Cybersecurity perils: What CISOs must bear in mind – Elets


In a world where cyberattacks have become the norm, organisations have no option but to make cybersecurity a top priority. Cyberattacks can affect the very ability of an organisation to fulfil its mandate. Many cybersecurity leaders and teams voice concern about lack of funding and minimal executive support at all levels of the organisation (including the CISO). However, this is a symptom, not the root cause. It is therefore critical to understand and introspect the root causes, which organisations can easily miss, and as a result the company's true security risk reduction suffers. While many companies have understood the implications of cyberattacks, they still lag behind in implementing security measures.

Here are the top five cybersecurity pitfalls organisations face and what they should do to overcome them:

Today a number of cybersecurity programs are attempting to boil the ocean instead of focusing on what is most important for the business. Enterprises must know which business processes and information are of the utmost importance and make efforts to protect them.

Some organisations have made attempts to identify the most critical data and assets to protect, though this often leaves out integrity and availability concerns and focuses solely on data theft (confidentiality). Business continuity and IT disaster recovery programs and plans traditionally work to ensure that the organisation can react to availability issues from any type of outage. In many cases, these efforts are disjointed, and data integrity risks are largely left to be managed by the quality or compliance department.

Chief Information Security Officers (CISOs) can help their companies connect deeply with their business. They can understand worst-case scenarios for information theft and manipulation without limiting their thinking to IT systems. Once the company decides to focus on the most critical elements of the business, it can build speed and depth to protect them. For example: if a company has 1,000 IT systems and 10 different functional areas comprising 500 business processes, where does the company start protecting its systems? Is everything critical? We have seen companies fail to answer this question and significantly slow their efforts on a critical control, or focus only on one risk dimension (e.g. compliance, or data theft).

One can easily identify the elements most critical to the business by imagining what a CEO would be most concerned about if a cyberattack hit at 3 a.m. The CEO won't be concerned about the technical details but will focus on business risk and operational impact. Keeping this in mind lets you focus your information security program.

Today, the media plays a key role in educating people about cybersecurity breaches. At the same time, the media distracts the enterprise. This is mainly due to privacy-driven data breach reporting laws, and media attention tends to focus more on customer breaches and exposed personal information than on the pitfalls or reasons behind such an event.

This reporting bias doesn't account for all of the internal and external attack types or the company's true risk impact profile. When employees read media stories on security breaches, they may slip into a reactive mindset or start exhibiting confirmation bias that may or may not be applicable to the particular situation of your company. This kind of thinking can distract you from your organisation's biggest risks.

One cannot control the kind of articles employees read, but there is a strategy to avoid knee-jerk reactions to specific vulnerability and breach-related news. The company can leverage news media in a way that provides isolated value instead of creating a distraction, by getting deeply involved in threat intelligence and sharing with other companies. Inputs from the media can then be evaluated so that you can rationalise what you should react to and act upon.

Judging from the social media backlash about the vendor circus at major security conferences and events, there is some recognition and reflection about cyber tool sprawl. When it comes to technologies like AI, machine learning and blockchain, we are often promised silver bullets and told that these tools must be implemented as soon as possible. This creates a sense that, if they are not deployed, the company faces imminent failure in protecting itself.

We recently learned about a smaller organisation's security leader who was proud to have acquired seven marquee threat detection tools. When we asked him how he had the ability to leverage them all effectively, his reply was that he focused on the one which gave him the most actionable data. He was using only one threat detection tool at a time. The other six were still running and producing logs and alerts, but no one was looking at them.

It is a known fact that a company's strategic architecture practices may not yield their full potential at the beginning. But bringing a deeply experienced, big-picture security architect on board to develop an ecosystem of cybersecurity tools will help it scale appropriately. CISOs need to look past the initial funding for cool tools towards the more comprehensive total cost of ownership (for both internal and external resources), linkages to business scope, ability to drive down risk and plans for appropriate scale.

One should know the basics, as these matter the most to any organisation. According to the Center for Internet Security Critical Security Controls (CIS CSC), the top four basic controls are inventory and control of hardware, inventory and control of software, continuous vulnerability management and controlled use of administrative privileges. However, many organisations report ineffective or incomplete efforts in all four of these fundamental areas. Meanwhile, investments may be focused more on tools and controls that are popular in the market.

The solution is to prioritise core efforts and basics, so that your team isn't spread so thin working on shiny new tools that it obstructs progress on critical building blocks.

The CIS CSC provides a robust and periodically updated playbook that includes hardware and software inventory, vulnerability management, controlling admin privileges, secure configuration (hardware/software) and maintenance and monitoring of logs. While these all seem essential for any security program, not many companies have made solid progress towards maturity in them.
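As an added illustration of what "solidifying the basics" means in practice, the script below reconciles observed hosts, installed software and local admin accounts against approved lists, which is the operational core of the inventory and admin-privilege controls named above. This is example code written for this edit, not the article's or CyberArk's; every inventory value in it is constructed.

```python
"""Reconcile observed assets against approved inventories (CIS basic controls).

Covers three of the four basic controls the article names: hardware inventory,
software inventory and controlled use of administrative privileges.
All inventory data below is constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed "approved" state: what the organisation believes it owns and allows.
APPROVED_HOSTS = {"web-01", "web-02", "db-01"}
APPROVED_SOFTWARE = {"nginx", "postgresql", "openssh"}
APPROVED_ADMINS = {"db-01": {"dba"}, "web-01": set(), "web-02": set()}

# Constructed observations, as an endpoint agent or network scan might report them.
OBSERVED = [
    {"host": "web-01", "software": ["nginx", "openssh"], "admins": ["alice"]},
    {"host": "db-01", "software": ["postgresql", "openssh"], "admins": ["dba"]},
    {"host": "jump-99", "software": ["openssh", "teamviewer"], "admins": ["bob"]},
]


@dataclass
class Findings:
    unknown_hosts: list = field(default_factory=list)      # seen but not in inventory
    missing_hosts: list = field(default_factory=list)      # in inventory but not seen
    unauthorised_software: dict = field(default_factory=dict)  # host -> packages
    unapproved_admins: dict = field(default_factory=dict)      # host -> accounts


def reconcile(observed, approved_hosts, approved_software, approved_admins):
    """Return the gaps between what is observed and what is approved."""
    f = Findings()
    seen = set()
    for rec in observed:
        host = rec["host"]
        seen.add(host)
        if host not in approved_hosts:
            f.unknown_hosts.append(host)
        bad_sw = sorted(set(rec["software"]) - approved_software)
        if bad_sw:
            f.unauthorised_software[host] = bad_sw
        # An unknown host has no approved admins at all, so every admin is flagged.
        bad_adm = sorted(set(rec["admins"]) - approved_admins.get(host, set()))
        if bad_adm:
            f.unapproved_admins[host] = bad_adm
    f.missing_hosts = sorted(approved_hosts - seen)
    return f


if __name__ == "__main__":
    print(reconcile(OBSERVED, APPROVED_HOSTS, APPROVED_SOFTWARE, APPROVED_ADMINS))
```

A host that was never seen is as much a finding as an unknown one: it may be offline, decommissioned without updating the inventory, or no longer reporting to the agent.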

Connecting the dots between prioritising business risk and solidifying the basics, companies should leverage business risk to drive privileged access security programs.

Many a time a company buys a tool but does not implement it fully, and then moves on to the next new thing or realises that it doesn't have the resources to execute, scale up or support it after the initial investment money runs out. This does not help in reducing risk in the organisation.

Getting to the appropriate scale with these efforts is the only way to fully achieve the risk reduction that your money, time and effort have paid for. Scaling is hard, but it is where the magic happens with risk reduction. The appropriate scale connects directly back to the business risks you plan to reduce.

Companies that achieve appropriate scale leverage solid and consistent project management and measurement methodologies. They think proactively about the total cost to achieve the desired risk reduction. They don't run after new tools just because they see their peers implementing them. Since many CISOs have a maximum of two years of tenure in the role, they may not be focusing on long-haul solutions at scale.

(Views expressed above are the personal opinion of Rohan Vaidya, Regional Director of Sales India, CyberArk)
