Why You May Need To Get Out Of The Cybersecurity Business
Cybersecurity has never been easy, but as connected things and cyberthreats multiply — and Gartner says securing the mobile workforce has become an imperative — it is becoming even harder. This creates significant new challenges for organizations and their top leaders.
Gartner says that by 2024, three-quarters of CEOs will have personal liability for cybersecurity incidents that may hurt people, property or the environment. The firm expects such events to happen with increasing frequency. Gartner also adds that the financial impact of cyberattacks on cyber-physical systems resulting in fatal casualties is likely to exceed $50 billion by 2023.
As a CEO, you are always ultimately responsible for your business. But most of the time you can hire the right people to get the job done. If you run a manufacturing company, you can onboard experts to run your plants. You also can find scientists or people in disciplines such as logistics.
Hiring cybersecurity experts is another matter. The 2020 (ISC)² Cybersecurity Workforce Study says there is a shortage of more than 4 million cybersecurity professionals worldwide. HBR notes (paywall) that “cyberattacks are increasing at an alarming rate, but most companies don’t have the talent they need to adequately protect their data and their customers from growing cyber risks.”
Even when you can find cybersecurity experts, it can be hard to retain them. Competition for talent is fierce, and it puts you in a battle with the hottest technology companies. A recent Nominet report found that CEOs and CFOs stay aboard 8.4 and 6.2 years on average, respectively. CISOs only stay in their jobs 18 to 24 months on average.
Some companies make cybersecurity the job of technology generalists. This can lead to misconfigurations and significant underutilization of existing security investments.
Rethink Your Security Policies
Many technologies provide pretty good cybersecurity features out of the box. But they are only as good as how you set them up and configure features to support your security policy. Yet many companies do not spend enough time developing a global security policy, then asking how technology can support the policy.
Sometimes that is because companies overindex on the technology and believe that a collection of poorly integrated, best-of-breed software is enough to minimize their risk. But a loose collection of software may obscure important decisions needed to implement an effective global security policy, which is a cybersecurity best practice. Further, once a global security policy has been established, it takes a lot of time and effort to implement or update this policy across IT environments with an array of point security solutions. But if you use an integrated platform, you can typically push your security policy updates across your IT environment within seconds.
A common hallmark of an effective security policy is zero trust network access (ZTNA). ZTNA uses context or identity to create boundaries around applications. This hides applications from unauthorized parties. ZTNA also verifies the context, identity and policy adherence of those seeking to access applications. This limits the potential for unauthorized parties to access applications and stage lateral attacks.
Conduct An Audit Of Your Security Stack
It can be difficult to understand where things stand with cybersecurity, especially for a large organization. To get a handle on that, do a complete audit of your security technology stack.
I’m not talking about a security audit. What I’m referring to is an audit of your cybersecurity technology stack, how it’s implemented and what policies are in use.
This will help you understand what has and has not been implemented. For example, during a security audit, one company found security hardware in boxes under a desk. The generalist technician explained that he had not yet gotten around to implementing this costly gear.
Conducting a security audit will also enable you to learn what security policies are lacking. And you will get a better sense of your true level of risk.
Know What It Means To Be In The Security Business
Given the risks and challenges noted above, it’s important to understand the implications of handling cybersecurity on your own. Cybersecurity is not like other do-it-yourself (DIY) projects.
As a customer mentioned to us, you can build your own birdhouse, but don’t build your own security operations center (SOC). It’s just not the same level of DIY.
If you engage in DIY security, make sure you consider and address everything from hiring to implementation to maintenance — and all these things entail.
Identify Best Practices With MDR Provider Partners
You can avoid taking a DIY approach by using a managed detection and response (MDR) provider. (Full disclosure: my company is an MDR provider.) Now you won’t have to focus on tactical, day-to-day security. But you will want to work with your MDR partner to understand how to co-manage on strategic aspects of security, such as implementing the proper governance and educating staff on best security practices.
Ask yourself if you are comfortable having this partner respond to threats based on your playbook. This is important because if all a service provider can do is send you emails saying that things are going south, that’s not really helpful. You need someone to take action — fast.
Fast action is key because cyberattacks spread like wildfire and can create new costs every minute. According to a 2020 report from RiskIQ, the per-minute global cost of cybercrime is expected to reach more than $11 million by 2021.
Make sure you choose an MDR provider that can respond to threats on your behalf. Provide that company with a preapproved playbook so it knows how to respond to various scenarios. And empower the MDR provider to make the security policy changes that you need.
You can take a DIY approach to cybersecurity. But that can put you and your organization at a much higher risk. Ask yourself whether you should be in the cybersecurity business. Unless you are truly an expert in this complicated discipline, it’s often best to leave cybersecurity to the experts.
Separating yourself from the tactical day-to-day management of cybersecurity challenges will reduce your personal liability. More importantly, it will enable you and others in your organization to focus on the things that make a difference in moving your business forward.
Originally published on Forbes.