5.31.23 > Paul Hershberger
I was recently engaged in a conversation with some colleagues in the cybersecurity industry and they posed a question along the lines of; ‘how do you define best in class’?
I was really eager to dive into this one and confident that I had the answer, and it was going to be nothing short of inspirational. So I dove in and started putting all kinds of wonderful words on paper around the concept of multiple layers of defenses that are mutually supportive and continually adapting to input related to the evolving threat landscape; the need for continuous improvements in prevention, detection and response capabilities to keep pace with the evolving tactics and techniques of threat actors, while aligning the confidentiality, integrity and availability needs of the organization within the established risk tolerance thresholds…. blah, blah, blah, blah…..
I realized I was responding the question in a way that is very academic in nature and sounded more like a sales pitch for the ‘next generation’ security solution that was guaranteed to prevent every attack both known and unknown from every impacting your organization. Wait maybe I’m on the verge of something here, possibly the answer is Next Generation Best in Class or (NGBiC), yea that’s got to be it after all its “Next Generation”, so it’s got to be better than just normal best in class. Or maybe not….
When I step back away from the noise and all the marketing around the industry and ask myself what best in class means I must be honest and ground myself in the fact that the definition is dependent on a whole lot of factors that are unique to the environment and organization that you’re talking about. The fact that something works well within the technical landscape within one organization does not mean the same approach will have the same results in another organization. The factors around the technical environment, the organization culture, centralization versus decentralization, internal resourcing versus external partner relationships and don’t forget risk appetite, all influence what works and what doesn’t which can drive very different approaches to achieve the same goal. Don’t get me wrong the overall goals are consistent, you must know what your assets are, you must understand what mattes to the organization, how data flows, what’s normal within the environment, what the risk tolerances are, you must monitor vulnerabilities, incidents and respond to them as well. So, if everything is dependent, then how do you define best in class? Let’s consider the idea of contingency planning within the context of cybersecurity program development and execution.
Contingency planning has long been a foundational component of resiliency planning and disaster recovery capabilities. Walking through a process and identifying those parts of the process that are necessary to keep operational, even if in a degraded state, building resiliency into the processes and developing contingency plans to support sustained operations through a disruption. The same principles apply to the resiliency of the cybersecurity program. Walking through the processes that sustain a cybersecurity program and identifying those critical components that must remain operational, and asking the question, what if that fails, then what. That doesn’t mean listing off your favorite tools that you can’t live without and making sure you have two of each (sorry sales teams everywhere), it’s really digging into the processes and how they support the goals of the program and what are the critical components that are required to keep the process working. Going from top to bottom through the NIST Cybersecurity framework domains of Identify, Protect, Detect, Respond and Recover, and building resiliency into those processes; creating contingency plans and ensuring the teams understand how to execute on those plans if needed.
As I reflect on the question, ‘how do you define best in class’, I don’t define it by what actions you’re taking or what tools you have in place, or how many of the latest Next Generation things you are running, it’s so much than that. I believe there’s at least one thing we can all agree on; no matter what tools you operate, no matter how many partners you engage, no matter how many people you have focused on cybersecurity in your organization, at some point something will fail, then what? Best in class plans for the ‘then what’ moment, considers resiliency in processes and has a level of flexibility in the program to incorporate a Plan-B to sustain the ongoing operations. So, yea there you have it, best in class from my perspective is always having a Plan-B, after all attackers always have a Plan-B; do you?
Paul Hershberger, Cyber Command Center Leader, Cargill
Cyber Security Executive | Cloud Security | Technology Strategy | Incident Response | Threat Intelligence | eDiscovery
I’m a high-performing, globally-experienced executive with extensive information security, enterprise risk management, technology compliance and audit, and information technology leadership experiences. My background has helped me develop a leadership approach that builds cohesive team dynamics, promotes highly-engaged and successful teams that consistently deliver value to the business. I am a skilled security executive with a proven record of aligning security strategy to business needs in a way that builds support at the executive level and drives success across the organization. A strategic thinker that consistently looks beyond the here and now preparing to respond to and manage emerging threats while leveraging new technology to drive value.
You can Connect with Paul here at the Summit at >
You can Connect with Paul on LinkedIn at >