Should you beef up the cyber insurance? Should you invest in tools? Should you train your staff? Should you focus on monitoring and quick responses? Security initiatives, like any other program, get a finite budget. On the other hand, the threat landscape is constantly evolving. Executives also know there are no silver bullets out there.
In 2022 and the coming years, executives will need to rely on the lens of People, Process & Technology to find holistic solutions for firming up their cyber security programs. If it were just a technology or tool problem, we would have solved it already.
So, I have put together this long list of top items for your holiday reading. This list is a mix of philosophies, best practices, and advice based on lessons learned from 2021.
I have put these in bite-sized bullets for digestion.
These should act as reminders.
These may guide new ways to build security programs.
As always, I would love to hear from you about your experiences. Enjoy the read.
- Being compliant does not mean being secure. Compliance does not reduce your attack surface.
- Investments in Cyber Security do not equal buying insurance. Instead, it is investing in accelerating your transformation.
- CEOs want to see ROI correlated to security investments. Cyber Security Executives should use metrics like improvement in business productivity and time to market when thinking about their initiatives and the impact those have on the broader organization. Cyber Security cannot be only about keeping you safe; it should be about moving you forward. (Does your new patching solution reduce the need for system downtime? What were the savings in productive hours? For how many people?)
- Not every security conversation should lead towards adding more tools. If anything, organizations have too many tools.
- Knowing your current posture and Cyber Security blind spots is more valuable than is commonly realized. Successful & secure companies are proactive.
- Organizations that treat Cyber Security as crucial as performance or quality will continue to do well. The rest will learn those lessons the hard way: a pile of technical debt to cover security issues, expensive re-designs, hacks & breaches.
- People remain (and have always been) the most crucial asset. They will also continue to be the weakest link on the cyber security front. Investing in people and creating a Cyber Security culture will pay for itself.
- Cloud has made enterprises inherently more secure. But remember, everyone carrying a smartphone doesn’t automatically become smart. Adapting & applying Cyber security for your organization and your industry standards is key.
- The threat landscape is ever-changing. Bad Actors need to be right once. You need to be right every time. Of course, the equation is set up against you. The only way is to stay on top of the game and ahead as much as possible.
- Identify your organizational Crown Jewels. They must be secured and audited. But a mechanism to recover & restore them in case of a breach is what will differentiate the men from the boys. (Accenture is a great recent example: they were able to recover & move on quickly.)
- While evaluating products, Cyber Teams focus too much on features. 80-85% of those features will seldom be used, whether in our car, mobile phone, enterprise tool, or software. A security executive must focus on the essential objective & solve it. Think: business capability matrix.
- No organization is immune to attack. 80% of enterprises have suffered a security incident in the 12 months spanning 2020/21.
- About 45% of organizations are not armed to meet the cyber security challenges. At least 50% of the organizations waste significant time investigating low-level alerts and getting lost in the noise.
- Half of SMB organizations lack the right tools to detect, isolate, respond to and clean up cyber threats. Moreover, massive integration gaps exist within organizations that do have the required tools.
- I am seeing almost every company taking out cyber liability insurance. However, about 50% of organizations would not know when to engage the legal team when an incident takes place. Is an intrusion taking place? Should legal be engaged upfront or post containment? Most organizations do not have a runbook and operating procedures for leveraging their legal counsel in such cases.
- People directly in charge of an asset know everything is penetrable. They focus on investing in cyber-attack resilience. Those who gloat about their security programs mostly are not responsible for any asset.
- "Return to office date is history". "Omicron may turn into an endemic in 2024". These articles & deep dives confirm that remote work is here to stay. It is high time organizations focus on improving endpoint visibility for employees & associates. For the past 2 years, 55% of executives have been concerned about endpoint security and lack of visibility.
- Elapsed time to identify, remediate and contain a threat is critical. In today's day & age, automation in incident management, threat detection, and threat containment is crucial. It is not humanly possible to make a decision based on manually sifting through logs from hundreds of devices & systems that may run into gigabytes.
- A considerable number of enterprises with investments in incident management tools may still lack a disaster recovery plan and incident responsiveness. While companies use NIST and MITRE-based frameworks, fewer than 40% of companies conduct exercises for incident responses.
- Enterprises across the board are reeling from talent management challenges. Finding security talent was already a challenge, but with the Great Resignation of 2021, talent retention has become a headache. Re-skilling your people and leveraging a robust partner ecosystem will be necessary for 2022.
- Operational disruption (60% of enterprises) and sensitive data compromise or loss (64% of enterprises) top the list of damages from a cyber security intrusion.*
- Executives from mid-size organizations seemed to be most concerned with losing sensitive data. At larger organizations, executives are most anxious about the revenue impact from a cyber attack.
- Some of the best tools for identification, detection, isolation rely on interconnection to communicate, exchange information, and recognize patterns. Lack of integration among the tools & systems continues to be low-hanging fruit for executives in 2022 looking to gain rapid mileage from existing investments.
- Enterprises invest in purpose-driven tools. New tools may be acquired as the goalpost or the leadership changes. With time, tools overlap, silos build up. These tools can be studied & rationalized. Often it can unlock a significant spend reduction in the license & maintenance costs.
- It is incredible how many organizations invest in expensive security tools but do not have MFA enabled. 45% of compromises still originate from password compromises. Get it done. Now.
- Businesses are well versed in tracking traditional risks like delayed projects, cost overruns, or business impacts. However, they need to consider risks originating from digital transformations. Think about risks associated with PII data, its movement, laws governing data storage, privacy laws, etc. Data and its associated risks are a new frontier in themselves.
- Inherent biases in an application, or data quality issues, can lead AI applications to misguide organizational focus. These can also open companies to new risks.
- Gartner predicts that in 2 years, privacy laws will cover 75% of the population. With GDPR, CCPA, and more laws in the making, the grip on consumers' data and privacy will continue to get tighter & more complex. So, CISOs and leaders need to advance and automate their privacy management systems. They need to ensure a process to capture, scrub or remove data if requested by their customers or readers.
- Gartner also made a startling prediction: by 2025 threat actors will weaponize technology environments. We are already seeing signs of it. Oil and Gas, Utilities, School districts and Water utilities do not hold consumers' PII data alone; the population's daily lives depend upon these utilities/service providers. Hence, it is essential now to prepare for ramped-up cyberattacks on these spaces in the coming years. Attackers will not come for the consumer data you have, but will weaponize your facilities against the customers you serve.
- A significant number of McKinsey's surveyed companies (48%) reported "being able to identify the risk" as their biggest challenge with digital and analytics risks. If you cannot identify or measure a risk, it is hard to manage or plan for it.
- The majority of companies start from their assets, then study the security controls around those assets, and then work on how to fill the gaps with procedures and tools. It is time the conversation became business-focused instead. What are the business crown jewels? What type of disruption is non-negotiable? What is the organization's risk appetite? The problem is much more approachable when the focus is turned upside down. Once those questions can be answered, focusing on security controls and tools becomes more meaningful.
- It's time to define a data-driven approach to cyber risk assessments. Being able to associate dollar values with risks and their likelihood is important to convey the situation and move the business into action. It will also guide security budgets: "Where should we invest first?" Leaders can prioritize and ask "what level of financial risk is the organization ready to take?"
- Communication is the key to garnering attention and improving cyber security within an organization. Cyber Security is top of mind for CEOs/Boards. However, their focus is often on aspects like shareholder value, business growth & competitive edge. Reporting on traffic lights (red, yellow, green) won't convey the context and meaning of the actual risk to the organization versus business KPIs. Communication must be in the business language. A tool implementation, a current list of vulnerabilities and technical details, or a technical roadmap will fog the actual impact or risk to the organization. It will also leave non-technical boards/CEOs unable to get to the crux of the matter.
- If as an investor I know you (your company) have the right cyber security practices in place, would you not become a better company to invest in? Am I willing to see erosion in share price due to an overnight cyber-attack that stuns the enterprise? The SEC is already working on a Cyber Disclosure policy in this regard.
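As an added example (not from the original post), here is one way to put numbers behind the data-driven risk assessment and the "where should we invest first?" and risk-appetite questions raised in the two points above. It uses the standard annualized loss expectancy formula (ALE = single loss expectancy × annual rate of occurrence) and return on security investment (ROSI = (avoided loss − control cost) / control cost); neither formula is named in the post. The risks, dollar figures and candidate controls are constructed for illustration, and the greedy budget planner is my own assumption about how a team might turn a budget and a stated risk appetite into an ordered list of investments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # estimated dollar loss per occurrence (SLE)
    annual_rate: float   # expected occurrences per year (ARO)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy in dollars: SLE x ARO."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    risk: str            # name of the risk this control mitigates
    annual_cost: float   # yearly cost of running the control
    reduction: float     # fraction of the risk's ALE it removes (0..1)


def total_ale(risks):
    """Total expected annual loss across all identified risks."""
    return sum(r.ale for r in risks)


def rosi(control, exposure):
    """Return on security investment against a given dollar exposure."""
    avoided = exposure * control.reduction
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(risks, controls):
    """Answer 'where should we invest first?': controls by ROSI, best first."""
    ale_by_risk = {r.name: r.ale for r in risks}
    scored = [(c.name, rosi(c, ale_by_risk[c.risk])) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def plan(risks, controls, budget, appetite):
    """Greedy plan: repeatedly pick the control with the best ROSI against the
    *current* residual exposure until the budget is spent, nothing with a
    positive return is affordable, or residual ALE is within the appetite.
    Returns (chosen control names, residual ALE, budget left)."""
    residual = {r.name: r.ale for r in risks}
    remaining = budget
    chosen = []
    candidates = list(controls)
    while candidates and sum(residual.values()) > appetite:
        best, best_rosi = None, 0.0
        for c in candidates:
            if c.annual_cost > remaining:
                continue
            r = rosi(c, residual[c.risk])
            if r > best_rosi:           # only invest where return is positive
                best, best_rosi = c, r
        if best is None:
            break
        residual[best.risk] *= (1 - best.reduction)   # stacked controls compound
        remaining -= best.annual_cost
        chosen.append(best.name)
        candidates.remove(best)
    return chosen, sum(residual.values()), remaining


# Constructed sample register; every figure below is illustrative, not real data.
RISKS = [
    Risk("Ransomware on file servers", single_loss=2_000_000, annual_rate=0.1),
    Risk("Credential phishing", single_loss=150_000, annual_rate=1.0),
    Risk("Cloud storage misconfiguration", single_loss=500_000, annual_rate=0.2),
]
CONTROLS = [
    Control("MFA rollout", "Credential phishing", annual_cost=40_000, reduction=0.8),
    Control("Immutable backups", "Ransomware on file servers", annual_cost=60_000, reduction=0.6),
    Control("CSPM scanning", "Cloud storage misconfiguration", annual_cost=50_000, reduction=0.5),
    Control("Endpoint EDR upgrade", "Ransomware on file servers", annual_cost=150_000, reduction=0.5),
]

if __name__ == "__main__":
    print(f"Total ALE: ${total_ale(RISKS):,.0f}")
    for name, r in rank_controls(RISKS, CONTROLS):
        print(f"  {name:<22} ROSI {r:+.2f}")
    chosen, residual, left = plan(RISKS, CONTROLS, budget=120_000, appetite=150_000)
    print(f"Invest in: {chosen}; residual ALE ${residual:,.0f}; budget left ${left:,.0f}")
```

With the constructed register, MFA comes out first (the post's "get it done, now" point) because it removes the most expected loss per dollar, the EDR upgrade is skipped because its cost exceeds the loss it would avoid, and the plan stops with residual exposure still above the stated appetite, which is exactly the conversation the board needs to have: spend more, or formally accept the remaining risk.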
References: The above insights have been gained from tons of reading materials over the past 3 months and experiences with customers. I am quoting notable links that are a constant source of knowledge.