How would you invest resources to Deter, Detect, Defend and Document (4D) within your enterprise, if you knew that your organization would be continuously vulnerable for the next 6 years? What would you change, if this was the current state of play:
"A recent study from the RAND Corporation, a global policy think tank, determined that among any given entity's stockpile of zero-day vulnerabilities, only 5.7 percent of these bugs will be discovered and publicly disclosed by a second party within a year's time. (Note that the study does account for additional groups that may also find some of the same bugs but decide to secretly hoard them.) Moreover, the study found that exploits and their corresponding vulnerabilities have an average life expectancy of 6.9 years before they are uncovered and patched."
You won't have to invest more dollars in a pest extermination company such as Orkin to address these kinds of bugs. The software vulnerabilities that exist in your organization will be unknown to you long enough for adversaries to live and operate freely inside your company, for months if not years.
The mindset shift that is necessary now is to view the enterprise as you would any major change management initiative: one that is continuously evolving based upon market shifts and new product introductions. You have to be "Adaptive," and you must respond to the competition's new marketing campaigns.
Why is it so hard for you to take the "Strategy of Business" and make the leap to the "Strategy of Information Security"?
When the competitor launches a new feature set and the corresponding Ad campaign, how do you pivot? What do you do to counter the potential erosion of your market share? How much money and resources are devoted to the new roll-out, brand recognition and sales events?
Can you imagine sitting back and doing nothing for months or years, while your adversaries in business are exploiting your slow and weak response in the marketplace?
The nation-states and Crime, Inc. are betting on the reality that you don't take Information Security seriously in your organization. They do their research to see which Global 500 organizations are keeping their Information Technology budgets flat, year-to-year. They use this Intelligence to stack-rank their list of targets for the software vulnerabilities they are buying each day on the "Deep Web."
Is your Chief Information Security Officer (CISO) still reporting to the Chief Information Officer (CIO)? Is your Chief Privacy Officer (CPO) even part of your Senior Staff? Can you show a line-item increase for Information Security in your year-to-year budget to address the change management reality and strategy of your enterprise?
Have you and your Board of Directors had a briefing yet on "The Shadow Brokers?" What does it all mean for your enterprise?
It means that the traditional way of thinking about protecting and defending your organization is over. It means that the standard "Go-to-Market" strategy and "Competitive Intelligence" investments that you are making should incorporate a parallel "Information Assurance" program.
The business of an "Adaptive Enterprise Architecture" and "Decision Advantage" requires bold new thinking and even harder changes of personal and organizational behavior.
The truth and reality of your business survival means a significant change in strategy and in investment. Do your own research within your own organization this week. Get the numbers and the data to show how much you are spending next budget cycle on Information Assurance vs. last year.
Find out where the budget is being allocated year-to-year, and why. You know how to do this; you have been doing it all along with the Marketing and Sales Departments.
What is the opportunity?
Sometimes the digital truth is difficult, and in the end the trusted reality becomes almost "Darwinian." Survival in the next decade will be about your "Decision Advantage" at the speed of Digital Trust...