Three Cyber Risk Theories: Timeless Security Strategies for Today and Tomorrow
In my last article, "Three Considerations for the Next Frontier in Cyber Risk," I outlined three critical areas organizations should consider when preparing for future cybersecurity risks. These were addressed in full during my session at CDW’s Executive SummIT in Dallas, Texas last month, which can be viewed at the end of this article.
Technology innovation, while necessary, creates more change (and cyber risk) for us to navigate. Most organizations are transforming their digital ecosystems or optimizing their current business processes in some way. As the pace of change accelerates, cyber risk proliferates. So how do we prepare for the next arc of digital transformation, and with it, the next frontier in cyber risk?
Below I introduce three cyber risk theories with practical steps you can take as you prepare your organization for current and future cyber risks.
Theory #1: Systemic Cyber Risk Disruption
This theory suggests that systemic cyber risk is disrupted through careful and consistent focus on limiting the reach of future incidents.
The more attack paths you expose to threat actors, the more opportunities for them to find and exploit exposures. How does your organization limit its exposures and the reach of potential security incidents? Three strategic actions to consider include:
1. Reduce the avenues of potential attack
2. Remove non-essential interconnections
3. Minimize concentration risk
I recommend organizations start by identifying classes of potential attack points to remove. For example, remove reliance on passwords and replace them with passwordless, phishing-resistant multi-factor authentication (MFA). Additionally, phase out VPNs that provide unfettered access and instead use single application access solutions. Finally, consider your organization's concentration risk. As technology consolidation continues to increase (and we adopt more platforms over point solutions), evaluate how deeply concentrated your organization’s risk is becoming with monolithic platforms. While you may not be able to fully eliminate concentration risk, it is possible to minimize and manage it.
Theory #2: Business Language Blending
This theory suggests that blending cyber and business risk language garners greater support for security programs and resource needs.
The focus of this approach comes down to communication. Using the business’s lexicon, speak to the value of security programs by demonstrating how they support the business. Three strategic actions to consider include:
1. Articulate the value of security through the lens of business value
2. Align security costs to customer acquisition and retention costs
3. Help Finance grok security as a “cost of sales” and R&D expense
For instance, removing passwords not only reduces the avenues for potential attack but it also reduces friction for your coworkers—saving them time while increasing productivity. Communicate how your security program contributes to generating revenue by enabling sellers, be it through reducing friction in the sales process or by building trust with prospects and customers. This will help reduce the perception of security being solely a support function and culminate in better program resourcing.
Theory #3: Cyber Efficiency Innovation
This theory suggests that optimizing existing resources has an equal or greater chance of providing more value than procuring a new solution.
Sometimes the biggest security impact comes from extending the value of existing capabilities and solutions rather than adding new ones. Three strategic actions to consider include:
1. Maximize outcomes of current investments
2. Leverage native solution capabilities
3. Automate the basics
Consider the current technology stack your organization has in place—are the security solutions being utilized to their full potential? Are the solution capabilities properly tuned, managed and monitored? Have all the available integrations been activated? Equally, have you leveraged the full suite of capabilities from your native solutions? Oftentimes, your native capabilities may have untapped security value to harness.
The last and most important action is to automate the basics. Many of today’s top security incidents are a result of a basic security failure: a missing patch, MFA bypass, a missing agent on a workstation. Automation ensures enforcement, configuration persistence, and self-healing when controls stop working or decay over time.
Do these three cyber risk theories resonate with you? Watch the video below for the full presentation, which covers the above in more detail, with steps to consider as you navigate the future of cyber risk.
Share your thoughts or questions in the comments below.
I help founders sell their services in MENA region | Generated over $1.1M deals from my client in 9 weeks
10 months ago: Cybersecurity isn't just about defense; it's a language, an efficiency game, and a key to innovation. Marcos
Chief Technology Officer at Crunch
11 months ago: Interesting theories, would love to learn more. What are your thoughts on the strategic actions outlined in the article? - Marcos Christodonte II, NACD.DC
Founder and CEO DDN, DDN.QTE, Conference Board ESG Center Fellow, PwC Partner (Ret.), USC Marshall Professor (Fmr.),
11 months ago: Thanks for the insight Marcos Christodonte II, NACD.DC and love systemic risk being the first theory and your recommendations. #QTE leadership. #corpgov
CEO @ SnapAttack | The threat hunting, detection engineering, and detection validation platform for proactive threat-informed defense
11 months ago: Well said Marcos Christodonte II, NACD.DC! The more we can evolve to a risk-based vernacular, the more we can move beyond talking about specific technologies and trends to solve technical problems without business context. Unrelated note, I love that you incorporated your talk along with your article to add more value to the article. Made me want to both read and watch and I appreciated both.
Co-Founder & CEO at Armis
11 months ago: Thank you for sharing Marcos Christodonte II, NACD.DC, great article.