Cybersecurity Chaos
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Two of the takeaways from the explosion of cybersecurity chaos over the last few years are: 1) we continue to spend more and expand the markets for cybersecurity technologies, yet 2) the causes of breaches increasingly point to a set of people and process vulnerabilities rather than technological exposures.
If someone just dropped in from Mars, they might wonder why we spend so much on technology and virtually nothing on the base causes of the attacks. My experience in Managed Security Services says that most companies today lack any sort of thoughtful strategy for defense against cyber-attacks and have never bothered to create even a basic risk management framework.
While this is not rocket science, companies without a formal, or even a designated, CISO often claim that they don't know where to begin. Like most other apparently complicated business things, the best place to start is with a list and a guideline (aka a Risk Management Framework), like the one available to anyone from NIST (the US National Institute of Standards and Technology) in Special Publication 800-37.
This particular framework provides a disciplined and structured process that integrates risk management activities into your system development life cycle and enables your executives to make better-informed decisions. Making better risk decisions involves understanding what your information assets are and where they reside, the cost to protect them and to defend against a breach, and the degree to which you are willing or able to accept varying levels of risk. If you don't know this, it will be impossible for you to make any kind of risk decision, which is where I have found most businesses to reside on the threat landscape over the past five years.
There are several other elements that go into determining what is referred to as risk-decision fidelity, including probability estimates and quantitative and qualitative analysis, but long before it is necessary to go there, getting a simple risk management structure in place will elevate most businesses from "I have no clue" to "I now have a clue", which is roughly a 100% improvement over the current state.
The formula is pretty simple, and all companies, even small ones, can figure out how to implement some version of a risk management framework (RMF). The first step is to identify the systems and data that are critical to business continuity by determining the adverse consequences to the organization if a breach compromises those assets. This covers the confidentiality of the information assets processed, stored and transmitted by your systems, as well as the integrity and availability of both the operational systems and the information itself.
The list should start with information assets, aka data. This is not hard to do. It's like inventorying your attic: you go up there and start identifying things by category, and pretty soon you have a list of all your stored junk. Approach your data the same way. There are two primary objectives for this task. One, you will know exactly what information you are storing, so that when the regulators start dropping by (and they will, soon), you can tell them what PII you are storing and processing, and where. Two, you will have a good idea of what data needs to be protected and what doesn't.
Next, do the same thing with your systems. Some are critical, some aren't. But some that aren't critical in themselves provide gateways to the ones that are: a low-value system that can reach a critical one needs to be protected to the critical one's level. There are plenty of guidelines that will help you do this work.
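To make the two inventory steps concrete, here is an added example (written for this edit, not code from the article or from NIST) that categorizes data and systems the way the RMF's first step asks for. It applies the high-water-mark rule from FIPS 199/200 (a system's category is the highest of its confidentiality, integrity and availability impact levels, including the impact levels of the data it stores) and then walks the "connects to" graph so that a low-value system that can reach a critical one is flagged as a gateway and raised to the critical system's protection priority. The asset names, impact ratings and connections in SAMPLE_DATA and SAMPLE_SYSTEMS are a constructed, hypothetical inventory; substitute your own.

```python
"""Asset inventory with FIPS 199 style categorization and gateway propagation.

Added example for this edit; the sample inventory below is constructed, not real.
"""
from collections import deque
from dataclasses import dataclass, field

# Impact levels from FIPS 199; the high-water-mark rule takes the maximum across C, I and A.
IMPACT = {"low": 1, "moderate": 2, "high": 3}
LEVEL = {v: k for k, v in IMPACT.items()}


@dataclass
class DataAsset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    pii: bool = False
    stored_on: list = field(default_factory=list)  # systems that store or process it


@dataclass
class System:
    name: str
    integrity: str = "low"
    availability: str = "low"
    connects_to: list = field(default_factory=list)  # systems reachable from this one


def high_water_mark(*levels):
    """Highest impact level among the given C/I/A levels."""
    return LEVEL[max(IMPACT[level] for level in levels)]


def categorize_data(data_assets):
    return {d.name: high_water_mark(d.confidentiality, d.integrity, d.availability)
            for d in data_assets}


def categorize_systems(systems, data_assets):
    """A system inherits the impact levels of every data asset it stores."""
    categories = {}
    for s in systems:
        levels = [s.integrity, s.availability]
        for d in data_assets:
            if s.name in d.stored_on:
                levels += [d.confidentiality, d.integrity, d.availability]
        categories[s.name] = high_water_mark(*levels)
    return categories


def protection_priority(systems, system_categories):
    """Raise each system to the highest category it can reach, transitively (BFS).

    A 'low' system that connects to a 'high' one is a gateway and must be
    protected as 'high'. The seen set keeps cycles in the graph from looping.
    """
    graph = {s.name: list(s.connects_to) for s in systems}
    priority = {}
    for start in graph:
        best = IMPACT[system_categories[start]]
        seen = {start}
        queue = deque(graph[start])
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            best = max(best, IMPACT[system_categories[node]])
            queue.extend(graph.get(node, []))
        priority[start] = LEVEL[best]
    return priority


def gateways(systems, system_categories, priority):
    """Systems whose protection priority exceeds their own category."""
    return sorted(s.name for s in systems
                  if IMPACT[priority[s.name]] > IMPACT[system_categories[s.name]])


def pii_inventory(data_assets):
    """What PII is held and where: the list the regulator will ask for."""
    return sorted((d.name, tuple(d.stored_on)) for d in data_assets if d.pii)


def build_report(data_assets, systems):
    data_cats = categorize_data(data_assets)
    sys_cats = categorize_systems(systems, data_assets)
    prio = protection_priority(systems, sys_cats)
    return {
        "data_categories": data_cats,
        "system_categories": sys_cats,
        "protection_priority": prio,
        "gateways": gateways(systems, sys_cats, prio),
        "pii_inventory": pii_inventory(data_assets),
    }


# Constructed sample inventory (hypothetical names and ratings).
SAMPLE_DATA = [
    DataAsset("customer_records", "high", "moderate", "moderate", pii=True, stored_on=["crm_db"]),
    DataAsset("marketing_brochures", "low", "low", "low", stored_on=["web_server"]),
    DataAsset("payroll", "high", "high", "moderate", pii=True, stored_on=["hr_app"]),
]
SAMPLE_SYSTEMS = [
    System("crm_db", "moderate", "moderate"),
    System("web_server", connects_to=["crm_db"]),      # public front end that talks to the CRM database
    System("hr_app", "moderate", "moderate"),
    System("print_server", connects_to=["web_server"]),  # reaches crm_db only via web_server
    System("backup_nas"),                                # isolated, stays low
]

if __name__ == "__main__":
    for key, value in build_report(SAMPLE_DATA, SAMPLE_SYSTEMS).items():
        print(key, value)
```

In the sample, web_server and print_server are both "low" on their own, yet both end up with a "high" protection priority because they can reach crm_db; that is exactly the gateway case the paragraph above warns about, and it is the kind of system that tends to be left off the protection list.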
As you look at the NIST RMF, you will see the step that calls for assessing your security controls. All of the steps are important, but because you are simply trying to get a foundation in place, this is the one step you should obsess about. Getting controls in place and then testing them thoroughly is what gives you a fundamentally secure system; failure to do either will almost guarantee that you are exposed. And if this assessment is not performed correctly, you cannot legitimately accept the residual risk, because you do not know what it is.
Another critical step is monitoring. The purpose of the monitoring step is to maintain ongoing situational awareness of the security and privacy posture of the system and the organization in support of risk management decisions. Note that ongoing situational awareness, as it relates to the organization, goes to the root cause of most breaches, which is human error.
Whether it is falling for a phishing attack, inadvertently losing or misplacing key assets or credentials, risky mobile device behavior or unchecked third-party access, the greatest risk in cybersecurity emanates from people and processes. It is essential to any sort of cybersecurity or risk management program that employees at all levels (particularly at the CXO and board levels) fully understand and are continually aware of the potential threat categories and align their behavior accordingly. This requires continual education and training along with close attention to processes. The good news is that it is relatively inexpensive to get done. The bad news is that it requires commitment from the top.
NIST takes a very pragmatic view of the whole RMF requirement. It provides a slew of sub-categories and offers suggestions for creating task lists and baselines so that you can measure progress against your objectives. It also recommends that companies keep the framework current with changes in regulations, emerging threats and technological advances. Where updating and reworking cybersecurity systems threatens to become cost-prohibitive, NIST suggests striking a balance between the best cybersecurity effort possible and a reasonable, affordable cost.
This does not mean that companies can just blow off the fundamentals on cost alone. To create a basically secure environment, all companies should either run their own SIEM or hire a third party who can manage a fully functional, state-of-the-art SIEM/SOC and threat detection and prevention service for them. This usually doesn't mean going to your MSP, who is now magically an MSSP, and buying their version of a SIEM service. Find a provider with a long track record of successful service delivery in the space and a sophisticated offering. For most businesses, building and staffing this in-house is not realistic, and you should not try.
The formula for that balance between good security and cost should start with fundamental data and systems protection and include education, training and process hygiene; additional technology spend beyond the basic SIEM/SOC should rarely be required. Unless your information assets are so valuable, or your systems' integrity so essential to the continuity of a business model that produces significant daily returns for its shareholders or principals, the most advanced cybersecurity technology is unlikely to be needed.
You don't have to adopt the complete NIST RMF or hire a whole team of cybersecurity analysts (which is good, because you can't). Just a few small steps and minimal expense will move you well up the ladder of prevention. For a few thousand dollars a month, a basic risk management framework and a renewed focus on people and process, most businesses will be able to improve their current state of readiness by 100% and reduce their exposure to a future breach by 98%.
With GDPR-like regulatory requirements shuffling into place across the country, you will have to do all of this anyway just to comply, so you might as well bite the bullet and do it now.
Two birds with one stone is always better.
IT Consulting and Business Mentoring
6 years ago
Worth noting that the base problem is the internet's foundation, the open IP protocol. Until this is attended to strategically (a huge investment), nothing will change from the hacking perspective: plumbing the leaking foundation will always lead to more leaks from the upper levels.