Congratulations, you lead a significant company with smiling investors and lots of upside. But you also recognize that you’ve accumulated a pile of incredibly valuable proprietary and customer data and that, in this day and age, you’re one ugly click away from a public relations nightmare, loss of hard-earned IP, and fines or lawsuits that could severely harm the company. The worst part is, you don’t really know if you’re protected enough.
You’ve been given assurances by in-house technical support but in a language you don’t speak. You want security, but you’ve got a competitive business to run and you can’t be slowed down. You’ve been told that the “cloud” has to be leveraged in order to remain competitive, but you’re not really sure what that means.
You’ve authorized a lot of money for cyber security products but have no idea if your risks have been lowered.
Fundamentally, you need to know: is my data secure, whether parked or moving, and who can access it?
The good news is, there are ways to answer these questions with high confidence. But most companies don’t know how to think about cyber security in a strategic way.
And, in a sense, who can blame them? The problem of illicit access to data by Internet intruders, and the immense cyber security industry that has been created in response, is tremendously complex. Most companies aren’t sure what the right approach should be.
We know something’s not working: at no time in our history has more money been spent on cyber-security-related products and services, and yet at no other time have we been more successfully attacked. For over ten years we’ve seen high-profile data thefts and compromises that have embarrassed and financially injured well-known companies. Yet these attacks continue today, successfully, almost weekly. Something’s not right. Why hasn’t this problem been fixed?
The primary reason is that many companies do not think of defending themselves in a strategic way, or of managing cyber threats as a corporate risk. Instead, money is flung at standard “anti-this-or-that” products focused on building a perimeter wall that, time and again, bad guys have breached or insiders have rendered moot.
In fairness to senior decision-makers, the large cyber security industry that has grown up over the last decade and a half is incredibly crowded and noisy. It’s hard to know what is truly needed and effective. And, truth be told, the cyber security product world is not particularly incentivized to ultimately fix the problem of cyber attacks.
Some companies may still believe that sufficient law enforcement deterrence will mitigate cyber attacks. Sadly, this is a crime problem like no other before it. The anonymity and remote access afforded by the Internet make the arrest and incarceration of bad actors a rare occurrence. Attacks are going to increase, not decrease.
As such, companies must take responsibility to adequately protect themselves. No one is going to ride to the rescue.
There still may be companies who believe that they are not logical targets for attack and intrusion due to their relatively small size or “uninteresting” products or services. Today, everyone is fair game and an attractive target for at least two reasons.
First, all companies have data that can be monetized by criminal elements. Customer and employee data has terrific value in a now sophisticated black market of personal data that can be resold for any number of nefarious purposes.
Second, most companies today are part of a larger supplier ecosystem. While your product might be “uninteresting” nuts and bolts, it may be part of a supply chain that finds its way into a power plant. Many successful intrusions into sensitive industries begin with a compromise of a supplier’s system.
In our interconnected global economy, hardly anyone swims alone. Responsible cyber security is a must.
Cyber security is daunting but it can be demystified and made exponentially more effective and cost-efficient if companies are willing to take a more strategic approach to the problem than what is common today.
The first step is to gain needed perspective by making an honest, objective assessment of where the company stands in its ability to protect itself. Without such an assessment, a strategic plan will simply be an intuition plan.
A good assessment will inform a strategy by evaluating threats, vulnerabilities, current protections, and resilience. That sounds basic, but in our experience many companies struggle even to identify, and agree upon, which data is their most important.
Armed with a baseline understanding, cyber security decisions become more informed, targeted, and efficient. This is especially helpful as technology enables or, in some cases, even forces companies to make choices that have tremendous security implications.
Two current dynamics have IT professionals scrambling: connectivity to remote devices and leveraging cloud services. Businesses are being forced down these pathways, like it or not, in order to remain competitive. But both come with significant security ramifications.
Cloud solutions, in particular, are highly attractive since, at minimum, they enable scaling without adding infrastructure. But “the cloud” also seems counter-intuitive to a more secure data environment. After all, why take data out of your own filing cabinets and put it in someone else’s? It doesn’t seem to make sense until the advantages, including security advantages, are demonstrated. As companies digitize more and more data, the potential attack vectors increase. The right cloud solution will actually reduce the attack surface.
Think about the way organizations already store and manage their most precious “data”, their money. Companies don’t keep their accounts receivable in a lock box in someone’s desk. Income is put in a bank for optimum security and convenience of transaction. Banks are a money cloud. Account holdings are ones and zeroes.
Cloud service providers act in an analogous way with valuable corporate data. But, like banks, there are many to choose from with differing cost and value propositions. Selecting the right provider should be informed by a cogent cyber security and financial strategy; it is more than simply an IT decision.
When trying to solve for cyber protection, don’t simply allocate larger IT budgets to be spent on fixes, patches and the latest cyber security products. Instead, define an organizational digital strategy that will support and foster business operations (outline the core business processes and their dependence on technology). Next, create a map of the digital ecosystem that captures internal technology assets, external applications, communication channels and other Internet-facing “things” (e.g., an office smart TV). This exercise will help to quantify the organizational value at risk. Based on that value, the company can then decide how much risk it can tolerate and how much risk needs to be hedged. Bigger doesn’t mean better; create an IT infrastructure that is custom-made to fit the direct business needs.
Kevin R. Brock (Founder, BrockCRS)
Mr. Brock brings a rare mix of experience from the highest level of the FBI, the Office of Director of National Intelligence, acclaimed management firm Booz Allen Hamilton and his own entrepreneurial initiatives.
Michael Abboud (CEO, TetherView)
Mr. Abboud has more than 15 years of Healthcare and Business Technology experience leading teams across multiple industries to successful outcomes. His early career was in global operations assisting with transitioning IT platforms at Goldman Sachs.