Cybersecurity professionals are often considered wizards of their mysterious art. But just how important is cybersecurity and how well is it understood in your organization? And is it really protecting your organization?
Cybersecurity should be treated as a business-outcome-driven decision. Let’s talk about why cybersecurity is still largely misunderstood and why there’s increasing push-back against additional spending.
Here’s an exercise that shows how inconsistent our understanding of cybersecurity really is:
Think About Bank Security
Securing a physical bank is easy to understand. You’ve got cameras, locks, bulletproof glass, and maybe even an armed security guard. We all accept that from time to time a bank is robbed: that was one determined bad guy, and he’ll probably get caught. We don’t think much more about it.
But when a digital bank is robbed (hacked) we’re all up in arms and want to know who’s at fault.
We react with everything from government regulation, new compliance initiatives, firing leadership (think Equifax), and certainly demanding cybersecurity technology changes.
Why the double standard? It’s simple. Fear, uncertainty, and doubt encircle what we don’t understand.
But all too often, the controls that protect a digital bank are viewed as a mysterious black box. That thinking makes for bad decision-making.
Oftentimes business leaders are asking all the wrong questions!
- How much did we spend? (Spend doesn’t equal protection)
- What reports can I share with the board? (A report on something outside your control, such as attack volume, says nothing about the underlying problems)
- Are we compliant now? (Compliance is not the same as protection)
- What’s our financial risk? (A single dollar figure doesn’t help daily decision-making or prioritize the best security investments)
- What tools do we need? (Choosing tools before people and process is a recipe for disaster)
- What are the common threats to us? (You have no control over threats, only over your own priorities and readiness)
- And how much security do we need? (Nobody really knows…)
And in worst-case scenarios, business decisions are being made that are largely disconnected from the realities of cybersecurity risk. Executive decision-making demands a new level of scrutiny. Everything from product development to business strategy must place security front and center.
By not placing the right priority on cybersecurity, more than reputation and dollars are at risk. A study by Vanderbilt University researchers used hospital data to correlate mortality rates with data breaches. They found that, in the years after a breach, as many as 36 additional deaths per 10,000 heart attacks occurred annually.
“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”
Aging operating systems, unvetted or unmaintained open-source tools and platforms, outsourcing work to insecure third parties, and failing to build security into all core processes are just some of the problems that must be addressed.
Clearly, there needs to be a new level of conversation and consideration in executive business decision-making.
So how do we get there?
The best cybersecurity initiative is one that envelops a solid understanding of an organization’s business context. This includes everything from the balance sheet to the people, processes, and technologies that drive business outcomes.
Without this clear understanding, the investments needed to protect the organization will be difficult to define.
Follow best practices, at a minimum. The ISO/IEC 27000 series (ISO 27001 in particular) and the NIST Cybersecurity Framework are popular frameworks for securing an organization. Build tools, processes, and policies around these standards.
Measure levels of protection using security audits that verify not only that controls exist but that they are actually in use. What’s needed is a clear picture of how well an organization is actually protected rather than an inventory of which tools it has bought.
In the 2019 enforcement actions over the International Consolidated Airlines Group (British Airways) and Marriott International data breaches, the main consideration was “Whether or not there was adequate, reasonable, consistent, effective data security to protect people’s data.”
Research firm Gartner, Inc. recommends the CARE standard for cybersecurity:
- C: Consistent: How do your controls perform over time?
- A: Adequate: Do your controls meet the demands of core business requirements?
- R: Reasonable: Are your controls appropriate, fair, and moderate in light of business needs?
- E: Effective: Are your controls successful in producing the desired results?
Clearly, cybersecurity must be better understood at all levels of an organization. Executive leaders must balance the need of running a profitable business with the best possible security program. Cybersecurity cannot be viewed as a “black box,” and must be part of all business decision-making.
Tightening privacy laws like the California Consumer Privacy Act and the EU’s General Data Protection Regulation demand increased cybersecurity awareness and proactive action.
Cybersecurity must be baked into all our processes, products, and the way our organizations think.