Cyber Agility Mandate – Transforming InfoSec Programs to Meet Evolving Markets
2024-12-03 21:54:55 Author: securityboulevard.com


As leaders responsible for cybersecurity programs, we are asked to produce plans and annual budgets for the coming year even though the technical infrastructure, the threats and the business models are bound to change before the year is out. This requires us to design agility into our programs in ways we have not previously had to.

The speed of change has reached the point where we need to reconsider some of our standard assumptions and practices. The only way information security programs can provide the support and protection the business needs is to change our basic approach to deploying security controls. Rather than simply buying tools that solve specific problems, we need to select capabilities that provide dynamic controls, so that we can adjust our risk appetite or coverage as conditions change. These platforms should also be ones with a track record of innovation against emerging threats.

I want to share five steps you can take today to build a business-focused, "rapidly adaptive security program." This process will allow organizations to create a strategy that drives this new way of operating. The focus is on being able to iterate quickly as risk changes, driven by factors such as complexity, vendor lock-in and changing business models.

The five steps are:

1. Gain situational awareness throughout the customer and employee journey (data flow)
2. Determine where you have issues: tech debt, vendor lock-in and unmitigated cyber risks
3. Design a capability architecture to reduce complexity and introduce agility
4. Examine your culture and processes to shift to a new focus on agility
5. Execute your transformation to drive a business-focused, dynamic program

The process illustrates what is needed to create your strategy and to drive this new mindset. Our mandate is the ability to adapt rapidly as risk changes: by striving for simplicity, by minimizing niche vendors and by changing along with new business models. This reduces the risk of the InfoSec team trailing behind the latest transformation. Instead, InfoSec becomes a partner in securing the operational and business environment in real time, based on active risks.

This means we need to build stronger relationships with our business partners to ensure that the next generation of risks is mitigated. We will also need to change our evaluation criteria, analysis and vendor management principles to reflect a flexible approach to mitigating risk.

We also need an ongoing program to update our team's skills. For example, we are shifting from traditional web interactions to application programming interfaces (APIs) as our primary method of engaging customers. This requires different skills to analyze the threats to APIs and new tools to protect them. While we support this shift, we must start now to develop the skills and security controls needed to securely deploy the next challenge, such as generative artificial intelligence (GenAI). The idea of developers "shifting left" and including security early is not working. We need to be able to react at speed, which requires that we change how we work. This leads us to design flexible security controls that can adapt on their own, rather than expecting developers to integrate our controls as part of each transformation: not ideal, but necessary in today's fast-moving environment.

Finally, each company needs to tailor the approach to the culture of its organization and decide whether a top-down or bottom-up approach will work best. Leadership buy-in is effective but not easy to achieve. Sometimes demonstrating success at the tactical level persuades other teams to join the effort and drives change from the bottom up. At the end of the day, we come back to the idea of rapidly adapting; in this case, it is how to successfully implement this strategic change within your own organization.

Source: https://securityboulevard.com/2024/12/cyber-agility-mandate-transforming-infosec-programs-to-meet-evolving-markets/