serves be able to move fast to keep up with the needs of a situation that changed by the day. We experienced the same thing at CMS when I was there, as a CDC partner, though we were working on a different aspect of the problem.

With healthcare professionals and patients all around the country looking to the CDC for guidance, taking things slow and steady simply wasn’t an option, even if that meant taking security decisions that would not be best practice in more normal times. 

Had Dr Lewis insisted on every cybersecurity policy, position and checkbox remaining the same, he would have hamstrung the vital efforts of the professionals in his agency, in turn harming the health situation of the entire country.

If you think your main mission is cybersecurity, for example:

  • You impede the necessary flow of data in your organization, making it hard for different departments to collaborate effectively
  • You restrict access to new tools, programs or features that can make work more efficient and enable new projects and options
  • You slow down new initiatives and make it difficult for people to respond to new problems creatively and with agility
  • You force policies and practices on departments because they’re “best practices” even though they may not be the practices that best fit the needs of your organization

The result of all this is that you harm cybersecurity efforts themselves in the long run:

  • Departments start concealing the ways they’re sharing data
  • Departments start avoiding cybersecurity participation when they’re creating new processes and assessing new tools
  • Departments end up sharing data in ways that are much less compliant in order to get around restrictive rules
  • Departments tune out cybersecurity training and briefings when they receive them because they assume they’re out of touch with their real needs
  • Departments do not solicit cybersecurity expertise even with issues for which it is directly pertinent 

All of this harms the operations of the organization as a whole, and can also be very destructive to your actual security posture – often in ways that you won’t even know about, because your visibility is restricted by other departments trying to work around your rules.

The Main Mission of Cybersecurity is The Main Mission of the Organization

Putting the organization first gets better results overall, even if there are some cases when that means taking on additional cybersecurity risk. That’s really hard for cybersecurity professionals to accept, so it’s important for this mindset to be embraced by the entire organization and especially by leadership. 

Here are some steps that Dr Lewis and I have found helpful in achieving this shift in an organization:

  • Step 1: Get to know the organization and its mission very, very well. There are likely a lot of departments, a lot of perspectives, a lot of priorities. It’s your job to listen and learn.
  • Step 2: Pick a cybersecurity theme for the year and make it one that serves the organization, not a purely technical cybersecurity need.
  • Step 3: In a collaborative, iterative process, have all your security teams reflect the theme in their own personal goals, priorities and strategies.
  • Step 4: Invest in relationships, and treat them as relationships. Within cybersecurity and across the org, these are not purely transactional connections. You need to treat them like meaningful interactions and partnerships. This is so important that we’ll doubtless have an entire article on it soon.
  • Step 5: Encourage your team members to invest in cross-departmental relationships too, and to find ways of making connection points part of the routine.
  • Step 6: When you’re promoting or hiring, choose people who are able to take the needs and mission of the organization as a whole as their guiding principles.
  • Step 7: Have monthly meetings with your team and group leads dedicated to strategic analysis and planning. Structure them explicitly around the mission of the organization, with cybersecurity priorities supporting that.

Sometimes Compliance Risk is a Risk You Have to Take

Cybersecurity has evolved to use compliance as an immutable yardstick for performance. If you’re not compliant, you’re nothing, the thinking often goes. 

It’s true that compliance is very important. Practically speaking, compliance means that you have basic ground rules and processes in place that are enormously valuable in protecting your company. In terms of legal, insurance and defensive PR concerns, compliance is vital to show the world that you do take these matters seriously. It’s how that seriousness is often measured by the outside world.

It goes against the grain, therefore, for cybersecurity pros to admit that sometimes compliance risk is worth taking. But in reality, compliance is like any other kind of risk. You try to avoid or mitigate it, but there are times when you make the educated, expert decision to accept risk because the alternative is a negation of your organization’s core mission. 

When you do that, you build up risk debt, and you’ll want to come back and pay it down later on, just as engineers do with technical debt. You’ll want processes in place to make sure it’s not forgotten or overlooked. Doing this means you can make these decisions sensibly, within the same framework you use to evaluate every other form of risk.

As we discussed on the podcast, this is something we all need to get used to saying out loud more frequently. It’s vital for the health of our industry, our own professional growth, and the security of our organizations.  

Cybersecurity is a Mission. To Succeed, You Need to Zoom Out

Cybersecurity isn’t just a job for a lot of us in the profession. It’s a true mission. We breathe it, we live it, we care deeply about protecting our organizations against threats. 

That profound emotional and vocational aspect makes it difficult sometimes to achieve the objectivity or detachment that’s also necessary for true success. It’s all too easy to become over-focused on the technical challenges, the latest attack trends and types, and putting restrictions and fences in place to keep everything as safe as possible. 

To truly succeed in our cybersecurity mission, though, we need to serve the organization as a whole, even when that means accepting that our cyber priorities might not always be the most important. 

Paradoxically, accepting that we’re not always the most important increases the chances that the rest of the organization will take us seriously, because that mindset allows us to show that we care about their goals and requirements and are trying to serve them. When we do make requests of others, therefore, they will be listened to with respect and seriousness. 

For myself and for Dr Lewis, learning that lesson has been one of the most crucial steps in our CISO journeys. I hope that sharing it with you helps you to internalize it as well. Trust me – it makes all the difference to how effective you can be in your role, your department, and your organization.