Cybersecurity breaches still make headline news almost daily, though companies spend more money than ever on people and defensive technologies. This existential crisis cannot be eliminated, but it can be much better managed.
Bad actors come in many forms, from well-funded nation-states to undertrained employees clicking on the wrong links. Conventional warfare pits one army against another on an open field. In cyberwar, you rarely see them coming.
We also operate in an increasingly distributed ecosystem. To chief information officers, sending everyone home in March 2020 felt like opening many new offices in one day. Employees, previously ensconced behind a firewall, suddenly seemed defenseless. Even without COVID-19, the shift toward software-as-a-service apps, mobile computing, and interconnected relationships has turned the perimeter into Swiss cheese.
Fortunately, companies can influence organizational behavior and reduce tactical errors to become more secure. The following are areas that many organizations need to address.
The average tenure of a chief information security officer (CISO) is two years, less than half that of a chief information officer (CIO). That results in a lack of continuity and of the ability to learn from mistakes. The high turnover comes from burnout and the pursuit of better-paying opportunities. CISOs also become sacrificial lambs when blame for a major breach gets assigned, causing many to wonder if CEOs have their backs.
CISOs often report to CIOs and are wary of conflicting objectives. CIOs can prioritize revenue-generating projects, broad digital transformation initiatives, and infrastructure-related, “keep the lights on” investments. While it is understandable to associate security with IT, it’s inherently a risk management proposition requiring cyber/technical acumen.
When treated as a risk issue, cybersecurity can become more an exercise in transference than mitigation. There are limited but not insubstantial costs of a breach that can be insured, but preserving reputation and resiliency is worth investment.
Decades of offshoring IT gutted early career ladder rungs. Lower but more realistic entry requirements, and certification programs, are wellsprings for the essential supply of new security talent.
Greater security comes with less convenience. Employees prefer the path of least resistance and may push back on security initiatives. No one likes logging in to applications using two-factor authentication, but it’s much safer. Trained employees become a human firewall.
Employees rarely see themselves as stewards of their own data, thinking IT has sole responsibility for securing it. Privacy regulations drive a welcome, lean data mentality, but security should never shoulder the full, or even primary, responsibility.
Gartner predicts that by 2025, 40% of corporate boards will have a dedicated cybersecurity committee. The work is evolving from periodic, rote reviews of qualitative traffic-light indicators on IT control framework checklists. Quantitative measures of risk exposure (e.g., Factor Analysis of Information Risk) are an improvement. Boards could assume a broader mandate to assess how well the management team protects and creates value from data while complying with privacy and other regulations.
Cybersecurity practitioners can be challenged to communicate with laypersons, compromising access to funding and crisis management. In addition, spending on cybersecurity can come in spurts following significant events; the pound of cure, not the ounce of prevention. Companies should treat security as a competitive advantage, not a regulatory burden to minimize.
Poor IT housekeeping. Numerous unglamorous but essential tasks get overlooked, like keeping software patched and Secure Sockets Layer (SSL) certificates up-to-date. Cyber risk rating firm BitSight measures attentiveness to these issues from the outside and quantifies the likelihood of a breach due to poor IT housekeeping.
Inadequate governance, risk, and compliance. Many companies lack security policies or fail to enforce them. NIST, ISO, and other standards bodies offer roadmaps to well-controlled environments, but many companies have yet to start the journey. Passing vendor risk assessments and being SOC 2 compliant (a voluntary standard from the AICPA) are becoming essential to keeping customers and growing revenue.
Outsourcing responsibility. Outsourcing to a managed security service provider (MSSP) is a well-established tactic, particularly for companies that need to secure resources quickly or that cannot hire and retain an adequate staff. However, the MSSP route can devolve into outsourcing responsibility for the program while satisfying compliance obligations. Let’s face it, no one should care more about a security posture than the company.
Vendor selection. Broadline vendors like Microsoft appeal to security customers in the pursuit of “one throat to choke,” functional interoperability, or bundled price discounts. While offering only foundational security tools, Microsoft will allow customers to integrate other best-of-breed vendors, usually SaaS-based and artificial intelligence-powered, to create defense in depth.
Trusting tools. People and processes are more important and should be considered before tool selection and implementation. Unfortunately, shiny new objects, and eager vendor sales reps, can obscure this truism.
Great exposures. Outside of heavily regulated industries, programs for two key attack surfaces are either immature or non-existent. Vendor risk management needs more attention because companies operate in an interconnected world, and security is only as strong as the weakest link. Almost every company has moved to the cloud in one form or another. However, many still have to address the fundamental data security and privacy compliance consequences. Confirming user identity and controlling administrative access to applications are related safeguards.
OT security. Colonial Pipeline’s breach highlighted vulnerabilities within operational technology (OT), the networks running critical infrastructure and manufacturing facilities. Plant-level engineers can wrongly assume that these systems are air-gapped or be reluctant to touch old code and shut down a line.
Flying blind. Data mapping gets dismissed as an exercise in painting the Golden Gate Bridge, yet without a map, how would a CISO know what to protect? Privacy regulation is driving better mapping, and companies should develop a comprehensive understanding of data assets.
Vulnerability by design. Facebook popularized moving fast and breaking things, and disruptive companies aspiring to unicorn valuations can cut corners. Even “normal” companies pay less attention to the security aspects of applications and new products than is wise.
Companies' cybersecurity challenges are not insurmountable. As with all worthy endeavors, companies must take collective action to become secure, resilient, and valuable.
Craig Callé is CEO of Source Callé LLC, a consulting firm focused on data security, GRC, vendor risk, ESG, and privacy. He is a former CFO of Amazon’s Digital Media and Books businesses and other companies and was an investment banker at Salomon Brothers.