Today is the first day of Cybersecurity Awareness Month, a fitting occasion to reexamine some key principles that security organizations should keep in mind as they establish a cyber-risk mitigation program that their leadership can trust.
In recent years Haystax Technology and our parent company Fishtech Group have helped a diverse array of government and private-sector organizations develop and deploy data-driven cybersecurity solutions. This experience has given us a front-row seat on the main issues organizations have had to confront as they strive to assemble the most effective cybersecurity program possible.
The following are among the most common lessons our partner organizations have learned:
- Cyber-hygiene is not enough: Most cybersecurity efforts have focused on cyber ‘hygiene’ through compliance with a set of recommended but unenforceable standards. Rather than checking boxes, however, what’s really needed is a holistic cyber-risk framework that is analytically sound and scientifically grounded, in other words a solid commitment to risk-based assessments and responses, so that the most serious cybersecurity threats can be accurately understood and prevented. Security teams should ask questions like “which threats are most likely to occur?” and “what are our greatest vulnerabilities?” Translating the answers into business terms is key, and measuring them so that risks and countermeasures can be prioritized is essential.
- Network data is not enough: Many organizations are still trying to detect their biggest external and internal threats based mainly on network logging and aggregation. But the earliest indicators of such threats lie in human actions and attitudes. Security teams that are proactive and focused on data-driven cybersecurity therefore need to find ways of bringing in more unstructured data from unconventional sources that will reveal behaviors well in advance of an actual event. After all, you can’t discipline or fire an endpoint.
- Technology alone is not the solution: To hear many security vendors tell it, they’ve already developed the perfect all-encompassing cybersecurity solution. The reality, however, is that a truly holistic cyber-risk management program requires a well-thought-out and well-coordinated set of protocols and routines that encompass people, process and technology. No tool on its own will protect an organization if the server room door is left unlocked, or if staff aren’t drilled not to click on a suspicious email. Continuous training and education, along with easily understood policies implemented from the top down with no exceptions, are just as critical as the best firewall or SIEM tool.
- Cybersecurity must start at the top: A bottom-up approach to cybersecurity, often originating in the IT security unit, is common, but securing C-Suite buy-in after the fact can be a struggle. In today’s environment, where a robust cybersecurity risk management program is essential to the ongoing viability of the entire organization, the commitment and momentum must come from the top. Moreover, cybersecurity must be a consensus priority for all elements of leadership, starting with the CEO but vitally including the CIO, CISO, CTO, CFO and the top legal and risk-management leaders in the organization. And because a holistic approach involves people and process (see above), HR also must be on board. Since a cyber attack can impact the organization’s systems, finances, people, facilities and even reputation, it really is a matter of all C-Suite hands on deck.
# # #
NOTE: To learn more about how Haystax Technology’s artificial intelligence-based approach is revolutionizing cybersecurity, read our joint Haystax-Forrester Research paper.