Due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors which comes with them, many large organisations now assume that breaches are simply inevitable. This “when, not if” paradigm around cyber-attacks is fundamentally changing the dynamics of cyber security.
Historically, cyber security has been viewed as an equation between risk appetite, compliance requirements and costs. Compliance and costs were always the harder factors. Risk, which is difficult to measure and quantify, was always some form of adjustment variable.
And risk is about uncertainty. The “when, not if” paradigm brings certainty where doubt was previously allowed (or used to manipulate outcomes). So:
• Cyber-attacks WILL happen;
• Sooner or later, regulators WILL step in;
• They can now impose BUSINESS-THREATENING fines around the mishandling of personal data;
• Media interest has never been higher around those matters: Business reputation and trust in a brand WILL be damaged by high-profile incidents.
As a result, the risk-based constructions which have been the foundations of many cyber security management practices, are weakened.
Are we spending enough?
Compliance requirements remain (if anything, they are getting stronger as privacy regulators flex their muscles in Europe and the US) and costs cannot be ignored, but “are we spending enough?” has become a much more common question across the boardroom table, than “why do we need to spend so much?”
For CISOs, protecting the firm becomes an imperative: This is no longer about doing the minimum required to put the right ticks in compliance boxes, but very often a matter of genuine transformation: It forces them to work across corporate silos, look beyond the mere technology horizon (which is often their comfort zone), and also look beyond tactical firefighting (which often dominates their day-to-day).
Knowing what to do is often the easiest part. After all, good practices in the cyber security space have been well known for over a decade. They still provide adequate protection against many threats as long as they are properly implemented.
True cyber resilience can only come from real defence in depth, acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the enterprise – functionally and geographically.
The “when, not if” paradigm will often bring the Board’s attention and large resources onto cyber security, but with those will also come scrutiny and expectations. The challenge really becomes an execution and a leadership challenge for the CISO.
In large firms where a major overhaul of security practices is required, establishing a sound governance framework and operating model from the start will always be a key factor of long-term success for the CISO.
Equally important will be the need to put people and process first, and to identify the roadblocks which might have prevented progress in the past around cyber security matters.
Repeating the mistakes of the past would simply perpetuate the spiral of failure around security, as would an excessive or premature focus on tech solutions. There is no magical technology product which can fix in a few months what is rooted in decades of adverse prioritisation, lip service and under investment.
The CISO must appreciate that and place all transformation efforts in the right perspective: Change takes time and relentless drive, and there may not be quick wins. Managing expectations and staying the course will always be key pillars of any lasting cyber security transformation.
This article is based on a recent piece in Business 2 Community.