Given the array of cyber threats organizations face these days, it’s virtually impossible to “win” at cybersecurity. There will always be some hacker or entity who’s one step ahead. A more realistic approach is to manage the risk. When we stop trying to reach some nirvana-like state of protection, and focus instead on lowering risk, we can achieve the cybersecurity sweet spot: prudent protection balanced with business efficiency. That’s the focus of “Getting Your House in Order.”
While you can never eliminate your cyber risk entirely, integrating the work of IT Security and IT Ops can dramatically lower your organization’s risk profile. While creating such an integrated approach can be challenging, here are five steps that will move your teams in the right direction.
Align IT security goals with business goals to balance pragmatic security and operational requirements. If security is an obstacle to getting the job done, the business will go around it. But if security fails, then the whole business could be at risk. Thus, an IT organization’s mission is not to secure the organization or to ensure functionality — it’s to do both. You have to enable the business to function in a world where it’s faced with a lot of threats. To do so, you must make risk trade-offs and base security decisions on operational need. For example, due to the potential threat social media access poses, many companies simply prohibit access. That’s fine for an engineer, but what about your corporate communications team? Their ability to do their job depends on access to those channels, so cutting those employees off is a problem. Finding the right balance is key.
Create shared objectives and responsibilities. Ensure that Ops and Security teams are pointed in the same direction, agree on what’s critical for business operations, and who’s doing what and for whom. Start by achieving 100 percent asset visibility. Data from 1E’s Getting Your House in Order report shows that most companies don’t know what’s on their network, in terms of both devices and software. Next, upgrade and patch based on an agreed set of shared key performance indicators. Data currently shows that the average time to patch is 102 days. A delay of that length creates an extremely large window of vulnerability — you need to move much faster. Finally, for those systems that cannot be patched, establish compensating controls to mitigate the risk.
Establish Key Performance Indicators. The dirty little secret of IT security is many logical outcome measures don’t work in this context. For example, the number of intrusions prevented would be a logical statistic. The problem is that we don’t (and can’t) know how many total intrusion attempts occur. If your network intrusion detection system stops 100 attempts, that’s great if there are only 101, but not so good if there are 10,000. Overall, the industry has come up with few useful outcome-based performance measures, and the ones that exist require a lot of investment and sophistication to manage. However, useful KPIs do exist, because meeting certain input metrics will still lower your risk. For example, what percentage of machines are up-to-date with patching? How many are upgraded to Windows 10? Establishing and meeting these kinds of input KPIs will reduce your company’s cyber risk and allow you to credibly report improvement to the C-suite or the Board.
Develop a clear, shared incident response plan. It’s highly probable, if not inevitable, that you will experience a breach. That’s why being fully prepared is critical. To start, identify who is responsible for what actions in the event of a breach, and be specific — say exactly who, in what role, takes what action. Integrate these plans with your legal and public relations teams to communicate clearly and effectively. The same communication rules that apply to any other business crisis apply to a cyber incident.
Update your action plan, KPIs, and priorities at least annually. The cybersecurity space moves quickly, so it’s imperative that your plans and approach keep pace. By adapting your priorities to new and emerging threats, you’ll be in a much better position to protect the organization. Beyond threats, there are other reasons to adapt as well: You open a new location, acquire another company, or there’s a new law (like GDPR) that demands a change in your plan. Cybersecurity is not a static state; it’s constantly evolving and adapting, and you must do the same.
When cybersecurity experts talk about managing the human element, they’re mostly referring to end users. But the human element is also critical for implementation. If IT Ops and Security don’t work well together, all of the technical solutions on the market won’t help. Changing the mindset and approach within your IT organization to pragmatically managing risk, as opposed to defeating adversaries or maintaining functionality at all costs, will give you a much greater chance of maintaining an advantage over growing threats. And that’s good for business — which is really the point of all this activity anyway.
Michael Daniel was Special Assistant to President Barack Obama on cybersecurity; he is CEO of the Cyber Threat Alliance.