Cybersecurity, IT, and the Board
Why Should Leadership Put Stock in Cybersecurity?
For decades, The Board just didn’t take cybersecurity as seriously as the IT Team did. Even the Senior Leadership Team (SLT) of an organization often failed to give cybersecurity the attention it needed. But in the last 5-10 years, due to highly public security compromises and losses, cybersecurity has finally become a priority at the highest levels of business.
Yet many mid-size and smaller organizations (less than 5,000 employees) continue to think the way larger organizations did ten or more years ago: “It can’t happen to us. Nobody is interested in our information.” They are wrong—period.
Less “valuable” information is usually easier to reach; such information is a “low hanging fruit” and is targeted by malicious agents more and more. This problem is universal—whether or not mid-size and smaller organizations have formal Boards, they still have SLTs with a responsibility to their investors and owners to adequately protect information. And today, a lot of pressing security problems require support and direction from top-level management and the Board.
The Global Cybersecurity Problem
The gap between the demand for cybersecurity expertise and the supply of it causes a threefold problem for global cybersecurity:
- Demand for talented cybersecurity professionals outstrips supply by over 1,000%. The net result is that technical cybersecurity professionals demand—and generally receive—much better compensation, which further results in a workforce defined by frequent job-hopping to larger salaries. Even the government (as of December 2016) is challenging colleges, universities, and the industry to find, train, and employ 100,000 cybersecurity professionals by 2020. The Information Security Certification Consortium (ISC²) recently projected a cybersecurity talent shortfall of as much as 1.8 million professionals by 2022. This shortage of skilled cybersecurity professionals means that all data and digital systems are at risk.
- Cybersecurity applications, solutions, and appliances are costly and often complex to configure and manage.
- Cybersecurity management teams within organizations are significantly under-staffed, not only because qualified people are hard to find but also because management doesn’t want to invest what is needed.
Many organizations, including some large ones, either still do not employ a dedicated cybersecurity management team independent of IT or simply add the responsibility of cybersecurity to the IT team. The latter approach is wholly inadequate. Cybersecurity regulations and data privacy regulations are onerous and ever more difficult to comply with without dedicated resources managing the organization’s cybersecurity operations—simply managing cybersecurity controls is insufficient. Organizations are, and will be, required to implement increasing amounts of governance to their cybersecurity programs to assure the SLTs (and perhaps the Boards) that all necessary and required steps are indeed being taken to protect the information for which each organization is responsible.
Below are big problems that management in some organizations claim they will address if (i.e. WHEN) they are compromised and if knowledge of the compromise becomes public. While this policy may be sufficient for preserving capital and expenses in the short term, it is a false economy. Sometimes it takes some or all of the SLT being fired in response to a breach or being sent to jail, or it takes the company going out of business—all of which can and do happen—for the weight of these problems to be adequately appreciated:
- Failure to properly protect information in compliance with regulatory requirements
- Inability to restore important business functions and services in a timely manner following an attack or breach
- Unauthorized incursions into corporate information
- Data leakage and theft of information
Silver Bullet Solutions
There are none. The answer is not technology, staff, or (necessarily) budget increases. If someone claims to be able to single-handedly solve these problems in the near term, or potentially even the mid-term future (5-10 years), he or she is most likely mistaken.
Perhaps you could solve all your security problems by hiring a “cybersecurity army” of experts, but even that would take years to build, and years more to imbue the “soldiers” with the necessary experience. Plus, the engineers needed to build this “army” are still studying in universities. Furthermore, even if you got your army, each engineer would solve cybersecurity issues his or her own way. So if there aren’t enough experts, and they wouldn’t agree on a solution anyway, what can be done?
Quite simply, it comes down to management practices. There’s an oft-forgotten information security mantra: Good information security or cybersecurity is a combination of administrative, logical, and technical controls. But there’s a key ingredient missing from this mantra: cooperation. People within the organization should be working towards the same goals.
The reason most organizations are so reluctant to invest in cybersecurity infrastructure is that so much of it is ineffectively deployed and managed, leading to high costs and unused potential. Many cybersecurity fixes are unnecessarily expensive because they attempt to fix the symptom of the problem and not the problem itself. Focusing on solving the problem, not the symptom, often reduces the financial commitment to cybersecurity, but it requires cybersecurity management policy to be dictated from the top down. This drives a simple, efficient posture that can clearly demonstrate a return on investment. The difference between money wasted and money well spent, in short, comes down to policy and not tools.
The Solution Starts with Support from the Board
The technical aspects of cybersecurity require technological products—each adding complexity to the solution and to management efforts. To minimize cybersecurity cost, labor, and support activities, it’s up to management to dictate policy. They can start by adopting a version of the well-known Occam’s Razor philosophy. Restated in cybersecurity terms, the philosophy teaches: Other things being equal (i.e. for the same level of cybersecurity), simpler solutions are better than more complex ones.
Less complex solutions are easier to manage (which means they will actually be managed); use configurations and produce results, reports, and logs that are easier to interpret (which means they will actually get read); and provide actionable info (which means the unexpected event will be detected and handled faster).
An organization could use the best technology in the world to address every known cybersecurity issue, but, if the technology is too cumbersome or complicated to be properly managed at a technical level and at an organizational level, it will likely offer limited defenses against a skilled intruder.
All of these technological solutions need to work together, use the same basic information about the organization’s environment, and produce results that other technologies and management can utilize to make effective decisions. With today’s powerful computers and applications, this should be a simple problem to solve—but it doesn’t appear to be simple. Why is that?
Building Your Cybersecurity Management Program
Good cybersecurity programs are always based on the Peter Drucker management adage: “If you can’t measure it, you can’t manage it.” In the cybersecurity world, this translates into “If you don’t know you have it, you can’t secure it!” Most organizations know they have a lot of IT solutions and systems but don’t know exactly what they have, where it is, what it does, how it’s been configured and secured, whether it’s been fully patched, who uses it, or what data and applications each system uses.
If organizations don’t know this basic information, how are they able to securely manage it? The following non-exhaustive list of actions will help them make positive progress:
- Start taking IT housekeeping activities seriously. Keep current, accurate records for hardware, software, configuration, and location. Companies have a tendency during initial growth to relegate these tasks to the back burner to be “done later.” But later never comes. You need to prioritize the initial boring grunt work, as it will later support more effective and efficient responses to security incidents.
- Promote rapid response to security incidents with current and accurate information. Incident response teams cannot respond rapidly to a situation if they spend minutes or hours trying to determine what went wrong, whether the problem is important, and how much effort should be spent on resolving the issue. Make sure your information infrastructure knowledge and records are helping your security team, not holding them back.
- Account for patch management schedule and lag time. Patch management tends to be a much slower process than advised by vendors. You also can’t patch something if you don’t know what it is, where it is, or what it does. You need to rigorously track your resources and your patch schedule.
- Commit to identifying and recording information about all IT assets used by the organization. Yes, it sounds like a mammoth task, but it doesn’t have to be. There are ways to effectively and efficiently audit and track this environment, creating an atmosphere of support for your security team.
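The housekeeping steps above boil down to two checks that can be automated once records exist: which hosts on the network have no inventory record, and how far behind the vendor’s release each recorded system is. The following is an added example, not code from the original article or from Novacoast; the inventory, the discovery-scan host list and the vendor release dates are all constructed sample data, and the 30-day lag threshold is an assumed policy value.

```python
"""Asset inventory reconciliation and patch-lag check (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    """One inventory record: what it is, where it is, what runs on it, when it was last patched."""
    hostname: str
    location: str
    software: str
    version: str
    last_patched: Optional[date]  # None means never patched or patch date unknown


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY: List[Asset] = [
    Asset("web-01", "DC-A rack 3", "nginx", "1.24.0", date(2024, 3, 1)),
    Asset("db-01", "DC-A rack 4", "postgres", "15.5", None),
    Asset("hr-app", "cloud-east", "hrms", "2.1", date(2023, 9, 15)),
]

# Constructed result of a network discovery scan: hostnames actually seen on the wire.
DISCOVERED: Set[str] = {"web-01", "db-01", "hr-app", "printer-7", "dev-box"}

# Assumed vendor release dates of the latest patch for each product (sample values).
VENDOR_RELEASE: Dict[str, date] = {
    "nginx": date(2024, 2, 14),
    "postgres": date(2024, 2, 8),
    "hrms": date(2023, 12, 1),
}


def unknown_hosts(inventory: List[Asset], discovered: Set[str]) -> List[str]:
    """Hosts seen on the network with no inventory record: you can't secure what you don't know you have."""
    recorded = {a.hostname for a in inventory}
    return sorted(discovered - recorded)


def patch_lag_days(asset: Asset, today: date, releases: Dict[str, date]) -> Optional[int]:
    """Days the asset has been behind the vendor's latest release; None if the product is untracked."""
    release = releases.get(asset.software)
    if release is None:
        return None
    if asset.last_patched is None or asset.last_patched < release:
        return (today - release).days
    return 0


def overdue(inventory: List[Asset], today: date, releases: Dict[str, date],
            max_lag_days: int = 30) -> List[Tuple[str, str, int]]:
    """(hostname, location, lag) for every asset whose patch lag exceeds the policy threshold."""
    result = []
    for a in inventory:
        lag = patch_lag_days(a, today, releases)
        if lag is not None and lag > max_lag_days:
            result.append((a.hostname, a.location, lag))
    return result
```

Running `overdue(INVENTORY, date(2024, 4, 1), VENDOR_RELEASE)` flags the database and HR systems with their locations, and `unknown_hosts` lists the two scanned hosts that nobody recorded; both lists are what an incident responder needs on hand before, not during, an incident.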
Record-Keeping for IT Assets Can Make Or Break Security
For an organization, thorough knowledge of all its IT assets and records, and how important they are to the organization, places it in a much better position to simplify its approach and makes security less complex to manage.
As a by-product, this knowledge also makes an organization’s approach much more secure, increasingly resilient, and harder to compromise. Organizations in general must manage their security and IT environments much more formally, which requires SLT or Board support. If this support isn’t given, sooner or later bad things will happen to their IT, and it will impact the entire organization, including the Board. Explaining the situation to the Board requires a non-technical, business approach. Any other explanation will fail. Once they understand what the problem is, why it exists, and how you propose to resolve it, most SLTs and Boards will realize that it is in their best interests to provide support.
So, What is the Formula for a Strong Security Posture?
Strong, supportive management leading skilled and enthusiastic IT and security teams, with the correct mix of documented requirements, processes, and technology, is all that is required to explain the inexplicable, reduce the complexity of current approaches, and simplify IT and security management.
Organizations increasingly need to maintain a strong yet flexible security posture to comply with ever-changing national, federal, and international regulation, especially in the area of data privacy. Infringement of some of these regulations is not only expensive and damaging to the reputation of the organization; increasingly, fines are also imposed on members of the SLT and potentially even Board members.
This is why alignment of security policy with business goals is essential. This is what will determine whether money is being wasted or prudently invested. It’s not always easy to translate between the languages of business goals and cybersecurity technology, but that’s our background here at Novacoast. It’s certainly a minefield, but one that can be successfully navigated with experience.