4 Principles to Implement a Cyber Program with a Fighting Chance

  • Writer: Kristina Sisk
  • Jun 16, 2024
  • 5 min read

Updated: Mar 12

[Featured image: female cybersecurity hero]

I have watched all 23 movies of the Infinity Saga in the Marvel Cinematic Universe (MCU), starting with the release of Iron Man in 2008. I have completed this feat multiple times, both in the order of movie release dates and in the story timeline order. (Luckily for my marriage, my husband also loves these films.) On the surface, it may seem like an unhealthy obsession with superheroes, cinema, and comic books. I wish I was cool enough for that to be the case.


In reality, it’s purely fascination for scaling with excellence.


Scaling Cyber Programs for Excellence

When I was at university, my business school taught, “Scale requires growth. Growth requires repeatability. Repeatability requires standardization.” And perhaps in areas of business like manufacturing, this still holds true. However, in domains like Cyber, where the program must continually scale to the latest technology, creativity is required for excellence. Nothing squanders creativity quite like standardization.


In the 2019 HBR article, Marvel’s Blockbuster Machine, authors Spencer Harrison, Arne Carlsen, and Miha Škerlavaj detail 4 key principles behind the success of the Infinity Saga era of the MCU, and all of them can be adapted to build a stronger cyber program.

1. Select for Experienced Inexperience

In the 2024 SANS-GIAC Cyber Workforce Research Report, respondents were equally concerned about the staffing levels and the staffing skills of cyber programs. Whether or not you believe the cybersecurity talent gap is in the millions, if you lead a cyber program, chances are both of these are a concern for you.


If we apply the analysis of the MCU, then respondents should have overwhelmingly cited staffing levels as the greater concern. The ideal size of your program, and thus your staffing level, depends heavily on the regulatory demands of your business and likely ranges from 6–10% for healthy programs at large organizations.

Based on my experience, gaining business buy-in to increase your staffing levels to a target state will take longer than implementing a “runway” to enable people with technological expertise to grow their career by learning to secure their domain area of experience.


Creating this runway could be its own post. If you are considering how to implement this principle, there are more options available to you than just the trusted (and expensive) SANS Institute, such as IANS, the MIT xPro Professional Certificate in Cybersecurity, or KC7.


2. Leverage a Stable Core

Here is where strategic standardization can successfully be applied. A stable core can be people, a business process, or even the adoption of a common framework for business reporting, such as the NIST CSF.


The stable cores you choose should be closely tied to your business. This can be difficult when, even at large companies, only 60% of CISOs meet with the board regularly. Read the annual reports on your company’s website, listen to investor calls to learn what concerns the market, and prioritize reading company announcements on your intranet. Combine this intelligence collection with your knowledge of the threat landscape to determine what is most important to your company’s success.


For example, if your company has just completed a digital transformation to the cloud, cloud security is a good candidate for a stable core, staffed with experienced (and likely expensive) key talent.


Or perhaps you use the NIST CSF as a framework to report your program’s maturity, and you notice that resilience is a theme the business has adopted post-COVID. Transition your reporting and create stable core areas to support the Respond and Recover functions. Invest in repeatable processes to report on what Gartner calls Outcome-Driven Metrics (ODMs) for these functions.


3. Keep Challenging the Formula

The introduction of the SEC disclosure rule and the increase in personal liability for CISOs could easily result in a drive toward standardization and a discomfort with continual experimentation.


I don’t know any cybersecurity expert that feels like we are winning as an industry right now. Solidifying how we operate now through broad standardization will surely doom us to a future of continued failure. Rigid compliance frameworks will only widen the gap between a company being compliant and being secure.


We need to experiment with ideas like, “What would it take to remove the need for security agents on end user devices?” If we don’t allow data to live on the endpoint, embed security controls that block lateral movement, and rely on device-specific authentication, does it matter if a laptop is compromised, or does it simply become a user experience problem?


4. Cultivate Customer Curiosity

It is enticing to view your cyber program’s customer as the company’s customer. We all want to be able to say that our program is not solely a cost center, because it increases the trust our customers have in their digital experience with our company.


However, it is transformational to view your cyber program’s customer as the company’s employees. Our industry commonly refers to our colleagues in almost inhumane terms like “Layer 8”, “the human problem”, or “the biggest weakness in cybersecurity.” No wonder we aren’t beloved for all our heroics to keep the company safe. We continue to design interactions meant to “patch” these weaknesses through training or, worse, “gotcha” simulations that show just how weak our colleagues make the company.


Imagine a program designed to treat all employees as fully human: one that provides them with armor for their weakest spots, skills that make them confident they have the knowledge to do their job safely, and support for when they make a mistake. Programs designed this way offer an avenue toward curiosity over annoyance and provide opportunities for employees to co-create their security experience.


If you need ideas on how to implement this principle, I recommend starting with Service Design.

The combination of the post-SEC rule environment and the rising influence of cyber insurance on how a program is measured could create a “Sacred Timeline” with irreversible results: the burnout of the current too-small cyber talent pool, compliance becoming systemically more important than security for all public companies, and the pruning of the revolutionary innovation that could completely alter our industry’s narrative of “winning”.


The success of our industry’s future and of your cyber program relies on creativity. It relies on understanding the inherent complexity of delivering a secure digital footprint based on financially defined risk appetites, and on accepting that the path to success depends, at a minimum, on these 4 key principles and on equal parts art and science.


A special thank you to the authors Spencer Harrison, Arne Carlsen, and Miha Škerlavaj for your research on the MCU’s success. It inspired me to change how I create teams and lead programs, and it provided me with an excuse to binge the saga — for my own research purposes, of course.



This post was originally posted on Medium on Jun 16, 2024.


The featured image was generated using Adobe Firefly and the prompt, “A comic book strip image of a female cybersecurity professional as a super hero.”


© 2025 by Practical in Theory, LLC. 