For a chief information security officer (CISO), it is vital to develop internal and external ecosystems with participating partners who can support the varied needs of the cyber operation. With resource constraints, especially during the current pandemic, the importance of the ecosystem has increased considerably.
Continuing this thought leadership series focused on cybersecurity, this short article will explore the role of ecosystems in cybersecurity.
Role of internal ecosystem
As part of the organizational cyber strategy, creating and sustaining an internal cyber ecosystem should be initiated without delay, as it requires careful planning, diligent socializing and creative nurturing. The internal ecosystem will facilitate and accomplish the following:
- Aligning the cyber strategy and operations with board and organizational goals. It will also provide buy-in from this important constituency later.
- Collaboration with other core IT functions such as shared services, infrastructure (in the chief technology office) and operations for improved performance. Our experience shows that complementary services are provided and consumed by these functions and cybersecurity.
- Close association with IT audits using a collaborative governance, risk and compliance (GRC) platform to reduce cost and increase utilization of common processes and evidence collection.
- Providing a holistic risk assessment to the board and leadership covering diverse perspectives. Usually, an enterprise risk committee or chief risk officer (CRO) role assists with leveraging the best outcomes.
- Helping standardize cybersecurity messaging throughout the ecosystem.
Figure 1: Internal Cybersecurity Ecosystem
Figure 1 displays a basic internal cyber ecosystem. Please note that it can become complex based on the organizational size. Additional entities can always be added as required to make it more effective. The ecosystem requirements are true for small, medium and large organizations.
Role of external ecosystem
Figure 2 below displays the external ecosystem example from my tenure as CISO for a public sector entity in state government. At a minimum, there should be close integration with the executive and legislative branches, followed by the critical agencies involved in law enforcement. Additionally, collaboration with critical infrastructure, financial institutions and health care entities is vital for this external ecosystem. Finally, the association with other states in the region to share best practices and use cases always results in improved services for the citizens. The vendor community is a key entity in this ecosystem. Additional entities can be added as required.
Figure 2: External Cybersecurity Ecosystem
Nurturing the ecosystems
While creation of these ecosystems will require leadership and collaboration, nurturing will require creativity and trust in partners. I have seen great outcomes by sharing best practices regularly over conference calls or on-site meetings. Firm commitment to attend and share information in a trusted and secure environment is key to the success of such ecosystems. Conducting tabletop exercises with the internal and external partners will further improve the business relationships and improve the cybersecurity posture of the ecosystem. The ecosystem should be allowed to grow organically based on the needs of the members.
- With the increased demand to “do more with less”, developing an ecosystem and leveraging it for strategic and operational needs will become highly beneficial.
- Be ready to contribute to the ecosystem while leveraging it for your organizational needs. The bi-directional exchange of information, best practices and tools is always healthy, essential and refreshing.
- Effective and creative leadership is very important for sustaining and nurturing the ecosystem. The leader should develop a collaborative vision and mission which should be used to guide the member entities.
Rajiv has more than 25 years of information technology strategy, operations, large systems integration, cybersecurity and program management experience. Rajiv is a principal in the cybersecurity practice of Plante Moran Management Consulting, after serving as Chief Information Security Officer (CISO) for the Department of Technology, Management and Budget, State of Michigan.