CMMI Institute



Get Comfortable with Being Uncomfortable

By E. Doug Grindstaff II, CMMI® Institute Sr. VP of Cybersecurity Solutions

Someone once told me that the key to success in cybersecurity is getting comfortable with being uncomfortable. There may be no better description of cyber resilience.

Think about it: No matter how good you are as a cybersecurity professional, cyber risk will always be there – and always changing. What’s good enough to mitigate cyber risk today probably won’t be enough for the job tomorrow. You need to embrace that reality if you’re going to fend off most attacks and recover quickly from the ones that inevitably breach your defenses.

What does it mean to be uncomfortable? It’s the hallmark of a forward-leaning culture of cybersecurity. It means habitually questioning, challenging and pushing your organization. It’s actively looking for trouble – persistently reevaluating the cybersecurity landscape, assessing the new risks it might pose to your business and re-mapping your capabilities against them. It means taking little comfort in merely complying with industry frameworks and government regulations.

Compliance is only table stakes, as I wrote recently in “Resilience, Not Compliance, is a Real Cybersecurity Strategy.” Yes, frameworks and regulations address cyber risk, and they can even provide a level of comfort as your team completes the tasks and checks the boxes they prescribe. Yet they present generic, lagging indicators, where your company needs to fight specific, emerging threats.

To be resilient, your cybersecurity strategy needs to be risk-based, not compliance-based, with those risks prioritized according to the unique needs of your business and organization.

Cyber Stress is a Fact of Life
I know it’s asking a lot for you all to get comfortable with being perpetually uncomfortable.

Already, in study after study, the issue of personal cyber stress is coming to the fore. Nine out of ten CISOs suffer moderate to high stress, according to one survey, with 60 percent saying they rarely disconnect from their work. Researchers make comparisons to air traffic controllers and surgeons. MIT reports that cybersecurity conferences now feature sessions on “Mental Health Hacks” and “Addiction in Infosec.”

Doesn’t this validate what you already know—and feel? Cybersecurity professionals find themselves between a rock and a hard place. The rock is relentless cyber threat. The hard place is heightening regulatory scrutiny of data privacy and cyber preparedness.

The root causes of cyber stress aren’t going away. In one specific example of the ongoing evolution of cybercrime, Symantec’s 2019 Internet Security Threat Report showed thousands of websites compromised every month by formjacking, a relatively new threat in which thieves capture data as it’s submitted by individuals to a legitimate online order form. From the cloud to smart speakers to the Internet of Things, each technology innovation is also ushering in novel cybercrimes.

At the same time, the pile of public-private frameworks and government regulations continues to grow. The National Institute of Standards and Technology (NIST) Cybersecurity Framework and Europe’s General Data Protection Regulation (GDPR) only top the list. Consider all the GDPR look-alikes emerging in many states and countries, and the acronym soup of ISO/IEC standards, industry-specific norms, public procurement policies, COSO, NERC, TY CYBER, HITRUST CSF and others.

With so many overlapping and even conflicting frameworks and regulations, compliance risk can be as great a source of stress as cyber risk. Their proliferation is one reason the technology industry is among those calling for more unified, federal privacy regulation in the U.S., and the government is said to be considering just such a step.

Discomfort Builds Cyber Resilience
All of these frameworks and regulations cannot ensure cybersecurity, as even their authors would tell you. What’s worse, they can create a false sense of cybersecurity.

In contrast to a compliance-driven strategy, a risk-based strategy builds cyber resilience by focusing on your organization’s own biggest risks, with a mindset that is constantly trying to anticipate and prepare for new threats. That’s a far cry from a focus on aligning to frameworks. And yes, it’s uncomfortable.

I am seeing a clear example of this cultural shift among IT auditors, among others. Many audit teams are evolving from working through retrospective checklists to identifying risks to their business in real time, using advanced analytics in their role as data managers.

We’ve designed the CMMI Cybermaturity Platform as a catalyst for such shifts and an enabler of a more resilient culture. The platform provides a regularly refreshed mapping of the cybersecurity environment and a shared view of the current risks and capabilities across your enterprise. It helps monitor your cybermaturity, identify gaps, drive improvements in your capabilities where the cyber risk is greatest and then track progress – while also assessing compliance risks, gaps and capabilities.

Getting comfortable with being uncomfortable may not sound like the cure for common cyber stress. But with more effective cyber defenses, less impactful data breaches and lower compliance risk, cyber resilience might just deliver something better: renewed confidence in your work and the well-being of your company.