When the storm over a cybersecurity event settles, it’s easy to look back on a seemingly obvious technical deficiency like an unsecured elastic search server or missing patch and point fingers. Most of the time, security leaders will voluntarily or involuntarily take the fall, and soon thereafter the organization will start a fresh security journey, with a newly installed security leader and blank check to “get it right” this time.
It’s sad to see these technical post-ops continue to be the norm, when evolving to a business and risk approach to cybersecurity can produce a much better outcome, even if a cybersecurity event happens. Imagine instead of the foregoing, the aftermath of a cybersecurity event produces a narrative along the lines of “We’re disclosing a cybersecurity event that we knew was possible, that we were able to effectively minimize thanks to appropriate focusing resources, and that we’ll be able to recover from thanks to appropriate planning, reserve funds and sufficient insurance.” That’s successful cybersecurity risk management in action.
The world unfolding in real time thanks to COVID 19 may be the spark that finally causes organizations to evolve beyond a predominantly technical approach to cybersecurity. As we’re seeing in real time, years of advancements in technology and medicine can’t definitely prevent something really bad from happening. Organizational leaders have to accept that reality and prepare accordingly. Further, and more immediately impactful, the days of the security leader’s blank check are over. It’s unlikely that security spending will be as susceptible to other budget areas, but it certainly won’t avoid the same level of scrutiny, with every dollar spent under the microscope for as far as the eye can see.
In preparation for this shift, it’s time for all stakeholders to learn how to play together nicely, and to prepare for this changing world post Covid19. There are more connected devices than ever, more of us will be working off-site, and the risks will only become more complex. Cyber risk is getting worse, but understanding and managing it needs to get better immediately. Below are the top three reasons why cybersecurity should no longer be just viewed as a technical problem.
Reason 1: The Technical Language Limits a Secure Understanding
The security industry speaks in a language only they understand, a limiting vocabulary for specific problems that they would like to communicate with and solve with their own internal community. We recently met with a CISO of a large healthcare organization. Like every good healthcare CISO, he was focusing on patient health information as the top priority. It surely made sense if you looked at things from a data perspective. Personal health records are the most valuable on the dark web. And given all the recent healthcare breaches and financial consequences, it’s on the top of every healthcare CISO’s mind we’ve spoken with. So all their security efforts were geared towards HIPAA compliance and the various HIPAA components in regard to safeguarding patient information. That was the language they were fluent in, cyberspeak, healthcare regulation and compliance dialect.
But after installing an evolved approach and solution, we quickly discovered a cyber risk that was completely off the radar. They were completely blind to the fact that they had manufacturing facilities producing a large supply of a critical blood testing compound, which could be impacted by a cyber event against the control systems. And they didn’t even have a firewall around the technology running these facilities. They never thought to look there because those operations didn’t use any protected health information.
Reason 2: The Technical Dollars Don’t Ensure Financial Sensibility
An important question security leaders often do not have the answer to is: “What does cybersecurity mean to us as a business?” Often they are focused on the technical solutions.
But in our uncertain times, it’s critical for the scope of impact to be examined from all sides of the business, and all risks to be considered and analyzed. There are cyber risks that go beyond a technical security mechanism that need to be accounted for, particularly if they can create a liability for the company that needs to be mitigated.
Imagine a CISO of a large petrochemical refinery, quite capable in understanding how to protect his perimeter. But regardless of security know-how, one of his biggest risks was an explosion caused by a cyber-attack that over-pressurizes valves at the facility. This CISO was completely blind to the fact that the company’s property insurance policy had an exclusion for cyber attacks. This is something we recently witnessed, and if an event like this would actually happen, it would cause billions in damages that could not be recouped from the insurance program. The voice of the dollar echoes far and wide, beyond the pure technology solutions and the CISO.
Reason 3: The Technical Reports Don’t Measure Quantitatively
Security leaders often measure success qualitatively, displaying colors in the shade of a traffic light to stratify risks and priorities. This will begin to change as budgets will be scrutinized more carefully by the CFO and other executives. And fiduciary responsibility will be heightened for board members, as more stakeholders will demand to know if the dollars are making an impact, and if the money for security is being allocated most cost-effectively.
The current state of a cybersecurity program will no longer be just a technology inventory or a gap analysis. It will be defined quantitatively as far as spending an appropriate amount to maintain the requisite technical maturity needed to protect against risk that an organization would otherwise face. Recognizing also that cyber risk scenarios are not created equally. Why should a CISO be allowed to spend $1 million dollars to only marginally decrease the probability that they would get hit with a $10 million-dollar event when concurrently they could spend the same $1 million dollars to more greatly reduce the risk of a $50 million event.
Cybersecurity is a business problem that requires a business solution. Stakeholders outside the security organization will never be tech gurus. But they can read financial statements and be able to quantify cyber risk from a cause and effect perspective. Our world may never be the same, but the framework to communicate cybersecurity is already in place. There are many tools to provide clear visibility into business impact and ensure both unity and security for the enterprise for many years to come.