Divergent Technology Solutions provides a wide range of consultative services including chief information security officer (CISO) services, as well specialized information security subject matter expertise (e.g. information security governance, risk and compliance, information security operations, business continuity and disaster recovery, program/project management and incident response). While the design and implementation of a comprehensive, risk-based security program that is based on compliance with industry standards such as NIST 800-53 is critical, protecting an organization's assets in an ever-evolving threat landscape is far more nuanced than simply ensuring that security controls are in place.

​

Far too often, investment in Cybersecurity is seen as an expenditure that is, at best, a necessary evil and, at worst, an outright impediment to the business. At Divergent Technology Solutions, we believe that, applied properly, the principles of information security can enhance the business process. The key to achieving this balance between the protection of assets and the ability to effectively conduct business is rooted in three basic principles – education, security integration, and changing the organizational culture. 

All employees must be educated as to both the importance of an effective information security program and the consequences of failing to have one. This includes having effective onboarding and annual security training as well as regular, ad hoc security communications to convey information related to emergent threats and changes to the threat landscape. Employees must also understand the value of information security to the business. Unfortunately, this is not easily expressed from the more traditional return on investment perspective. Instead, it is a value that is better explained as a judicious hedge against the future expenditures that often result from having an inadequate information security program – many of which are exponentially higher than the costs of developing and maintaining a proper cybersecurity posture in the first place.

As to integration, we believe that wherever possible, security should be “baked into” every facet of the IT design and architecture processes. From the requirements gathering phase right through operations and maintenance, security should be an integral consideration. In order to achieve these goals, however, the cybersecurity team must first develop healthy working relationships with the other functional areas involved in the IT design process so that they are seen as a trusted partner to those disciplines instead of an adversary determined to complicate and impede business processes.

​

Finally, team and corporate culture are both critical components of organizational success. A corporate culture that encourages open communication and innovation, that values the individual and her/his efforts, that maintains an atmosphere of inclusion and respect, and that tends to align the employees toward accomplishing a common goal will always outperform organizations that do not follow these tenets. Put more succinctly, as Peter Drucker famously stated, “Culture eats strategy for breakfast.”
 

In the final analysis, business priorities must supersede those of the information security program. It is at this critical juncture where very difficult decisions must sometimes be made regarding the acceptance of risk versus an organization’s ability to mitigate risk through security controls. Fortunately, the need for an absolute and exclusive prioritization of business need over those of cybersecurity is rarely required as congruous security design has the capability to achieve a satisfactory compromise in most situations.