NEW OFFICE OF THE CISO PAPER: ORGANIZING SECURITY FOR DIGITAL TRANSFORMATION

Anton Chuvakin · Published in Anton on Security · Sep 14, 2024

So some of you are thinking “ewwww … another security transformation paper,” and
that is understandable. A lot of people (and now a lot of robots too) have
written vague, hand-wavy “leadership” papers on how to transform security,
integrate security into digital transformation, or move to the cloud (now with
GenAI!) the “right” way, reaping all the benefits and suffering none of the
costs. Because thought leadership!

This is not one of those, promise! Why not? Because our new paper helps answer
two real — and really hard — questions:


#1 BASED ON THE EXPERIENCE OF OTHERS, WHAT DOES A “MODERN” OR TRANSFORMED
ORGANIZATION’S SECURITY CAPABILITY LOOK LIKE?


#2 GIVEN WHAT YOU HAVE TODAY, HOW TO TRANSITION FROM WHATEVER YOU HAVE TO WHAT
WE DISCUSSED IN #1 ABOVE?

I bet you’d agree that this is really tricky. Hence our paper!

Let’s start with my favorite insights and surprises (and, yes, Gemini via Gems
had a “hand” in this, but the curation is very human):

 * The Primacy of Organizational Transformation: The guide emphasizes that
   digital transformation is not solely — or even largely — about technology
   adoption, but fundamentally about transforming the organization, its
   operations, its team structure and its culture. This may surprise security
   leaders from traditional organizations who might primarily focus on technical
   solutions and “let’s just get new tools!”
 * The OOT (Organization, Operations, Technology) Approach: The guide advocates
   for prioritizing organizational and operational changes before finalizing
   technology decisions. This may challenge the conventional approach in
   traditional organizations where technology choices often precede
   organizational adaptation.

[Figure: roadmap of how “classic” teams fuse into modern ones]

 * The Significance of a Generative Culture: The guide stresses the critical
   role of a generative culture in achieving successful transformation.
   Cultivating a generative culture is essential for fostering adaptability and
   thus ultimately for modernizing security. Such a culture, characterized by
   high trust, information flow, and shared responsibility, may be a departure
   from the hierarchical and siloed structures prevalent in traditional
   organizations.
 * The Distribution of Security Responsibilities: We propose a shift away from
   centralized security functions towards a model where product teams assume
   greater ownership of security throughout the development lifecycle. The
   distributed responsibility model emphasizes empowering product teams to build
   security into their applications from the outset. This may surprise — and
   upset — security leaders accustomed to a centralized security model.
 * The Difficulty of Letting Go: We remind everybody that moving away from
   legacy processes and controls can be unexpectedly challenging, even painful.
   Teams may be attached to familiar processes or resistant to change, even if
   it leads to visibly greater efficiency and security. Security leaders might
   be surprised by the internal resistance they encounter when trying to
   implement new ways of working.

[Figure: the transformation process we use]

As usual, my favorite quotes from the paper:

 * “As we’ve helped more security teams make the move to the cloud, we’ve
   identified nuanced challenges that they face — namely those related to team
   structure, changing business operations, and establishing culture — that are
   critical to their success”
 * “Where do we start when we talk about transforming the cybersecurity
   organization within a company that’s historically delivered security to
   on-premise systems within a highly centralized function? Ideally, we think
   this conversation should start with defining security goals framed in
   business outcomes like capabilities, velocity, quality, cost, and risk.”
 * “You’ll find many opinions about how cybersecurity enables a successful
   digital transformation, but most observers are unaware of the complexity
   involved in effectively collaborating and sharing responsibilities, skills,
   tooling, and other capabilities with fast-moving product-based teams who own
   the full set of responsibilities — including cybersecurity — for the
   applications they build and run.”
 * “Moving away from the toil often associated with securing on-premise systems
   can be challenging for unexpected reasons. We think security in the cloud is
   a better future that can be difficult to imagine without inspiration and
   intentional culture development. ” [A.C. — this is not some snide remark
   about ‘server huggers’ but a very human tendency to like whatever they
   invested their blood and soul into…]
 * “Our first step in helping customers work through transition to the cloud and
   more modern ways to work starts with backing away from the belief that it’s
   the technology that’s transforming.” [A.C. — my fave example is here]

Now, go and read our new paper!

P.S. “Anton, but I like SOC papers, can I haz moar?” Yes, there is one coming in
a few weeks: Part 4.5 of our glamorous SOC of the Future series.

Related:

 * “CISO’s Guide to Cloud Security Transformation” paper (2021)
 * Moving shields into position: How you can organize security to boost digital
   transformation (official launch blog for the same paper)
 * How CISOs need to adapt their mental models for cloud security
 * For a successful cloud transformation, change your culture first

Tags: Security Transformation, CISO, Security Leadership
Written by Anton Chuvakin, editor for Anton on Security. See www.chuvakin.org