Dealing with shades of grey in cyber security
Kuldeep Naik
Global Cybersecurity Leader | Driving Business-Aligned Cyber Strategies & Innovation
Life is full of challenges and as we grow older, life tends to appear more challenging and brutal. In the world of cybersecurity, there are several gray areas that need to be addressed. Based on discussions with industry friends, listening to conferences and executive leaders, and reading industry reports, the following are some common challenges and anti-patterns that lead to a lack of clarity in cybersecurity at a high level, along with potential solutions:
1. Security is rarely considered when measuring job success - What percent of developers could vouch that their pay grade changed, or that they were rewarded, because they were security conscious?
Therefore, rewarding security-aware behavior and good security hygiene is necessary.
2. Security trainings aren't effective – Spending millions on tech can give some confidence to executives, but the major sources of cyber threats are found in human brains, in the form of curiosity, ignorance, apathy and hubris (introduced vulnerabilities in the code, didn't patch in time, clicked the wrong link).
Technology is a critical piece of the cyber security puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver. Security training is the best security investment.
3. Design isn't of significance, only delivery - more than 50% of security issues are introduced into the system before a single line of code is written. The right design and implementation are important. Testing isn't a solution.
Build processes to identify and fix, at the design and implementation phase, all issues known from the history of the company.
4. Unclear roles and responsibilities - what is expected, and how it needs to be done, is most important. You don't want your car driver to fly your chartered flight.
Bring clarity, hold people accountable. The right people for the right job. No more assumptions.
5. Not investing in the right areas, or not finding talent - Cyber security hasn't got its due yet. Knowledge, skills and abilities are limited.
Don't solve all the problems yourself. Make use of an MSSP (managed security service provider). As per industry reports, utilization of incident handling/forensics staff is about 30%. It is difficult to retain such talent.
6. Blind trust - unable to imagine insider attacks - Whether we like it or not, insider attacks are common, or an insider accidentally did something.
One solution that I'd suggest is:
i. limit access (zero trust model),
ii. limit opportunities, and
iii. reduce motives.
7. Business understands finance but not security - In most organizations, the security posture depends on leadership's understanding of security.
Try to spend more time with leadership and give insights into what is happening in the industry, the current risks the company is facing, and their impact in dollars.
8. The security posture of the company depends on multiple factors - leadership and their understanding of cyber security, standards, contracts, financial obligations, bank balance, shareholders, the industry you are operating in, your competition and so on.
It is getting better with time. Events like 2021's Log4j could fetch the attention of leadership. However, it is important to take a pragmatic approach to managing risk.
9. Missing governance - Security is a leadership topic. If they aren't taking responsibility, rest assured nothing will change. Weakness in security governance creates systemic gaps and vulnerabilities in the system and the culture.
Companies run because proper governance is in place. A balanced approach to security is important. Things cannot be changed in a day; it is a journey.
10. Culture doesn't always facilitate change - Changing culture certainly isn't easy, and it is the MOST difficult problem in dysfunctional organizations.
Leadership plays a major role here: emphasizing what is important, rewarding good behavior, discouraging bad behavior, modeling the behavior you want, and so on.
11. Competing goals and priorities are one of the biggest problems - Every role has a goal to achieve and will have well-defined priorities.
Build relationships with stakeholders, do the right messaging, and take a pragmatic approach to make progress.
12. Decisions are frequently made based on intuition rather than data - Ten people will have 11 different opinions when it comes to conflicting topics.
Take the help of data. It speaks for itself.
13. Missing attention to cyber security - Top leadership looks at KPIs, mostly finance, customer, and operations. What about security-related ones?
Try to get attention to the topic. There is no silver bullet unless a security incident creates havoc in the organization and you start losing customers.
14. Loads of assumptions - Statements like “I haven't seen a breach in my entire career” or “we are doing fairly well”.
Make use of data and educate people. Knowledge hesitates, ignorance is fearless.
15. Security is a technology topic - Everything can be solved using technology. This is one of the most bizarre things many believe.
Security is about people, process, culture, communication and, of course, technology too.
16. Change management is difficult - especially security-related changes, as they could potentially impact the entire company.
It is important to collaborate and gather the support of key people.
17. Security is a cost – no time for security; we are under tremendous pressure to deliver to the customer, blah blah.
If done the right way, security helps in generating revenue in the long run. Customers will pay additional money for better security.
18. Impulsive buying – 30% of tech is never used, as per industry reports. People in general want to buy all the software due to job insecurity or due to discounts. “We've world-class software in place but… an incident happened.”
It's not the software but the people who manage the software that are the challenge. Will a cost-benefit analysis reveal the reality?
In conclusion, cybersecurity is a complex and evolving field, and it is important to address the challenges that come with it. By following the potential solutions mentioned above, businesses can enhance their cybersecurity posture and minimize the risks associated with cyber threats.
General Manager & Global Engineering Leader at Contentstack | IIT Kharagpur | The Ohio State University | ISB
1 year · Kuldeep Naik Very well articulated. Security is one of the most critical parts of enterprise software. Thanks for sharing your years of wisdom.