It’s Not Just Cybersecurity Management
Two takeaways from an explosion of cybersecurity chaos are:
- We continue to spend and expand the markets for cybersecurity technologies, yet
- The causes of the breaches increasingly point to a set of people/process vulnerabilities versus technological exposures.
If someone just dropped in from Mars, they might wonder why we spend so much on technology and spend virtually nothing on the base causes of attacks? My experience in Managed Security Services says that most companies today lack any sort of thoughtful strategy for defense against cyber attacks and have never bothered to create even a basic Risk Management Framework.
The Best Place to Start
While this is not rocket science, it seems that companies without a formal or even a designated CISO claim that they don’t know where to begin. Like most other apparently complicated problems, the best place to start is with a list and guideline (aka, a Risk Management Framework), like the current, revised version available free to anyone at NIST (The U.S. National Institute of Standards and Technology).
This particular framework will provide a disciplined and structured process that integrates risk management activities into your system development life cycle and will enable your executives to make better and more informed decisions. Making better risk decisions involves understanding what your information assets are and where they reside, the costs to protect and defend against a breach and the degree to which you are willing or able to accept varying levels of risk.
If you don’t know this stuff, it will be impossible for you to make any kind of risk decision, which is where I have found most businesses to reside on the threat landscape over the past five years.
There are several other elements that go into determining what is referred to as risk decision fidelity, which includes probability and quantitative and qualitative analysis, but long before it is necessary to go there, getting a simple risk management structure in place will elevate most businesses from “I have no clue” to “I now have a clue” which is like a 100% improvement over the current state.
Determine the Consequences
The formula is pretty simple and all companies, even small ones, can figure out how to implement some version of a Risk Management Framework (RMF). The first step is to identify both systems and data that are critical to business continuity by determining the adverse consequences to the organization if a breach causes organizational assets to become compromised. This includes the integrity and availability of operational systems and the information assets processed, stored and transmitted by those systems.
Know Your Data
The list should start with information assets, aka, data. This is not hard to do. It’s like inventorying your attic. You go up there and start identifying things by category. Pretty soon you will have a list of all your stored junk. You should approach your data in the same way. There are two primary objectives for this task. One, you will now know exactly what information you are storing so that when the regulators start dropping by (and they will soon), you will be able to tell them what PII you are storing and processing.
And two, you will have a good idea about what data needs to be protected and what doesn’t.
Understand Your Systems
Next, do the same thing with your systems. Some are critical, some aren’t. But some that aren’t critical, also provide gateways to those that are. There are tons of guidelines that will help you do this work.
Assess Security Controls
As you look at the NIST RMF, you will see the step that calls for assessing your security access controls. All of the steps are important but because you are simply trying to get a foundation in place, this is one step you should definitely obsess about. Getting controls in place and then testing them thoroughly will assure that you have a fundamentally secure system in place. Failure to do either will almost guarantee that you will be exposed. And if this risk management phase is not performed correctly, the ability to legitimately accept the risk is virtually impossible.
Another critical step is that of monitoring. The purpose of the monitoring step is to maintain an ongoing situational awareness about the security and privacy posture of the system and the organization in support of risk management decisions. Note that ongoing situational awareness as it relates to the organization goes to the root causes of most breaches, which is human error.
Whether it is falling for a phishing attack or inadvertently losing or misplacing key assets or credentials or risky mobile device behaviors or unchecked third party access, the greatest risk in cybersecurity emanates from people and processes. It is essential to any sort of cybersecurity or risk management program that employees at all levels (particularly at the CXO and board levels) fully understand and are continually aware of the potential threat categories and are aligning their behavior appropriately to those threats.
This requires continual education and training along with close attention to processes. The good news is that it is relatively inexpensive to get it done. The bad news is that it requires commitment from the top.
A Pragmatic View of Risk Management
NIST takes a very pragmatic view of the whole RMF requirement. It provides a slew of subcategories and offers suggestions for creating task lists and baselines so that we can measure progress against our objectives. It also recommends that companies incorporate regulations, emerging threats and technological advances. If it appears that updating and reworking cybersecurity systems is becoming cost prohibitive, NIST suggests that companies should strive to find a good balance between developing the best cybersecurity efforts possible at the most reasonable and affordable cost.
Don’t Do It Alone
This does not mean that companies can just blow off the fundamentals on cost alone. In order to create a basically secure environment, all companies should either run their own SIEM or hire a third party who can manage a fully functional, state-of-the-art SIEM/SOC and threat detection and prevention system for them. This usually doesn’t mean going to your MSP who is now magically an MSSP and buying their version of a SIEM service. You should find a provider who has a long track record of successful service delivery in the space with a sophisticated offering.
You cannot do this yourself and you should not try.
The formula for that balance between good security and cost should start with fundamental data and systems protection and include education, training and process hygiene, but any additional technology cost beyond the basic SIEM/SOC should likely not be required. Unless our information assets are so valuable or your systems integrity so necessary to provide continuity for a business model that produces significant returns daily to its shareholders or principals, it is unlikely that the most advanced cybersecurity technology will be required.
Supply and Demand
You don’t have to adopt the complete NIST RMF or hire a whole team of cybersecurity analysts. Even if you could find qualified candidates amid this deep and expanding gap between demand for skilled resources and available supply, you likely could not afford them or they more likely will not want to join your firm.
Because in any domain where demand far outstrips supply, it becomes a seller’s market and these particular sellers can call their own shots, which includes the desirability of their next employer. If you are ACH Foam Technologies in Kansas City, you can feel pretty sure that you will not be able to attract highly skilled cybersecurity warriors.
But just a few small steps and minimal expense will move you way up the ladder of prevention.
For a few thousand dollars a month (less than one headcount), a basic Risk Management Framework and a renewed focus on people and process, most businesses will be able to improve their current state of readiness by 100% and reduce their exposure to future breach by 98%.
With the dawning of GDPR and CCPA-like regulatory requirements shuffling into place across the country, you will have to do all of this anyway just to comply, so you might as well just bite the bullet and do it now. In fact, choosing a provider who is an expert not just in cybersecurity management but has also unwoven the complexity around today’s compliance mandates will save you not just a lot of regulatory fine money, but also the headaches that go along with trying to figure out which end is up.
Two vectors with one stone is always a good deal.