Our organization is simply not a target. We’re not going to be breached. We have the best-in-breed technology in place to prevent a massive security incident. Our organization has a rigid perimeter, with a soft, chewy center. You know, like a tootsie pop. We’re well postured to stop the external attacker. Slowly, the nagging noise of my alarm clock rudely nudged me from the dream world. It was back to reality. Ironically, these statements weren’t and aren’t fiction.
Think about it. Do you treat your technology as a cost center, or is it a business enabler? If the former is true, the bigger question you should be asking is: by not adequately prioritizing cybersecurity, am I putting our company and others at risk? I’ll let you answer that.
Poll from CSG Cybersecurity Event
Your Job Could be at Stake (at minimum)
The Equifax breach is still fresh on everyone’s mind, and for good reason. Amid mounting pressure, the top executives stepped down.
What is almost certain in today’s breaches is that if one occurs, the top officials are going to be under a lot of pressure, and potentially have their jobs put at risk. Don’t misread this as fear-mongering; it is a sobering reality that should motivate any CEO into some form of self-preservation. Most importantly, the cascading effects of a major breach may not be known for years. Never let a breach go to waste.
Breaches are case studies, lessons learned, and pearls of wisdom that, if applied, can make your organization more secure. Integrating this mantra from the ground up simply won’t work. It is critical that it start from the leadership.
It’s a Business Risk, Not an IT Risk
Too often technology is used as a compliance checkbox. Do we have a SIEM? Check. Do we have a firewall? Check. Do we have a patch management program? Check. Do any of these systems, or the alerts they generate, ever get checked? Well, um, no. But we bought the best in the Quadrant, so we’re covered, right? Well, no. Not even the best-in-breed technology can be set and forgotten about. It is time to stop thinking our security technology is the sole answer. Because the business leverages technology to function, it’s necessary for the business to assess those systems, and the security of those systems, as an overall business risk and not just an IT risk.
People, Processes and then Technology
Preventing such a large breach or even incident is nearly impossible—at least today. Against the most determined adversary, it is truly only a matter of time. The weakest link in many incidents is the human element, and it is often the area that gets the least amount of attention. It is time to focus effort on that area, before addressing the technical aspects of security. Your new priority list for cybersecurity might look similar to this:
- Develop a cybersecurity strategy and communicate it to all areas of the business.
- Prioritize your adversaries and have each business unit participate in enumerating who your adversaries might be.
- Understand what your adversaries are after.
- Understand your security resources on hand (people).
- Hire or outsource what you do not have in house.
- Continuously train and educate all personnel and tailor training to fit their role.
- Identify the cybersecurity technology gaps that exist and use the above priorities to fill them.
Although not comprehensive, this list may allow you to arrive at a new conclusion or even strategy for your security program, or even your business. Michael Riggs, CEO of Jack Cooper Holdings Corp, may have put it best by saying, “Any CEO who’s not putting [cybersecurity] at the top of their priority list is crazy.”
It’s only a matter of time until your organization is targeted, and even the best-in-breed technology isn’t bulletproof. Acknowledging that cybersecurity is a business problem, not just an IT problem, will foster a culture where security isn’t just a cost center or a required set of checkboxes, but rather a tool to better enable the business.
Matt Hosburgh is a passionate security practitioner, currently working as a Cyber Threat Hunter. He has over 14 years of experience in a variety of security disciplines, which includes experience supporting systems and networks for the Intelligence Community and as a Senior Security Analyst for United States Citizenship and Immigration Services (USCIS).
Matt holds a graduate degree from the SANS Technology Institute and maintains several GIAC certifications, including the GSE.