How Business Leaders Can Reduce the Cyber Fog
Why has it become so complex? The explosion of data usage across your business, the exponential volume of security solutions, and the constantly evolving threat landscape have created the perfect conditions for what we here at Abacode call the “Cyber Fog.”
You can start to feel hopeless when you see the following graphic that depicts all the security tools and vendors available in the marketplace:
And guess what? Most of these tools do the same thing. This is a primary cause of Cyber Fog!
Looking at this graphic evokes walking into a SUPERSIZED Cyber Home Depot. All of a sudden there are shelves and shelves of similar items in the aisle, and you’re stuck looking for a guy in an orange vest.
How do you choose? What exactly do you need? Why do you need it? How much do you have to spend?
Relax. Here’s the good news. You do not have to be a cyber expert to effectively manage and overcome Cyber Fog. To emerge out of the Cyber Fog, all you need is to understand cybersecurity well enough to know what’s most important for your business. Then you empower your cyber leaders, partners, and teams to deliver your desired outcomes.
As the leader, your role is to improve the integration and alignment between your leadership team and your technical team. This will facilitate your overall cybersecurity strategy and keep the misalignment from hurting your business top line and bottom line.
This is where your big opportunity lies, in setting the conditions that will allow your cybersecurity program to deliver what the business needs in the most cost-effective and risk-effective way possible while minimizing any Cyber Fog you might be experiencing.
Address Three Conditions to Reduce Cyber Fog
When it comes to pushing back the Cyber Fog, I recommend tackling three conditions: confusion, control, and cost. Let’s briefly look at each:
- Confusion: Did you know that the Crown Jewels of the British Royal Monarchy have an estimated value of between three and five billion pounds? While I am sure there are lots of other unbelievably valuable items in the Royal Collection, you can be confident in guessing the Crown Jewels have many extra layers of protection and security around them.
I use the Crown Jewels example because it is a common comparison with cybersecurity professionals and data. Cybersecurity is indeed about protecting your organization’s crown jewels – those assets (e.g., data, systems, applications, etc.) that are most critical to accomplishing your organization’s business mission.
But wait, there is more! Like the extra layers of protection and security for the Crown Jewels, your data needs what is known as Defense-in-Depth – i.e., the concept of wrapping layers of security around all your data to ensure it is properly secured and protected.
The big challenge here is that not all your data requires the same level of protection, and every layer you add costs money and introduces its own points of failure or compromise.
So how do you get it right?
Getting it right requires very clearly identifying what data your business has and needs and where it’s located (e.g., on-premises, in the cloud, or with third-party providers). Then you need to break that down further into categories (e.g., regulated, non-regulated) and then determine by data type (i.e., Restricted, Controlled, Public) how exactly it should be protected based on your compliance requirements and risk tolerance.
If you’re serious about getting out from under Cyber Fog, do not delegate this task. This is a critical task for the Executive leadership team to be involved in because it is foundational to establishing your risk profile and security posture. Everything that follows in your cybersecurity program stems from this initial activity.
- Control: You have the control to decide where your data is stored and processed, and you have control to work with your cybersecurity team to determine which solutions and security controls (layers) you will place around your data to keep it safe. This is your risk tolerance.
I have seen many organizations (both big and small) spend into the millions on cyber solutions that no one ends up using. Sure, it was originally bought to meet a need; but that was 18 months ago, and now those solutions are offering little to no protection and costing a lot of money – because, guess what, things constantly change!
So, what’s the best approach here?
If funds are tight, look native first. This is a terrific way to put a base layer of defense around your data. Platform vendors such as Microsoft, Apple, and Amazon have all made real progress in embedding strong security solutions into the native platforms you are already using – e.g., Office365, Azure, AWS, etc. Ask your security leaders, partners, and teams about this. Do not sacrifice layers if your data is worth it.
Next, you should align your cybersecurity products and services to a diagnostic assessment against an industry framework to identify where you have gaps in risk exposure across your estate.
There are several useful security frameworks out there such as the following:
- Center for Internet Security’s Top 20
- National Institute of Standards and Technology Cybersecurity Framework
- International Organization for Standardization (ISO) 27001 Standard
Your organization can use any of these to build, benchmark, or improve your cybersecurity initiative. Your cyber leaders, partners, and teams should be able to tell you how the business is performing against the framework and what risks each specific tool mitigates. If you don’t know, find out the answer to these two questions:
- Do you know which cybersecurity framework(s) your business uses?
- Have you seen how the business is performing against that framework?
One more factor here is that you may be getting pressure from a supply chain standpoint. That is, those with whom you do business are requiring your organization to fill out security questionnaires or prove that you have some level of cyber due diligence in place. Implementing security against a best practices framework is the best way to respond to those requests. In fact, gaining a third-party attestation of your compliance is even more powerful. Then, you just present a letter or certificate that shows you meet a certain level.
- Cost: Cost is another condition in which Cyber Fog can creep in if you’re not careful, leaving you in one of two camps: “Sure, whatever we need” (blank check), or “No, I don’t care; let’s wait before spending more” (no check). I have talked with dozens of CFOs and financial folks who all have the same question: “Why are we spending so much on this stuff? It all seems awfully expensive!” They are right.
According to the Spends and Trends: SANS 2020 IT Cybersecurity Spending Survey, the leading drivers for security spending are regulatory compliance, reducing incidents and breaches, and keeping up with the evolving threat landscape. All valid.
While the truth is good cybersecurity does cost money, there are usually some efficiencies you can gain by a precise understanding of where your cyber spend is occurring. Cyber Fog does not like such precision!
This is another critical leadership activity, because as the SANS report highlights, close to 70% of organizations do not evaluate the effectiveness of their security spending, thus leaving CISOs and their staff unable to justify needed expenditures to corporate management.
One way to help justify your cyber spend is to adopt a consistent and repeatable way to measure the Return on Investment (ROI). There are numerous ways to do this, but the important part is that you decide on a way and stick to it, so that all options are evaluated on the same basis.
Quantitative risk analysis gives decision-makers compelling data on the efficacy of their cyber spend. Let’s take a simple example. Perhaps you’re concerned that a data breach could disrupt your business operations. You’re evaluating a $100,000 cybersecurity solution to mitigate that risk. By using a Risk Exposure formula, you can estimate how much damage this particular risk could cause. The IBM 2019 Cost of a Data Breach Report studied over 500 companies that have experienced a breach and determined that the average cost of a data breach is $3.9M.
So, for our example, this would be your Single Loss Expectancy (SLE), $3.9M.
Next, we need to determine how likely it is that a data breach will occur for you. For the sake of discussion, let’s say based on your industry research and assessment results, you determine you will experience a data breach on average once every 5 years.
That means there is a 20% chance annually that you will experience a data breach. This is your Annualized Rate of Occurrence (ARO).
The Annual Loss Expectancy (ALE) of the data breach is then calculated using the following formula:
ALE = SLE × ARO
For our example then, ALE = $3.9M × 0.20 = $780K
That means based on the severity of the data breach, it is reasonable to expect that you could lose $780K annually because of this risk. Therefore, it would be advantageous to examine the feasibility of the $100,000 security solution before purchasing.
This type of basic analysis gives you a good starting point to assess how much you are spending on data protection.
Please remember this is a simplified example to demonstrate the point that determining and managing your cyber risk and spend is dependent on what business outcomes you need to achieve (i.e., data breach protection) and within what budgetary parameters.
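As an added worked example (not code from the original article), the ALE calculation above in Python, extended in the way a quantitative ROI comparison usually is: the $100,000 solution is compared against the annual loss it is expected to buy down. The $3.9M SLE, the once-every-five-years occurrence, and the $100,000 price are the article’s figures; the 60% reduction in breach likelihood credited to the control and the Return on Security Investment (ROSI) ratio used to compare it with the solution’s cost are assumptions made here for illustration.

```python
"""Annual Loss Expectancy (ALE) worked example.

Added illustration, not the article's own code. Article figures: $3.9M
average breach cost (SLE), one breach every 5 years (ARO = 0.20), and a
$100,000 solution under evaluation. Constructed assumption: the solution
cuts breach likelihood by 60%. ROSI is a common comparison ratio, not a
formula the article itself uses.
"""
from dataclasses import dataclass


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO: expected events per year; once every 5 years -> 0.20."""
    if years_between_events <= 0:
        raise ValueError("years_between_events must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, the article's formula."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class ControlEvaluation:
    """ALE with and without a control, plus the control's annual cost."""
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def risk_reduction(self) -> float:
        """Annual loss the control is expected to avoid."""
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self) -> float:
        """Avoided loss minus what the control costs per year."""
        return self.risk_reduction - self.annual_cost

    @property
    def rosi(self) -> float:
        """Return on Security Investment: (avoided loss - cost) / cost."""
        return self.net_benefit / self.annual_cost

    @property
    def worth_buying(self) -> bool:
        """True when the control avoids more loss than it costs."""
        return self.net_benefit > 0


def evaluate_control(sle: float, years_between_events: float,
                     annual_cost: float, aro_reduction: float) -> ControlEvaluation:
    """Compare ALE before and after a control that cuts ARO by aro_reduction.

    aro_reduction is a fraction in [0, 1]; 0.6 means 60% fewer expected breaches.
    """
    if not 0.0 <= aro_reduction <= 1.0:
        raise ValueError("aro_reduction must be between 0 and 1")
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    aro_before = annualized_rate_of_occurrence(years_between_events)
    aro_after = aro_before * (1.0 - aro_reduction)
    return ControlEvaluation(
        ale_before=annual_loss_expectancy(sle, aro_before),
        ale_after=annual_loss_expectancy(sle, aro_after),
        annual_cost=annual_cost,
    )


def article_example() -> ControlEvaluation:
    """The article's numbers plus the constructed 60% reduction assumption."""
    return evaluate_control(sle=3_900_000, years_between_events=5,
                            annual_cost=100_000, aro_reduction=0.60)


if __name__ == "__main__":
    ev = article_example()
    print(f"ALE before control: ${ev.ale_before:,.0f}")   # $780,000
    print(f"ALE after control:  ${ev.ale_after:,.0f}")
    print(f"Avoided loss:       ${ev.risk_reduction:,.0f}")
    print(f"Net benefit:        ${ev.net_benefit:,.0f}")
    print(f"ROSI:               {ev.rosi:.2f}x  worth buying: {ev.worth_buying}")
```

The design point is that the solution’s price is never compared with the raw ALE alone; a control only earns its cost through the loss it actually removes, so the assumed reduction in likelihood (or in impact) is the number your security leaders should be asked to justify.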
Emerge from the Fog
Avoid becoming a soft target. As a business leader, you own the cybersecurity initiative. Take time to discuss your cybersecurity needs with your business leaders and cyber partners. Make a clear determination around what data is critical and essential for you to survive and operate as a business or organization.
From there, you can work with your security leadership, teams, and partners to develop a cost-effective and risk-effective security program and budget that works for you and your business.
You will be able to do this with minimal Cyber Fog and without feeling like you must protect every file in the universe with 463 tools from the Cyber Home Depot at a cost of millions of dollars.
Be smart, be prudent, and be informed to reduce the confusion, complexity, and cost that produce Cyber Fog.
If you can do that well, you are on your way to turning your cybersecurity challenges into a competitive advantage for your business.
I hope you found this article useful and if so, please share it with someone in your network.