The $100 billion-plus cybersecurity industry has failed corporate America. Despite all the advancements, there are still near-daily incidents in which millions of people's sensitive data leaks, or some other crime is committed. Allegations that foreign adversaries tampered with our national elections make the consequences real. Yet when it comes to securing sensitive data or keeping the bad guys out, most organizations still do not seem to understand what it actually takes and how hard it really is.
Cybersecurity is a complex endeavor, but its goal is simple enough. It comes down to your company’s ability to answer one basic question: Are we safe?
Taking Stock: Current Industry Approaches Aren’t Working
Security products exist for almost every known attack vector, and companies swallow them up like candy. Still, bad actors hone new strategies and unleash new attack methods faster than the security industry can adequately address them. According to Verizon's 2018 Data Breach Investigations Report (registration required), there were 2,216 confirmed data breaches last year and more than 53,000 incidents that required investigation. And small enterprises are anything but immune: they accounted for 58% of breach victims.
Because they deploy all the latest security products, many organizations believe they're safe. The numbers say otherwise. Ponemon Research indicates that, despite the glut of prevention tools, nearly two-thirds of small to midsize businesses find that exploits and malware evade their firewalls and perimeter defenses, and 81% find that malware evades their anti-virus solutions. Many organizations are already compromised but don't know it, because they lack the monitoring and detection systems, and the people, needed to notice. Throwing money at the problem hasn't improved things, so companies must rethink their strategies.
Evaluate Your Security Posture As A Physician Would
Many companies talk about the need for a holistic approach to security, but not enough practice what they preach. That has to change. We should think about cybersecurity the way we think about our own health. Is perfect health achievable? I'm not a doctor, but I'll venture a guess and say no, not really. But if our vital organs are in excellent shape and the only issue is a few excess pounds on the scale, that's a pretty good outcome.
A proactive, holistic view avoids the reactive, tunnel-vision approach to cybersecurity in which companies plug gaps in their defenses as they arise, acquiring point products for endpoints and network infrastructure that operate in silos and leave the company vulnerable overall. By contrast, a holistic approach is a complete program that considers everything necessary for cyber health and hygiene, much as a world-class athlete is cared for by a doctor, a conditioning coach, a trainer, a nutritionist and others.
What is your organization's security posture today? What should it look like ideally? What are you doing to get there? What should you change if you're not on track? A successful approach draws input and involvement from stakeholders across departments and up and down the company ladder, then implements policies and procedures along with the teams and systems to carry them out. It assesses risk practically and secures assets by a variety of means, in proportion to their value and importance to the organization.
Sound Security Involves Setting Priorities
It's important to step back out of the weeds and identify the critical assets and business processes that must stay safe and secure. This means taking a big-picture view of the organization, with visibility into everything that makes it function. Be outcome-driven, and recognize that you can't prevent everything: the belief that prevention alone can keep attackers out is a myth. The key is continuous monitoring and a practiced response to the threats that do get through.
What are the hearts and lungs of your organization, whose health is absolutely essential? Do you house sensitive data records or host proprietary information? The National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework that helps firms prioritize resources and data assets according to their criticality. The framework also organizes cybersecurity activities into five functions: identify, protect, detect, respond and recover.
Detect, Respond And Recover
Addressing these functions means organizations must go well beyond putting protection in place once they've identified and prioritized key assets. They must be able to detect threats, respond to them once they've bypassed protective controls, and recover as quickly as possible to limit the damage.
The detection phase requires continuous, 24/7 monitoring: cybercriminals not only work odd hours, they reside all around the globe. Successful monitoring requires skilled security analysts and engineers to sift through alerts and triage potential threats while setting aside the myriad false positives their systems generate. The same expertise is then needed to respond, hunt down the threat and remediate whatever it touched. When a breach turns into lasting damage, it is largely because an inadequate response left the organization unable to recover.
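As an added illustration of the triage step described above (this is not code from the article; the alert lines, asset inventory, rule severities and allow-list are all constructed for the example), here is a small Python triage pass. It parses SIEM-style alert lines, collapses repeats of the same alert, suppresses combinations the team has already investigated and classified as false positives, and ranks what remains by rule severity weighted by the asset's business criticality. That weighting is where the priority-setting from the previous section feeds the detection phase: a beacon from the customer database outranks a port scan from a developer's test box.

```python
"""Alert triage: rank detections by asset criticality and suppress known-benign noise.

Added example, not from the original article. The alert lines, the asset
inventory, the rule severities and the allow-list are all constructed.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: the "hearts and lungs", ranked by business criticality (1-5).
ASSET_CRITICALITY = {
    "db-prod-01": 5,    # customer records
    "hr-fileshare": 4,  # employee PII
    "web-prod-02": 4,   # public web tier
    "dev-box-17": 1,    # disposable developer machine
}

# Constructed severity of each detection rule (1-5).
RULE_SEVERITY = {
    "malware_detected": 5,
    "c2_beacon": 5,
    "brute_force": 3,
    "mass_file_read": 3,
    "port_scan": 1,
}

# Constructed allow-list: (rule, host) pairs already investigated and classified as
# false positives, e.g. the nightly backup job that trips the mass-file-read rule.
KNOWN_BENIGN = {
    ("mass_file_read", "hr-fileshare"),
}

# Constructed SIEM-style alert lines.
SAMPLE_ALERTS = """\
2018-05-01T02:13:07Z host=db-prod-01 rule=c2_beacon src=10.0.5.21 dst=203.0.113.9
2018-05-01T02:14:11Z host=dev-box-17 rule=port_scan src=10.0.9.3 dst=10.0.9.0/24
2018-05-01T02:15:30Z host=hr-fileshare rule=mass_file_read src=10.0.2.8 dst=10.0.2.40
2018-05-01T02:16:02Z host=web-prod-02 rule=brute_force src=198.51.100.7 dst=10.0.1.10
2018-05-01T02:16:05Z host=web-prod-02 rule=brute_force src=198.51.100.7 dst=10.0.1.10
2018-05-01T02:17:44Z host=unknown-host rule=malware_detected src=10.0.7.7 dst=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) rule=(?P<rule>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    src: str
    dst: str
    count: int = 1  # how many identical alerts were collapsed into this one


def parse_alerts(text):
    """Parse alert lines; lines that do not match the expected format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(Alert(**m.groupdict()))
    return alerts


def dedupe(alerts):
    """Collapse repeats of the same (host, rule, src) into one alert with a count."""
    merged = {}
    for a in alerts:
        key = (a.host, a.rule, a.src)
        if key in merged:
            merged[key].count += 1
        else:
            merged[key] = Alert(a.ts, a.host, a.rule, a.src, a.dst)
    return list(merged.values())


def score(alert):
    """Priority = rule severity x asset criticality.

    A host missing from the inventory gets the top criticality: an asset you did
    not know you had is a visibility gap, not a low-value system.
    """
    crit = ASSET_CRITICALITY.get(alert.host, 5)
    sev = RULE_SEVERITY.get(alert.rule, 3)
    return sev * crit


def triage(text):
    """Return (queue, suppressed); queue is sorted highest priority first, then oldest first."""
    queue, suppressed = [], []
    for a in dedupe(parse_alerts(text)):
        if (a.rule, a.host) in KNOWN_BENIGN:
            suppressed.append(a)
        else:
            queue.append(a)
    queue.sort(key=lambda a: (-score(a), a.ts))
    return queue, suppressed


if __name__ == "__main__":
    queue, suppressed = triage(SAMPLE_ALERTS)
    for a in queue:
        print(f"{score(a):3d}  {a.host:14s} {a.rule:18s} x{a.count}  src={a.src}")
    print("suppressed:", [(a.host, a.rule) for a in suppressed])
```

Two design points worth noting. The allow-list is keyed on (rule, host), not on the rule alone: the backup job on the file server is benign, but the same rule firing on the database is not, and suppressing by rule would throw away exactly the alert that matters. And the unknown host is scored as critical rather than ignored, because an unrecognized machine is precisely the kind of gap in "complete visibility" the previous section warns about.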
Once a company follows the NIST framework and addresses each of these functions with a holistic, outcome-based approach, it can answer the question "Are we safe?" with a yes it can back up.