A Brave New World
Cyber security is making its way to the forefront of every enterprise’s agenda. Even for organizations that are not at the point where it’s an overwhelming priority, it’s a safe bet that cyber security is an area of deep concern in their boardrooms. As we delve deeper into the 21st century, enterprises that have been operating successfully for years and even decades with very little thought to digitization, let alone cyber security, scramble to address the challenges of a cyber space full of threats.
This danger is only made more real in the minds of decision-makers as the media reports a new high-profile cyber attack almost every week. Over a period of weeks in early 2017, the WannaCry ransomware disrupted businesses across the globe, affecting multiple sectors and industries. Before organizations even had a chance to catch their breath, NotPetya struck just weeks later, delivering another devastating blow to a number of sectors and industries that were still recovering from the previous ransomware crisis. According to industry reports, cyber attacks are becoming more frequent and only increasing in scope.
So how do businesses react to this new challenge? Businesses throw money at the problem.
In a 2017 report, research and advisory firm Gartner forecast that global spending on enterprise security would reach US$96.3 billion in 2018, an increase of 8% from 2017.
This is a good thing, right? They are focused on security and are spending money in the best interest of security. Good. Great. Problem solved. Or is it?
In the mad dash to beef up enterprise security and protect their assets from cyber threats, many fall into some bad spending habits.
Fear of Loss
In the face of an immediate threat, the natural reaction is to stand up defenses with all haste. This is exactly the approach that businesses are taking, and understandably so, as they are most concerned with avoiding loss. Much of cyber security spending is framed within the scope of how much money the business would lose in the event of a potential cyber security attack. In fact, one of the most commonly used practices for selling cyber security solutions is to make the fear real for the decision-maker. This fear-based approach helps sell solutions but leads to poor spending practices such as supplementing existing business systems with cyber security requirements, investing in focused, specialized solutions, and spending budgets in a reactive, short-sighted manner.
This approach, which many businesses take, is the equivalent of treating each cyber security requirement that crops up as one tree in a vast forest of similar requirements. Businesses are dealing with each tree on its own, as they come upon it, when they should consider the whole forest in order to navigate it properly.
As the old saying says, “They can’t see the forest for the trees.”
Image source: https://mariekalake.com/2017/05/15/i-cant-see-the-forest-for-the-trees/
The Cyber Security Transplant
Many of today’s businesses function on systems and processes that were created before today’s rapid digitization and were designed without taking those implications, cyber security being one of them, into account.
As business leaders and decision-makers come to recognize the need for cyber security processes and solutions to do business in this new era, the most common approach is to supplement their existing systems and processes with cyber security solutions. Since the transplant of added security functions and requirements exceeds what many of these established processes were originally designed to carry, enterprises end up with unintended and less-than-efficient results.
Doing One Thing Well
If a business is presented a need for firewalls to lock down network activity and secure its people, there is no question that it would be a valuable and worthwhile spend. The general practice after this would be to determine what requirements the business would have of a firewall solution and go out shopping. Shortly after that, if the need for a patch management solution is brought up, the determination could be easily made that this brings value to enterprise security and represents an urgent need, as well. This would prompt another search for a solution, this time for patch management. In the end, the sensible choice would be a vendor who performs that one specialized function the best and for the most reasonable price. And then, it’s on to the next problem to solve.
This kind of implementation is not uncommon. It makes sense. It’s straightforward. There are clear results. There’s no need to fix something that isn’t broken, right?
It’s easy to fall into the practice of addressing requirements as they arise; however, there are drawbacks to spending enterprise security budgets on tactical point solutions. It’s difficult to gauge whether the money being spent on point solutions is the most effective use of that money. Without an overarching strategy, spending occurs as each need arises and does not take into account the relative priority of those needs. Additionally, there is the risk of overly complex systems. An enterprise that goes long enough building a cyber security program in this manner will eventually have a program that is an unwieldy, Frankenstein-like amalgamation of technologies that do not talk to each other or work together. Any deficiencies in the system become difficult to diagnose, as well.
The Knee-Jerk Response
In the two scenarios above, the spending is not only on point solutions, but also reactionary. A need arises, the business spends. An audit finds the need for around-the-clock monitoring, and the business goes shopping for a Managed Security Services Provider. A company gets hacked, and it goes shopping for incident response consultants. This practice of reactionary spending lacks strategy and contributes to the many pitfalls that spending on point solutions gives rise to, such as difficulty in gauging the cost-effectiveness of solutions and a short-sighted approach to spending.
Every new cyber security problem is just another tree in the forest, and enterprises are dealing with them on a case-by-case basis without any thought to what other trees they may encounter in this forest or how much more forest there is to travel.
Cyber Security is Everything
To some, it may not be clear how these challenges of building a cyber security program arise, but they are rooted in the fact that cyber security is a relatively new business challenge.
Enterprises accept cyber security as a reality of doing business in a modern world, but approach it as a new component or tool to be added to existing business processes. This is simply not the case. Cyber security changes the way business is done and affects all business processes. Cyber security is everything.
Businesses that hope to implement highly effective cyber security strategies have to adopt a holistic approach to building those strategies. They have to take a step back and consider their organization as a whole and how cyber security changes every part of it.
Image source: https://www.newscientist.com/article/2075030-who-do-you-think-you-are-4-rules-can-help-you-know-yourself/
Sun Tzu said, “If you know the enemy and you know yourself, you need not fear the result of a hundred battles.”
An effective cyber security program is built on this very same tenet. The foundation of a cyber security strategy is a thorough assessment to identify the enterprise’s assets, critical business processes, and the threats to those assets and processes. A comprehensive accounting of these things will enable an accurate risk assessment to determine the priority in which those risks need to be addressed.
From the Ground-up
Armed with the knowledge gained from a comprehensive assessment, enterprises can begin to craft a strategy for their organization that takes into account the whole and not just its disparate parts. A holistic approach provides the ability to visualize how the enterprise is implementing security within the organization from end to end.
A strategy formulated in this manner has the advantage of looking at all the risks that a company must deal with and prioritizing them by severity, impact to the organization, cost, opportunities to integrate solutions together, and level of difficulty to implement.
There may be a low-priority risk that needs addressing which could cost the same as a high-priority risk the enterprise had not taken stock of before; with both in view, the enterprise would have the ability to weigh the two spending decisions against each other. Conversely, a medium-priority item that costs more than four low-priority items might have to wait longer to be addressed, unless a decision-maker has resolved that the medium-level risk is time-sensitive and would like to mitigate it sooner.
These decisions are complicated and involve serious consideration, but they could not even be considered at all without a full picture of an organization’s risk profile.
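The trade-offs described above can be made concrete with a small risk-register model. The following is an added example, not code from the original post: it scores each register entry on the dimensions the post names (severity, impact, cost, difficulty), funds mitigations under a fixed budget, and shows how flagging one medium risk as time-sensitive changes which items get funded. The register entries, the weighting formula, the budget figure and the `flag_time_sensitive` helper are all constructed assumptions for illustration.

```python
"""Budget-constrained prioritization of a constructed risk register.

Added illustration (not from the original post). The scoring formula and
the register below are assumptions chosen to show the trade-offs, not a
standard or a vendor's method.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int            # 1 (low) .. 5 (critical): likelihood-weighted severity
    impact: int              # 1 .. 5: business impact if the risk is realised
    cost: float              # estimated cost to mitigate, in budget units
    difficulty: int          # 1 (easy) .. 5 (hard) to implement
    time_sensitive: bool = False  # a decision-maker has flagged it for early action


def risk_score(r: Risk) -> int:
    """Raw risk = severity x impact (1..25), independent of what fixing it costs."""
    return r.severity * r.impact


def value_per_cost(r: Risk) -> float:
    """Risk reduction bought per unit of spend, discounted for implementation
    difficulty (10% per difficulty step above 1). Cheap, high-risk fixes float
    to the top; expensive medium risks sink, as in the post's four-low-items case."""
    return risk_score(r) / (r.cost * (1 + 0.1 * (r.difficulty - 1)))


def prioritize(risks, budget):
    """Return (funded_names, deferred_names, remaining_budget).

    Time-sensitive items are funded first, highest raw risk first. Everything
    else is funded greedily by value_per_cost; an item that no longer fits is
    deferred and the loop continues to cheaper items. Greedy is not optimal
    in general (this is a knapsack problem), but every decision it makes can
    be explained to a decision-maker in one sentence."""
    remaining = budget
    funded, deferred = [], []
    urgent = sorted((r for r in risks if r.time_sensitive), key=risk_score, reverse=True)
    rest = sorted((r for r in risks if not r.time_sensitive), key=value_per_cost, reverse=True)
    for r in urgent + rest:
        if r.cost <= remaining:
            funded.append(r.name)
            remaining -= r.cost
        else:
            deferred.append(r.name)
    return funded, deferred, remaining


def flag_time_sensitive(risks, name):
    """Copy of the register with one entry marked time-sensitive (helper for what-if runs)."""
    return [replace(r, time_sensitive=(r.name == name)) for r in risks]


# Constructed sample register: one critical, one high, one expensive medium, four low.
SAMPLE_REGISTER = [
    Risk("unpatched-internet-facing-vpn", severity=5, impact=5, cost=20, difficulty=2),
    Risk("no-mfa-on-email", severity=4, impact=4, cost=15, difficulty=2),
    Risk("legacy-app-without-logging", severity=3, impact=3, cost=40, difficulty=4),
    Risk("stale-service-accounts", severity=2, impact=2, cost=5, difficulty=1),
    Risk("shared-local-admin", severity=2, impact=3, cost=8, difficulty=1),
    Risk("unencrypted-backups", severity=2, impact=2, cost=8, difficulty=2),
    Risk("missing-login-banner", severity=1, impact=2, cost=5, difficulty=1),
]
SAMPLE_BUDGET = 50  # constructed figure


if __name__ == "__main__":
    for label, register in (("baseline", SAMPLE_REGISTER),
                            ("legacy app flagged time-sensitive",
                             flag_time_sensitive(SAMPLE_REGISTER, "legacy-app-without-logging"))):
        funded, deferred, left = prioritize(register, SAMPLE_BUDGET)
        print(f"{label}: fund {funded}; defer {deferred}; {left} left")
```

Run as a script, the baseline funds the VPN patch, MFA, stale accounts and shared admin, leaving two budget units, while the medium-priority logging project waits because it costs more than the four low items combined. Flagging that project as time-sensitive funds it first, but at the price of deferring the two highest-risk items: exactly the kind of decision the post says cannot be weighed without the whole register in view.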
A holistic cyber security strategy holds that cyber security touches all facets of a business. Under this approach, business processes would generally need to be redesigned with cyber security considerations integrated at the foundational level. A holistic approach to designing a cyber security strategy builds solutions from the ground up to integrate into new business processes with cyber security features baked in, as opposed to deploying solutions that are grafted onto existing business processes.
Consideration of an overarching, comprehensive cyber security strategy also allows for the design of platforms that consist of integrated solutions instead of point solutions, because an overview of all cyber security requirements allows for more advanced, forward-thinking spending strategies. Processes are developed that integrate security controls from their inception, and solutions can be selected based on their ability to integrate with the technology already in the environment.
The Forest Emerges
With the adoption of this holistic method, enterprises become secure by design and not by necessity. Enterprises can make a departure from a fear-based approach to cyber security and begin an approach that is risk-based. Businesses can begin to navigate the forest as a whole. Decisions are no longer tactical and short-sighted; they become strategic and insightful. Spending is no longer reactive; it becomes proactive and anticipatory.
With this new way of thinking, enterprises can begin to see the forest through the trees.