If you’ve been in the cybersecurity field for a while, you’ve probably noticed that there’s less emphasis on formal disaster recovery and business continuity plans than there used to be. CISOs still create them, but they are no longer the centerpiece of security operations. As security technology evolved, people began to focus on technology solutions that they hoped would prevent problems altogether.
There’s some magical thinking involved in that, and ironically, one of the biggest struggles CISOs face now is how their organizations think about cybersecurity problems: namely, that there shouldn’t be any. That’s not the world we live in. Incidents themselves are not the issue; the belief that some product can eliminate every weakness is. We need to rethink cybersecurity to accommodate this reality and build a holistic response for when problems inevitably arise.
Cybersecurity Incidents and the Reactive Loop
At too many companies today, a reactive loop plays out whenever the organization experiences a cybersecurity incident. The company usually reacts by purchasing a new software product that can allegedly prevent such incidents in the future. Inevitably, another incident happens, and the loop starts again.
This is destructive because it crowds out a more integrated and proactive response. One explanation for the cycle is that as security products incorporated artificial intelligence (AI) and machine learning (ML), people began to put too much faith in their power to eliminate problems. AI and ML are powerful tools, but they aren’t magic, and a detection model still misses what it has not been trained or tuned to see.
Meanwhile, company networks remain at risk, and the average cost of a data breach has grown to more than $4 million. Along with this, organizations may have to absorb other costs that are not included in the original tally, such as higher cyber insurance rates and damage to the organization’s reputation with customers, partners and job candidates.
Organizations can break out of the reactive loop by rethinking cybersecurity and making the business case for an integrated approach. The first step is accepting that there are no perfect solutions, which shifts the focus from tools to desired outcomes. The next step is to calculate the cost of downtime and disruption and use those numbers to advocate for a more comprehensive approach.
Reduce Complexity by Focusing on Outcomes
Modern threats like ransomware and social engineering are more sophisticated than before, and they target users as the weakest link. That’s even more true with millions more people working from home, which has expanded the attack surface. To counter these threats, new security solutions have flooded into an already crowded marketplace.
The availability of new solutions isn’t a negative development, but a growing marketplace does make it harder for CISOs to sift through the options and build a security stack that works for their organization. The right model depends on the assets that have to be protected, along with the organization’s size, workforce, region and infrastructure.
Focusing on desired outcomes instead of tools can give CISOs the clarity they need to break the reactive pattern and adopt a more proactive approach. In practice, that means recognizing that replacing a tool may be necessary but is never sufficient: the organization accepts that incidents will occur and addresses them with technology, people and processes together. This mindset is necessary because repeating the same pattern and expecting a different outcome is untenable.
The Business Case for a Different Strategy
The way security executives once justified investments in disaster recovery and business continuity plans can inform how CISOs make the business case for a holistic strategy today: document the cost of downtime and the potential revenue loss from a breach, then propose a comprehensive plan to reduce that exposure. Those numbers provide a sound argument for investment.
Another point CISOs can make in a business case for change is that threats are proliferating at such a rapid pace that protecting assets requires agility. The reactive model closes the barn door after the horse has escaped, whereas a proactive model anticipates emerging threats across multiple vectors and drives mitigative action across people, processes and technologies.
Third, because the attack surface has expanded, CISOs need broad cooperation to address distributed threats. They have to collaborate with business unit executives, contractors, supply chain managers and others to counter them, and stay current on emerging threats through law enforcement and security analysts. Because internal resources are limited, most will also need a partner to execute a truly all-encompassing approach that includes employee training.
CISOs who seek cybersecurity partners should evaluate prospective partners’ ties to a solution (or ecosystem) and ensure that the partner agrees that people, processes and technologies are all essential components of the strategy. In other words, CISOs should ensure partners aren’t trying to sell them a particular product and agree that a holistic approach is best.
The strategy should start from outcomes and an inventory of the assets that require protection, then develop and deploy the appropriate safeguards (hardware, software, staff and services) to achieve the company’s security goals. It should include detection and response services as well as remediation services that help the organization recover from an incident.
When vetting potential partners, ask to speak with a customer who has worked with the partner through a breach, and inquire about training services and recommended processes. This prescription recognizes reality, namely that security incidents will occur, and addresses them fully.
That’s the only way to break the reactive pattern. CISOs who successfully make the business case for change can build a strategy capable of managing the scale of the challenge they face today. It requires rethinking cybersecurity and focusing on outcomes instead of tools, but that part of the business case should be the easiest to make, since we already know that relying on tools alone doesn’t work.
Peter Trinh is SME -- Cybersecurity at TBI