Cybersecurity can be a complex and overwhelming discipline. There is much written about every aspect ranging from how to effectively train your workforce to the re-identification of anonymized data to threat detection. Adding to the cybersecurity fog is complex technology environments that constantly change to accommodate the pace of business and digital transformation needed to remain competitive.
The intent of this post is to share thoughts on how to rationalize cybersecurity (governance, technical controls, and processes) and focus on what’s important to your business while blocking out the noise. Management of cyber risk is at the center of cybersecurity. Understanding the cyber threats to your business, the likelihood of them materializing, and their potential impact (financial, reputational) is fundamental. Casinos, steel manufacturers, hospitals, research organizations all face cyber threats. Granted, some of the threats may be more pronounced and the impact more catastrophic, but they all must understand the risk technology brings to their business.
The Cybersecurity Rationalization diagram describes the rationalization process at a high-level. Thoughtfully addressing these areas will help you effectively manage risk. Does this guarantee there will be no cybersecurity incidents or breaches? Absolutely not. Technology environments are too complicated, some technologies (e.g., TCP/IP) are inherently insecure, and humans, well, are humans. Taking these steps will reduce the number of incidents and their impact on your business.
- To understand cyber risk we must first identify the data collected and technology services provided. The sensitivity of data collected and critical nature of services influence business risk tolerance.
- Business leaders must determine their business risk tolerance. Will a breach or cybersecurity incident lead to reputational damage and significant loss of revenue? Will a breach result in significant harm to individuals (e.g., expose extremely sensitive information)? If so, the business risk tolerance should be low.
- Business risk tolerance influences the level of cybersecurity controls implemented. Cybersecurity controls range from identity and access management to endpoint protection to cloud security. Security monitoring (threat detection) and incident response is also included in the scope of cybersecurity controls. Risk averse organizations may require more extensive cybersecurity controls to reduce cyber risk.
- Threats to data and technology services are another factor that influence cybersecurity controls. A reasonable understanding of bad actors and associated threats to your business is required. This is important because it helps to identify blind spots.
- Vulnerabilities increase cyber risk. The importance of vulnerability management can’t be overstated. Bad actors exploit some type of weakness be it technical or human-based to accomplish their goal. Identifying, prioritizing, and remediating vulnerabilities is critical. Proactively addressing technical debt reduces the vulnerability management challenge.
- Regulatory (e.g., HIPAA) and customer contractual requirements contribute to business risk as non-compliance can result in fines and other damages. These requirements must be considered but should not drive definition of cybersecurity controls. Leading practices, relevant threats and risk tolerance should guide effective cybersecurity.
- If the disciplines outlined above are addressed in a thoughtful manner, the outcome is effective cyber risk management. A continual focus on threats, vulnerabilities, and effectiveness of controls while considering business risk tolerance will create the right culture. Combining this with cybersecurity governance will ensure alignment as the business needs change.
This is a high-level view into how to approach cybersecurity and manage cyber risk. In reality, each one of these disciplines (e.g, threat management, vulnerability management) require a focused effort to implement the needed capability. The challenge is balancing cybersecurity with cost, productivity, and user experience to reasonably protect data and services, and minimize the risk to people, society, and business. There is no easy answer to meeting this challenge, it’s a journey not a destination.
We live in a hyper-digital age and technology is critical in all aspects of our lives. Effective cybersecurity is more important than ever!