Insight by LookingGlass

The road to cybersecurity maturity is paved with the basics


With a career that stretches back to the 1980s, Ron Nielson, executive director for Public Sector at LookingGlass, has seen the IT Industry grow and mature over the decades – from his start in the intelligence sector to his work in the private sector for an internet service provider.

On this edition of CyberChat, host Sean Kelley discusses with Nielson what it takes to develop a mature cybersecurity posture.

Nielson said employees need to know the mission of the company, the company’s key terrain, what they are defending and what is the pot of gold at the end of the rainbow.

Nielson said companies should “get more broadly focused on what is the objective [to protect] … what is the corporate sweet spot?” Whether it’s a server, a database or the organization’s people, Nielson said understanding what the adversary has in their toolbox, how an adversary would attack and what those attacks look like are key questions to answer first.

“Most cybersecurity companies, even ones we consider mature, don’t seem to align their defensive practice to the high-value assets or the terrain,” Nielson said.

Adopting a threat assessment or a cyber assessment kind of mentality is one of the best ways to mature a cyber posture. Nielson said “it can be done organically by the organization or through a third party as a service activity.”

The revolving door of chief information security officers, Nielson cautioned, is a hindrance to the maturity of the cybersecurity sector. “It’s hard to really mature that position or that organizational function when we don’t apply some level of stability to it.”

The cyber workforce also has an important role in cybersecurity maturity. “You have to understand your workforce and their capacity,” Nielson said. He added that there is always going to be a shortage of cybersecurity professionals. So, as organizations look at their environments, they must understand how tools can be incorporated to offset skills or personnel gaps.

“The tools sometimes can be wonderful. But if you’re not going to trust what the tool tells you [or] use its knowledge to help defend your network, you’re kind of defeating the purpose of automation and machine learning,” Nielson said. “Mature organizations pick the tools that compliment their workforce.”

Nielson recommended finding service providers that offer advanced techniques that the company and workforce may not comfortable with yet.

Information sharing is the last big piece of creating a mature cyber posture.

“I don’t think cybersecurity professionals are basically trusted,” Nielson said. “When an organization has been compromised, they’ve been trained not to expose it […] because if you show that you were compromised, you’ve demonstrated that you, in a sense, have failed.”

Nielsen challenged the community “to start thinking of it differently.” He said cybersecurity professionals should be applauded because they found the intrusion, not denigrated or scrutinized. “When people find an adversary, we should all salute them. Maybe come up with an award in D.C. for them.”