Identify and prioritize business initiatives with a Security Defense Assessment

morphick

Company leaders worldwide are constantly asked to improve the performance and security of their businesses. I was asked to do the same when I was a CISO. These goals seem to conflict, but they do not if you adopt a broader mindset. To do so, you have to first take a very pragmatic view of what the security industry is selling. 

My belief is that the security industry is too academic. There is no shortage of vendors who can provide you with a list of vulnerabilities, a list of risks you need to address, or a list of technologies you should implement.  Once the list is delivered, the vendor leaves. The customer is then left to decide how to prioritize these lists with the other strategic goals and operational issues within their company. In my former CISO role, I had a list of over a million vulnerabilities to manage.  How do you manage that many vulnerabilities?  And how do you manage that many vulnerabilities while also managing new business initiatives, new technology deployments, refreshing of old technology, resource drains caused by attacks, etc.?  What I really needed wasn’t another list, but a strategy and process to prioritize everything and form a robust defense framework. I needed someone to come out of the ivory tower of risk, stop giving me lists and start helping me build a program that can actually do something with those lists.  I needed someone who was going to get on the field and help me win the game.  I didn’t need more people on the sidelines calling in plays.

I also believe that the security industry is overly technology focused. Cyber risks are no longer technology risks. Cyber security professionals are not only tasked with protecting their companies against malicious computer programs. They are now tasked with protecting against malicious people. In other words, today’s cyber security leaders have two problems to solve: technology problems (stop the automated attacks, viruses, worms, random/opportunistic attacks) and people problems (stop the team of attackers who are specifically trying to break into your company). These are separate and distinct problems and they require separate and distinct solutions. Whereas automation and technology are good at stopping the technology-based risks, they are not good at stopping people. The security industry is so focused on delivering new technology to address emerging cyber risks that it has missed the fact that it is not solving a technical issue, but a people issue. Technology will never solve a people issue. Don’t get me wrong, there’s a healthy business model to sell the “next great box.” Boxes are an easy, singular sale requiring minimal overhead for the vendor to support, but they will not stop people from breaking into your business.

In short, the industry is missing a practitioner’s approach: someone who could help an organization understand how to approach and prioritize the threats it faces, someone who had successfully defended large enterprises and could really help teams that lacked the people, processes, or funding needed to do the job effectively.

This realization led me to leave my CISO role at General Electric to found Morphick. We have created a company of former security leaders that doesn’t just tell our customers about all the various vulnerabilities and issues that they have.  Nor do we evangelize the latest technology.  We believe that security should support operations and strategy rather than constrain them. The challenge is to identify the key initiatives that will make yours a twenty-first century business.

Morphick’s Security Defense Assessment allows any company to perform a comprehensive review to identify the right issues for improvement and set compelling and achievable goals.

A comprehensive look at your security program.

No matter how robust your security practice, it has areas that could be accelerated or built upon. Funding, staffing, and staying current in the security space are complex challenges. Morphick helps clients that are embarking on major growth or change in their security stance to identify the optimal future state of defense, aligned with business needs, and then jointly develop an implementation blueprint.

Expert guidance on how to best use your existing tools and processes.

Many companies face a mismatch when it comes to the ability of their IT to meet evolving security expectations. A key lesson Morphick delivers is that great people and process, not just great technology, are what create great defense. Our experts help companies grow and transform existing security tools and processes to win in a digital environment using methodologies we have both implemented and seen work in the real world. We also have patented technologies designed not to fix your cyber problems, but to enable those methodologies that will fix your cyber problems.

Reduced risk with prioritized initiatives.

Security should not prohibit the flow of business. We believe that a company’s corporate strategy both guides and is influenced by its technological capabilities. Our industry experts take the unique approach of working with business leaders to understand corporate goals first. This allows us to work together to determine what technological capabilities, systems, and processes are required to succeed.

Don’t get another list of items to worry about; actually improve the security of your business.

Improved performance and operational excellence can happen with security improvements. The goal of Morphick’s Security Defense Assessment is to help you, the business leader, deliver the best planning possible according to your company’s security needs, financial constraints, and business goals.