Cybersecurity Chaos

Two of the takeaways from the explosion of cybersecurity chaos over the last few years are that 1) we continue to spend on and expand the markets for cybersecurity technologies, yet 2) the causes of the breaches increasingly point to a set of people and process vulnerabilities rather than technological exposures.

If someone just dropped in from Mars, they might wonder why we spend so much on technology and virtually nothing on the root causes of the attacks. My experience in Managed Security Services says that most companies today lack any sort of thoughtful strategy for defense against cyber-attacks and have never bothered to create even a basic risk management framework.

While this is not rocket science, it seems that companies without a formal or even a designated CISO claim that they don’t know where to begin. Like most other apparently complicated business things, the best place to start is with a list and a guideline (aka a Risk Management Framework), like the one available to anyone from NIST (the US National Institute of Standards and Technology).

This particular framework provides a disciplined and structured process that integrates risk management activities into your system development life cycle and enables your executives to make better and more informed decisions. Making better risk decisions involves understanding what your information assets are and where they reside, the costs to protect and defend against a breach, and the degree to which you are willing or able to accept varying levels of risk. If you don’t know this stuff, it will be impossible for you to make any kind of risk decision, which is where I have found most businesses to reside on the threat landscape over the past five years.

There are several other elements that go into determining what is referred to as risk-decision fidelity, including probability and quantitative and qualitative analysis, but long before it is necessary to go there, getting a simple risk management structure in place will elevate most businesses from “I have no clue” to “I now have a clue”, which is like a 100% improvement over the current state.

The formula is pretty simple, and all companies, even small ones, can figure out how to implement some version of a risk management framework (RMF). The first step is to identify both the systems and the data that are critical to business continuity by determining the adverse consequences to the organization if a breach causes organizational assets to become compromised. This includes the integrity and availability of operational systems and the information assets processed, stored, and transmitted by those systems.

The list should start with information assets, aka data. This is not hard to do. It’s like inventorying your attic. You go up there and start identifying things by category. Pretty soon you will have a list of all your stored junk. You should approach your data in the same way. There are two primary objectives for this task. One, you will now know exactly what information you are storing, so that when the regulators start dropping by (and they will soon), you will be able to tell them what PII you are storing and processing. And two, you will have a good idea about what data needs to be protected and what doesn’t.

Next, do the same thing with your systems. Some are critical, some aren’t. But some that aren’t critical in themselves also provide gateways to the ones that are, and those need to be treated as critical too. There are tons of guidelines that will help you do this work.
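The two inventory steps above (list your data and whether it needs protection, then list your systems and mark the critical ones, gateways included) can be captured in a small script. The following is an added example, not code from the article or from NIST; every asset name, data class label and reachability edge in it is constructed sample data, and the "protect / internal / public" labels are an assumed classification scheme. It goes one step beyond the text by propagating criticality backwards along the gateway relation to a fixed point, so a build server that can reach a jump host that can reach the PII database is flagged as well.

```python
"""Inventory of data assets and systems with gateway-aware criticality.

Added example, not code from the article. It implements the two inventory
steps the text describes: list the data you store and whether it needs
protection, then list systems and mark the critical ones, including
non-critical systems that act as gateways to critical ones.
All asset names, data classes and reachability edges are constructed sample
data; the classification labels are an assumption for illustration.
"""
from dataclasses import dataclass, field

# Constructed data-class inventory: the label says whether the class needs protection.
DATA_CLASSES = {
    "customer_pii": "protect",
    "payment_cards": "protect",
    "marketing_collateral": "public",
    "build_logs": "internal",
}


@dataclass
class System:
    name: str
    stores: set = field(default_factory=set)    # data classes held on this system
    reaches: set = field(default_factory=set)   # systems this one can open a session to
    declared_critical: bool = False             # critical for continuity regardless of data


def needs_protection(data_class):
    """True when the data class is labelled as needing protection."""
    return DATA_CLASSES.get(data_class) == "protect"


def pii_locations(systems):
    """Map each protected data class to the systems holding it
    (the list a regulator will ask for)."""
    locations = {}
    for s in systems:
        for d in sorted(s.stores):
            if needs_protection(d):
                locations.setdefault(d, []).append(s.name)
    return {d: sorted(names) for d, names in sorted(locations.items())}


def classify(systems):
    """Return {system_name: reason} for every system.

    A system is critical when it is declared so, holds protected data, or can
    reach a critical system. Reachability is propagated backwards to a fixed
    point, so the chain ci_server -> jump_host -> crm_db marks both the jump
    host and the CI server as gateways.
    """
    reason = {}
    for s in systems:
        if s.declared_critical:
            reason[s.name] = "declared critical"
        elif any(needs_protection(d) for d in s.stores):
            reason[s.name] = "holds protected data"
    changed = True
    while changed:
        changed = False
        for s in sorted(systems, key=lambda x: x.name):
            if s.name in reason:
                continue
            targets = sorted(t for t in s.reaches if t in reason)
            if targets:
                reason[s.name] = "gateway to " + ", ".join(targets)
                changed = True
    for s in systems:
        reason.setdefault(s.name, "not critical")
    return reason


def critical_systems(systems):
    """Names of systems that need protection, gateways included."""
    return {n for n, r in classify(systems).items() if r != "not critical"}


# Constructed sample inventory.
SAMPLE = [
    System("crm_db", stores={"customer_pii"}),
    System("payments", stores={"payment_cards"}, declared_critical=True),
    System("jump_host", reaches={"crm_db", "payments"}),
    System("ci_server", stores={"build_logs"}, reaches={"jump_host"}),
    System("marketing_site", stores={"marketing_collateral"}),
    System("wiki", stores={"build_logs"}),
]

if __name__ == "__main__":
    for name, why in sorted(classify(SAMPLE).items()):
        print(f"{name:16} {why}")
    print("protected data locations:", pii_locations(SAMPLE))
```

Run as-is it prints one line per system with the reason it is (or is not) critical, followed by where each protected data class lives. The point of the fixed-point loop is that a "harmless" build server does not stay harmless once it can reach a jump host that reaches customer data; that is the gateway case the paragraph warns about.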

As you look at the NIST RMF, you will see the step that calls for assessing your security controls, access controls included. All of the steps are important, but because you are simply trying to get a foundation in place, this is one step you should definitely obsess about. Getting controls in place and then testing them thoroughly will ensure that you have a fundamentally secure system. Failure to do either will almost guarantee that you will be exposed. And if this phase of risk management is not performed correctly, legitimately accepting the residual risk becomes virtually impossible, because you don’t actually know what it is.

Another critical step is monitoring. The purpose of the monitoring step is to maintain ongoing situational awareness of the security and privacy posture of the system and the organization in support of risk management decisions. Note that ongoing situational awareness, as it relates to the organization, goes to the root cause of most breaches, which is human error.

Whether it is falling for a phishing attack, inadvertently losing or misplacing key assets or credentials, risky mobile device behaviors, or unchecked third-party access, the greatest risk in cybersecurity emanates from people and processes. It is essential to any sort of cybersecurity or risk management program that employees at all levels (particularly at the CXO and board levels) fully understand and are continually aware of the potential threat categories and are aligning their behavior appropriately to those threats. This requires continual education and training along with close attention to processes. The good news is that it is relatively inexpensive to get done. The bad news is that it requires commitment from the top.

NIST takes a very pragmatic view of the whole RMF requirement. It provides a slew of sub-categories and offers suggestions for creating task lists and baselines so that we can measure progress against our objectives. It also recommends that companies incorporate regulations, emerging threats and technological advances. If updating and reworking cybersecurity systems appears to be becoming cost-prohibitive, NIST suggests that companies should strive for a balance between the strongest cybersecurity effort possible and the most reasonable and affordable cost.

This does not mean that companies can just blow off the fundamentals on cost alone. In order to create a basically secure environment, all companies should either run their own SIEM or hire a third party who can manage a fully functional, state-of-the-art SIEM/SOC and threat detection and prevention system for them. This usually doesn’t mean going to your MSP, who is now magically an MSSP, and buying their version of a SIEM service. You should find a provider who has a long track record of successful service delivery in the space with a sophisticated offering. You cannot do this yourself and you should not try.

The formula for that balance between good security and cost should start with fundamental data and systems protection and include education, training and process hygiene, but any additional technology cost beyond the basic SIEM/SOC should not be required. Unless your information assets are so valuable, or your systems’ integrity so necessary to provide continuity for a business model that produces significant returns daily to its shareholders or principals, it is unlikely that the most advanced cybersecurity technology will be required.

You don’t have to adopt the complete NIST RMF or hire a whole team of cybersecurity analysts (which is good, because you can’t). Just a few small steps and minimal expense will move you way up the ladder of prevention. For a few thousand dollars a month, with a basic risk management framework and a renewed focus on people and process, most businesses will be able to improve their current state of readiness by 100% and reduce their exposure to a future breach by 98%.

With the dawning of GDPR-like regulatory requirements shuffling into place across the country, you will have to do all of this anyway just to comply, so you might as well bite the bullet and do it now.

Two birds with one stone is always better.

Andrew G.

IT Consulting and Business Mentoring

6 years ago

Worth noting that the base problem is the internet foundation - the open IP protocol. Until this is attended to strategically (huge investment), nothing will change from the hacking perspective: plumbing the leaking foundation will always lead to more leaks from the upper levels.


More articles by Steve King, CISM, CISSP
