If you are an executive (CIO, CISO, CEO) or board member, cybersecurity is top of mind. One of the top comments I often hear is: “I don’t want our company (to be) on the front page of the Wall Street Journal.” Ostensibly, the comments are in the context of a breach. Yet, many gaps still exist between avoiding this situation and reality. Just saying the words is not enough.
The recent Equifax breach brings to light many conversations with enterprises and executive teams about shoring up their security posture. The sad reality is that cybersecurity spending often happens immediately after a breach happens. Why is that? Let us delve into several of the common reasons why and what can be done.
ENTERPRISE SECURITY CHALLENGES
There are a number of reasons why enterprises are challenged with cybersecurity issues. Much of it stems from the perspective of what cybersecurity solutions provide. To many, the investment in cybersecurity teams and solutions is seen as an insurance policy. In order to better understand the complexities, let us dig into a few of the common issues.
Reactive versus Proactive
The first issue is how enterprises think about cybersecurity. There are two aspects to consider when looking at how cybersecurity is viewed. The first is that enterprises often want to be secure, but are unwilling or unable to provide the funding to match. That is, until a breach occurs. This has created a behavior within IT organizations where they leverage breaches to gain cybersecurity funding.
Funding for Cybersecurity Initiatives
Spending in cybersecurity is often seen in a similar vein as insurance and comes back to risk mitigation. Many IT organizations are challenged to get adequate funding to appropriately protect the enterprise. It should be noted that no enterprise will be fully secured and to do so creates a level of complexity and cost that would greatly impact the operations and bottom line of the enterprise. Therefore, a healthy balance is called for here. Any initiatives should follow a risk mitigation approach, but also consider the business impact.
Shifting to Cybersecurity as part of the DNA
Enterprises often think of cybersecurity as an afterthought to a project or core application. The problem with this approach is that, as an afterthought, the project or application is well on its way to production. Any required changes would be ancillary and rarely get granular in how they could be applied. More mature organizations are shifting to cybersecurity as part of their core DNA. In this culture, cybersecurity becomes part of the conversation early and often…and at each stage of the development. By making it part of the DNA, each member of the process is encouraged to consider how to secure their part of the project.
Cybersecurity Threats are getting more Sophisticated
The level of sophistication from cybersecurity threats is growing astronomically. No longer are the traditional tools adequate to protect the enterprise. Enterprises are fighting an adversary that is gaining ground exponentially faster than they are. In essence, no one enterprise is able to adequately protect themselves and must rely on the expertise of others that specialize in this space.
Traditional thinking need not apply. The level of complexity and skills required is growing at a blistering clip. If your organization is not willing or able to put the resources behind staying current and actively engaged, the likelihood of trouble is not far way.
THREE WAYS TO REDUCE CYBERSECURITY RISK
While the risks are increasing, there are steps that every enterprise large and small can invoke to reduce their risk profile. Sadly, many of these are well known, yet not as well enacted. The first step is to change your paradigm regarding cybersecurity. Get proactive and do not assume you know everything.
Patch, Patch, Patch
Even though regular patching is a requirement for most applications and operating systems, enterprises are still challenged to keep up. There are often two reasons for this: 1) disruption to business operations and 2) resources required to update the application or system. In both cases, the best advice is to get into a regular rhythm to patch systems. When you make something routine, it builds muscle memory into the organization that increases the accuracy, lessens the disruption and speeds up the effort.
Regular Validation from Outsiders
Over time, organizations get complacent with their operations. Cybersecurity is no different. A good way to avoid this is to bring in a trusted, outside organization to spot check and ‘tune up’ your cybersecurity efforts. They can more easily spot issues without being affected by your blind spots. Depending on your situation, you may choose to leverage a third-party to provide cybersecurity services. However, each enterprise will need to evaluate their specific situation to best leverage the right approach for them.
Challenge Traditional Thinking
I still run into organizations that believe perimeter protections are the best actions. Another perspective is to conduct security audits with some frequency. Two words: Game Over. While those are both required, security threats today are constant and unrelenting. Constant, evolving approaches are required today.
As we move to a more complicated approach to IT services (SaaS, Public Cloud, Private Cloud, On Premises, Edge Computing, Mobile, etc), the level of complexity grows. Now layer in that the data that we view as gold is spread across those services. The complexity is growing and traditional thinking will not protect the enterprise. Leveraging outsiders is one approach to infuse different methods to address this growing complexity.
One alternative is to move to a cloud-based alternative. Most cloud-based alternatives have methods to update their systems and applications without disrupting operations. This does not absolve the enterprise from responsibility, but does offer an approach to leverage more specialized expertise.
The bottom line is that our world is getting more complex and cybersecurity is just one aspect. The rate of complexity and sophistication from cybersecurity attacks is only growing and more challenging for enterprises to keep up. Change is needed, the risks are increasing and now is the time for action.