"Hack" may not be the most comforting word to use when describing cybersecurity strategies, but defending against cybersecurity breaches is nonetheless of paramount importance. Such breaches have persistently made headline news over the past several years, despite contemporary enterprises spending more and more money on competent cybersecurity personnel and defensive technologies. While these threats are an inevitable cancer in the age of digitization, any organization can prevent the potential crises that may emerge from cybersecurity issues.
From well-funded nation-states to undertrained (or perhaps incompetent) employees clicking on the wrong links, the root causes of cybersecurity breaches vary widely. What these root causes all have in common is their insidious nature when they do strike.
Organizations today also operate in an increasingly distributed corporate landscape. Since the dawn of the pandemic, chief information officers have in effect had to open many new offices, being overwhelmed with the need to send everyone home. Employees, previously ensconced behind a firewall, suddenly seemed defenseless. Even without COVID-19, the shift toward software-as-a-service apps, mobile computing, and interconnected business relationships has seriously weakened the security perimeter of the corporate world.
However, despite all these threats, organizations can influence organizational behavior and reduce tactical errors to become more secure. The following are areas that many organizations need to address.
Strategic mistakes
1. Outsourcing responsibility
Outsourcing to a managed security service provider (MSSP) is a well-established tactic, particularly for companies that need to secure resources quickly or that cannot hire and retain adequate staffing. However, the MSSP route can devolve into outsourcing responsibility for the program while satisfying compliance obligations. Let’s face it, no one should care more about a security posture than the company. People and processes are more important and should be considered before tool selection and implementation.
2. Great exposures
Apart from strictly regulated industries, programs for two significant attack surfaces are either immature or non-existent. Vendor risk management must garner more attention because companies operate in an interconnected corporate landscape, and security is only as strong as its weakest link. Almost every enterprise has moved to the cloud in one form or another, yet many still have to address the fundamental data security and privacy compliance consequences. Verifying user identity and controlling administrative access to applications are related safeguards.
3. Inadequate risk management, governance, and compliance
Too many organizations lack security policies or fail to enforce them. Passing vendor risk assessments and being SOC 2 compliant (a voluntary standard from the AICPA) are becoming essential to keeping customers and growing revenue.
4. Proper vendor selection
Broadline vendors such as Microsoft appeal to security buyers through single-vendor convenience, functional interoperability, or bundled price discounts. Although it offers only foundational security tools, Microsoft allows customers to integrate other best-of-breed vendors, usually SaaS-based and artificial intelligence-powered, to create defense in depth.
5. Trusting tools
People and processes are more important and should be considered before tool selection and implementation. Unfortunately, flashy new technologies, together with eager vendor sales reps, can obscure this critical consideration within the broader framework of cybersecurity.
6. OT security
Colonial Pipeline's breach shed light on the potential susceptibilities within operational technology (OT), the networks running critical infrastructure and manufacturing facilities. Plant-level engineers too often falsely assume that such systems are air-gapped, or are reluctant to examine old code and shut down a production line.
7. Lack of Data Planning/Mapping
Data mapping can be dismissed as an exercise in painting the Golden Gate Bridge, yet without a map, how would a CISO know what specific protections are needed? Privacy regulation drives improved data planning, and organizations need to cultivate a comprehensive understanding of their data assets, whether through technical improvements or through the integration of software tools that improve data insight and efficiency.
8. Design Gaps
Facebook initiated the trend of moving fast and breaking things, and disruptive companies aspiring to unicorn valuations have followed in pursuit of efficiency. Even companies that perhaps lack such uniqueness are less attentive to the security aspects of applications and new products than is wise. Organizations' cybersecurity obstacles are not insurmountable. As with all worthwhile endeavors, companies must take unified steps to become resilient and secure, and to drive value.
Organizational Behavior
The majority of chief information security officers (CISOs) have a tenure of a couple of years, which is less than half the tenure of chief information officers (CIOs). This results in less continuity and less ability to learn from mistakes among CISOs. Turnover in this position is high due to burnout and the pursuit of more lucrative career opportunities. CISOs also become a punching bag for blame and are thrown under the bus in the wake of a major breach, effectively creating a gap in mutual trust with the rest of the organization, particularly the rest of the C-suite.
CISOs often report to the C-suite and are wary of conflicting objectives. Members of the C-suite in particular may prioritize revenue-generating projects, broad digital transformation initiatives, and infrastructure-related "keep the lights on" investments. While it is understandable to associate security with IT, it is inherently a risk management proposition requiring cyber and technical acumen.
When approached as a risk issue, cybersecurity can become more an exercise in transference than in mitigation. Some limited but not insubstantial costs of a breach can be insured, but preserving reputation and resiliency is worth investment. Decades of offshoring IT gutted the early rungs of the career ladder. Lower but more attainable entry requirements, along with certification programs, are good sources for the essential supply of new security talent.
It should be understood that greater security brings inconvenience. Employees typically prefer the path of least resistance and may push back on security initiatives. Few (if any) enjoy logging in to applications using multi-factor authentication, but it provides much greater security. Trained employees become a powerful firewall in their own right.
Employees rarely see themselves as stewards of their own data, thinking IT has sole responsibility for securing it. Privacy regulations drive a welcome, lean data mentality, but security should never shoulder the full, or even primary, responsibility.
According to Gartner, 40% of corporate boards will have a committee for cybersecurity by 2025. Board work is transitioning away from periodic, rote reviews of qualitative traffic-light indicators on IT control framework checklists. Quantitative measures of risk exposure signify an improvement. Boards may assume a broader mandate to evaluate how well the management team protects and drives value from data while maintaining compliance with privacy and other regulations.
Cybersecurity practitioners often struggle to communicate with laypersons, which compromises access to funding and crisis management. Additionally, spending on cybersecurity can come in spurts following significant events: the pound of cure, not the ounce of prevention. Companies should treat security as a competitive advantage, not a regulatory burden to be minimized.