The volume, velocity, and impact of cyber-attacks create significant challenges for organizational leaders. Yet, unlike other business functions, cyber security rarely gets its fair share of proactive planning. Despite a lot of talk, my many years in Government and on the private side of the cyber security industry have yet to convince me of anything other than this.
This doesn’t mean resources are not made available. Often, huge amounts of time and money are poured into vendor deployments, yet all too often without the context and planning needed to guide those decisions. This is true for SMEs and industry-leading enterprises alike, as an ever more complex threat landscape meets the opposing force of fixed budgets to create a gnawing uncertainty about security posture. All of this leaves company decision-makers feeling isolated as they attempt to make sense of a myriad of countermeasures.
Much of this uncertainty can be removed by asking a few simple questions in advance. Ultimately, the most important thing is to understand the risk specific to the organization you are defending and to use that understanding to focus your efforts, rather than being distracted by the overall threat landscape. Protecting key assets should remain the primary task, however much events, social media, news and vendor marketing try to convince you otherwise.
Dig deep into these priorities. What actually needs to be protected? Is it core intellectual property? PII (personally identifiable information)? Continuity of operations? Customer call centers? Patient or client data? Initially you may answer ‘all of it’; however, decisions on priorities still need to be made. Core intellectual property cannot be replaced once it has been stolen, for example, while website defacement is not an existential threat to most organizations.
Once this is fully mapped out, the next task is to understand how an attacker could impact each of these business-critical functions, which of them represents the bigger concern, and what the possible cascade effects of malicious actions would be. Larger organizations may outsource this to a specialist, but that can be cost-prohibitive for smaller companies, which can start by identifying the cyber risks to their own PII and IP.
The next step is to identify the security issues that could affect these specific ‘at risk’ assets. There is a wealth of publicly available information to guide this process. The Center for Internet Security (CIS), for example, publishes guidance such as the CIS Critical Security Controls, and importantly much of it is not overly technical.
Strip this process back and you are left with a tailored list of what you are trying to protect, and from which attacks. From this foundation, it is far easier to make informed choices about exactly where precious resources should be invested. Often, as an unintended side-effect, the process also kickstarts a culture of basic security hygiene, for example a healthy patching routine or employee education programs.
Bottom line: simply running such a planning process brings awareness among senior stakeholders, insight and, perhaps most importantly, focus. These are all crucial in navigating the increasingly complex vendor landscape. As the CEO of a cyber defense company, I know there is a confusing plethora of products and services available which can confuse those charged with making critical defense decisions. My hope is that as people see where they are vulnerable, it relates to our strengths. What is abundantly clear, however, is that we must move on from the current practice of throwing cyber solutions at the problem without regard to an internal assessment of critical needs.