Or a look into the psychology
I have written about this before, and today I saw a related question on LinkedIn (thanks David) but ran out of words to post as a comment.
I want to start by suggesting that security officers and auditors often do not think about the company's assets the way they think about their own possessions. That is naive at best and dangerous at worst.
In our personal lives, how many of us do not keep the front door locked at all times? No one in a city today leaves their front door open. This is 101-level security, the equivalent of the corporate firewall, and a firewall of some description is the minimum every business has covered nowadays.
Staying with the house analogy, we add to the locked front door: we put up security cameras and video doorbells (Ring, Arlo, Eufy and the like) to make ourselves a less attractive target than the other houses on the street, we fit security screens on the doors, we ask the neighbours to watch the property while we are away, and we insure the contents against theft.
We do this because each of us has the authority to spend money to protect our own assets (house and contents) in full, and there is no penalty if we get it wrong. What is the worst that happens? We lose some property, it was our own fault, and we do better next time.
When it comes to the company we work for, our mindset changes. We don't want to spend money to cover a cyber risk that hasn't happened yet. Why? My personal opinion is that the reasons are several:
- If we request budget from the board and implement a cyber security solution, what happens if an attacker targets us through a different vulnerability? The answer is that we will be questioned about why we didn't allow for it and why we spent the budget in the wrong area.
- The noise from the cyber security market is at fever pitch. Every vendor has a solution or suite for cyber security, and theirs is always the one your business needs. Even the legacy vendors (Micro Focus, Quest Software etc.) are trying this to remain relevant, with software solutions that are generations old now.
- There is so much conflicting information available that no one seems to know where to start to improve their cyber security posture and resilience. This comes back to point 1 above.
- Most employees do not look at the business they work for as their own. If they did, they would have the right conversations with the key stakeholders to make sure those stakeholders understand exactly what the risks are. If you have had that conversation and the stakeholders still do not listen, then any attack becomes their responsibility. In most breaches, senior people lose their jobs when a company is targeted and information is stolen, so they will care.
The solution to this is not at all difficult. Getting budget may be, but once you have a plan in place it becomes much easier to implement a cyber security programme, and budgets that looked impossible before now have data to support them.
- Use a framework to start. There are a few choices, industry-specific or not. Most have several functions, typically Identify, Protect, Detect, Respond and Recover. What they have in common is that cyber security is an evolving cycle that never ends; there is no golden egg that, once purchased, prevents all threats. The ASD (Australian Signals Directorate) and its Essential Eight are a great place for an Australian business to start looking.
- Build your cyber programme to incorporate what you have already implemented (endpoint solutions, firewalls, cloud security) along with the additional processes and products you may need. When budgeting, make sure you account for maintenance and changes in vendor licensing: for example, companies like Broadcom will target a 10-20% uplift every year on your existing solutions, so budget for that worst case, and allow for specialist consultancy to make sure your business is not exposed.
- When selecting solutions, make sure the products can integrate, where it makes sense, with SIEMs, SOCs and other vendors' solutions. Data from a single platform, e.g. endpoint, is a single flat view, but add data from the network, the CASB or another source and you suddenly have far more detail than disconnected systems could ever give you.
- Use specialist consulting. When you work inside a company you have limited information and data to apply to a situation, and your role is often a generalist one: you have to relate to the business, talk to the stakeholders, manage expectations and so on. A specialist cyber security consultant doesn't carry that responsibility, so they can be more focused, and they also know the data of companies in your industry that have been breached. Why? Because they have consulted for them post-breach. So use them.
- Use software vendor information. Salespeople can be frustrating, but they have insights you don't have: they speak with your competitors and they know about their own competitors too, and if you ask the right questions you can learn a lot for free. I am not advocating making a vendor do everything for free, but a good vendor product will end up on your roadmap anyway for inclusion in your cyber programme.
- If a cyber security vendor does not have an in-country presence, DO NOT use them; find one that does. At best you will be limited to Northern-hemisphere support hours; at worst you will have no support and no one to speak with when you have a problem.
- When you purchase a solution, buy what you need, not what the vendor wants to sell you. There are many cases where companies purchase products and never use them, or at least do not use them for 6-12 months, and most of these solutions carry a large price tag. Never believe "end-of-quarter pricing", "management won't approve" and so on. The salesperson in front of you is the only person you need to convince; make him or her do the internal justification to get whatever pricing you need.
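To make the point about integrating sources concrete, the following is an added example (not code from the original post) of the kind of correlation a SIEM does when endpoint and proxy/CASB data land in the same place. The event records, hostnames, destinations and the sanctioned-destination list are all constructed for illustration. The proxy log alone can only say "large upload to an unsanctioned file-sharing site", which fires on every host; joining it to the most recent process start on the same host separates a user dragging a file into a browser (a policy finding) from a command-line tool pushing data (a likely exfiltration), and also exposes hosts where there is no endpoint coverage at all.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint (EDR) process-start events; not real telemetry.
ENDPOINT_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS-0141", "user": "alice", "process": "chrome.exe", "pid": 4120},
    {"ts": "2024-03-01T09:01:10", "host": "WS-0141", "user": "alice", "process": "curl.exe", "pid": 4410},
    {"ts": "2024-03-01T09:02:00", "host": "WS-0199", "user": "bob", "process": "chrome.exe", "pid": 2210},
    # Note: host WS-0207 has no endpoint agent, so no events appear for it.
]

# Constructed sample proxy / CASB upload events; destinations are placeholders.
PROXY_EVENTS = [
    {"ts": "2024-03-01T09:00:20", "host": "WS-0141", "dest": "mail.example.com", "method": "POST", "bytes_out": 120_000},
    {"ts": "2024-03-01T09:01:15", "host": "WS-0141", "dest": "files.unsanctioned-share.example", "method": "PUT", "bytes_out": 48_000_000},
    {"ts": "2024-03-01T09:02:30", "host": "WS-0199", "dest": "files.unsanctioned-share.example", "method": "PUT", "bytes_out": 52_000_000},
    {"ts": "2024-03-01T09:03:40", "host": "WS-0207", "dest": "files.unsanctioned-share.example", "method": "PUT", "bytes_out": 61_000_000},
]

# Assumed policy constants (hypothetical values chosen for the example).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SANCTIONED_DESTS = {"mail.example.com", "sharepoint.example.com"}
LARGE_UPLOAD_BYTES = 10_000_000          # 10 MB
CORRELATION_WINDOW = timedelta(seconds=90)


def _ts(s):
    return datetime.fromisoformat(s)


def large_unsanctioned_uploads(proxy_events):
    """Proxy-only view: every large upload to a destination not on the sanctioned list."""
    return [e for e in proxy_events
            if e["dest"] not in SANCTIONED_DESTS and e["bytes_out"] >= LARGE_UPLOAD_BYTES]


def last_process_before(endpoint_events, host, when, window):
    """Most recent process start on `host` inside `window` before `when`, or None."""
    candidates = [e for e in endpoint_events
                  if e["host"] == host and when - window <= _ts(e["ts"]) <= when]
    return max(candidates, key=lambda e: _ts(e["ts"]), default=None)


def correlate(endpoint_events, proxy_events, window=CORRELATION_WINDOW):
    """Join each suspicious upload to endpoint context and assign a severity."""
    findings = []
    for up in large_unsanctioned_uploads(proxy_events):
        proc = last_process_before(endpoint_events, up["host"], _ts(up["ts"]), window)
        if proc is None:
            # No endpoint telemetry: cannot tell user from tool, and the coverage gap itself matters.
            severity, reason = "medium", "large upload with no endpoint context (coverage gap?)"
        elif proc["process"] in BROWSERS:
            severity, reason = "low", f"interactive upload via {proc['process']} by {proc['user']}"
        else:
            severity, reason = "high", (f"upload by non-browser tool {proc['process']} "
                                        f"(pid {proc['pid']}) running as {proc['user']}")
        findings.append({"host": up["host"], "dest": up["dest"], "bytes_out": up["bytes_out"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in correlate(ENDPOINT_EVENTS, PROXY_EVENTS):
        print(f"{f['severity']:6} {f['host']} -> {f['dest']} ({f['bytes_out']} bytes): {f['reason']}")
```

With the proxy data alone all three uploads look identical; with the endpoint join, WS-0141 (curl.exe) is the one worth an analyst's time, WS-0199 is a CASB policy conversation with the user, and WS-0207 is a reminder that an uncovered host is a blind spot whichever product you bought.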
The most important part of this is to build a cyber security programme that follows a known framework. That way, if and when you do have a breach that your solutions didn't address, you can show you were doing the right thing. The programme also lets you prioritise, and demonstrate to your stakeholders what you are doing and what you need from them, to ensure cyber resilience.
There is one certainty: if you have not been hacked, you will be as soon as you become an easier target than your competitors, and if you have been hacked you may not even know about it yet.