Three mistakes to avoid while setting up your cybersecurity program

In my previous article, I provided some guidelines to help SMBs set up a cybersecurity program. While that article focused on things to do, this article illustrates common mistakes so that you can avoid them.

Before I highlight the mistakes, let me ask three questions. Think of some answers before you continue reading, as a self-reflection:

  • What is the first step when I set up a cybersecurity program in my organisation?
  • How much budget do I need to allocate?
  • Who should I hire? Or what tool should I consider purchasing?

1- Skipping the security risk assessment

It might be good to systematically implement some of the common defensive techniques to reduce the risk of certain threat scenarios (e.g. backups against ransomware attacks, or MFA against phishing). Nevertheless, this approach is not always effective, and the implemented countermeasure might not correspond to your biggest security risk.

Draining your cybersecurity budget on a set of licensed security tools, or even hiring specialised security staff to pursue specific, predefined goals, might still leave your organisation exposed to other threat scenarios. Some of these threats could be mitigated while spending almost nothing. This is why performing a comprehensive cybersecurity risk assessment should be your first step; anything you do before that assessment should not be counted upon.

In fact, your adversaries are often aware of the most common defensive techniques and of their effectiveness, and probably have a way to bypass at least some of them. It doesn't matter which defensive technique you implement; what really matters is which defensive technique you are missing, and how long it would take a threat actor to find that gap.

2- Spending the entire available budget

As in any fight, the resources available to defend yourself are often constrained. The good news is:

"Attackers have bosses and budgets too."[1]

You might still argue that "each attack group might have a boss and a budget, but your budget is supposed to counter them all together". The answer is that defence doesn't necessarily require spending as much as all your adversaries do combined.

Rather, you need a winning strategy. By thinking one step ahead of any potential attacker, you can often optimise your spending by setting the right goals.

3- Hiring the wrong talent, or licensing the wrong tool

Many companies around the globe are still struggling to attract the right talent to set up, scale up or even replace their existing security staff [2]. Besides, the spectrum of skills needed for the various security roles varies considerably.

Finding a candidate who ticks all the boxes is probably beyond your reach, and you might not even need one anyway. This is why a good prior knowledge of the different security disciplines can help you focus on the right candidate. It also makes the discussion with the candidate more pleasant, which gives a good impression of the role. Let me list a few sets of security skills here:

  • Offensive Security, or Penetration Testing: the kind of skills needed to "break things", i.e. to attempt to compromise a system (the organisation's infrastructure or data).
  • Security Operations, Security Event Monitoring and Security Analysts: the kind of skills you need to build the so-called Security Operations Center (SOC), giving you better visibility on malicious traffic coming into or going out of your organisation.
  • Incident Response, Forensics and Threat Intelligence: these skills are often considered part of security operations, but can be dedicated or specialised roles.
  • Application Security, Product Security and Security Architects: these skills are dedicated to the long-term improvement of your security posture, by promoting security principles and best practices.
  • Security Governance: needed for leadership roles that bridge the gap between the technical team and the rest of the organisation. Compliance is often considered part of this category.

Keep in mind that the skills above illustrate only one dimension. You also need to take into account which tech stack the candidate is familiar with. Security in web, mobile, cloud or desktop applications might have things in common, but each involves knowledge specific to that tech stack or execution environment.

On the other hand, many security tools are marketed as the ultimate solution to most security problems. A typical decision maker usually focuses on keeping the business running securely, and a tool that "does it all" sounds like a perfect solution. I have already mentioned a number of limitations of some security tools in my previous article, so check it out.

Conclusion

The cybersecurity challenge for organisations is likely to keep growing in size and complexity. The mistakes highlighted in this article stem from wrong decisions based on misconceptions.

I think that overcoming these avoidable mistakes requires a shift in how business owners and decision makers perceive the cybersecurity challenge in their organisations.

More articles by Saber Ferjani
