Whether it's ransomware taking the world by storm, or a company losing huge amounts of customer data, we are bombarded with stories about the latest data breach or cyber-security threat. This is a growing trend that is being exacerbated by the fact that we rely on technology more than ever. New developments such as the Internet of Things (IoT), Artificial Intelligence (AI) and Machine Learning are opening new doors for businesses, but also contribute to the fact that the attack surface is growing larger by the day.
These high-profile breaches are having a huge effect on businesses for many reasons. Not only are the fines getting larger, and set to increase even further once the new EU General Data Protection Regulation (GDPR) comes into force next year, but consumer trust is at an all-time low. Consumers are becoming increasingly savvy and many have even boycotted companies that mishandle data. In short, breaches and protecting against them are costing companies more and more each year, to the point that cyber-security is undoubtedly an issue of business risk. Yet, in spite of all of these highly publicised attacks and rising costs to the business, the vast majority of organisations still see cyber-security as an IT issue, with business leaders and their IT security teams either unwilling or unable to collaborate to effect change.
The Gap of Grief
A large part of this problem is that CISOs, and security staff in general, are often unable to translate the challenges, risks and problems of cyber-security to the rest of the company, particularly the board. This is creating what I call a “Gap of Grief”, referring to the void in understanding of how security issues can create huge problems in an organisation. To give an extreme example of how damaging such a gulf in communication of vital information can be, in 1986 the Space Shuttle Challenger tragically broke apart 73 seconds into its flight, killing all seven crew members. This was caused by a faulty instrument that the technical crew predicted would fail under the specific weather conditions on the day of the launch. However, they had no way of reporting the risk to the right people, with the appropriate urgency and confidence.
In cyber-security terms, the problems created by not being able to report security issues effectively to the appropriate people at the right time are myriad. We have seen examples of this in the past when a major breach occurs. The CEO tours television and radio studios in a bid to dispel negative press and to assure the public that their data is safe with the company. This often backfires when it becomes apparent that the CEO has very little knowledge of their company's cyber-security operations, let alone how the breach occurred or how many customers were affected. The CEO is effectively sent over the top without a helmet.
This is a problem born out of complexity. As the bad guys have evolved their techniques, companies have upgraded theirs with shiny new tools that are increasingly difficult to understand, especially for those outside the security team. Consequently, this has further extended the gulf in understanding between the IT department and the rest of the company.
Additionally, risk and value are hard to prove in security, and most security professionals are bad at communicating both. Many a CEO has been left baffled by the prospect of spending money on a data breach that hasn't yet happened, and may never happen. Without an adequate explanation of the potentially catastrophic business risks – financial, operational and reputational – it is nigh-impossible to convince senior executives of the value of cyber-security investments, or to understand where to prioritise them. This is why security professionals urgently need to become better storytellers, ditching the jargon for clear, concise and actionable advice in terms that the business understands. Likewise, business leaders must ensure that the people they've charged with defending their networks understand the overarching objectives of the business, so that both are pulling in the same direction. After all, we've proved time and time again that a siloed approach to security does not work. Security needs to be driven by the business, not just IT.
To create a business-driven security strategy, businesses must first identify where their assets or “crown jewels” are, and where they are most vulnerable to attack. Through this, they will be able to assess the risk to the business if those assets were compromised, and allocate resources appropriately.
Secondly, they should build a defence strategy tailored to those particular assets and vulnerabilities, with clear cost/benefit relationships outlined. The strategy should be holistic – it should include people and process, as well as the investment in technology.
Thirdly, companies need to determine the gaps between their current security situation and where they would like to be in an ideal world, and get to work immediately on plugging those holes. During this phase, the gaps should be ranked by the risk they pose to the company, and the widest ones addressed most urgently.
This entire process needs to be repeated continually throughout the business. It is also crucial that response plans are in place should a breach occur.
There is a case to be made that cyber-criminals are winning the battle in the cyber-war. Major breaches are occurring with alarming regularity, and they keep getting bigger. Vendors are bringing out new products that try to level the playing field, but this will never happen if the right people within a company aren't engaged with cyber-security. If there is no change in the way we think about cyber-security, and a business-driven strategy is not put in place, then this is a trend that will continue to grow apace.
Contributed by Rashmi Knowles, EMEA field CTO, RSA
Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.