Cybersecurity Is Not a Device
Jamie holds a challenging, daunting position at her highly reputable organization. She’s in charge of cybersecurity. She drew the short straw, and now her board of directors -- made up of investment bankers, former C-level executives and current leadership -- has set an expectation that it won't be the next company on the front page of the Wall Street Journal for having a major security breach.
“Are we secure?” the board members ask, expecting a confident response from Jamie. The answer to this looming question is never a straightforward “yes” or “no,” and Jamie knows this. But how does she communicate that to the board of directors? It’s complicated, complex, difficult to track, scary and expensive. This multifaceted problem can’t be solved by simply buying another security device. It takes a programmatic, trackable, risk-based approach. It takes time and perspective.
Like Jamie’s board of directors, stakeholders in most organizations want the peace of mind that comes with confidently knowing secure practices are in place. Unfortunately, most aren’t aware of all that is involved in getting there. Cybersecurity remains among the hottest points of contention when speaking to leadership, executives and corporate boards across the globe. The problem: What is needed for a company to be secure varies greatly, and no one seems to understand how to capture exactly what it is or how to manage it. Non-technical leadership is required to make business-sensitive, strategic decisions on cyber-centric matters, and often with a lack of knowledge of how to make such conclusions. Through client trials, industry perspective and a benchmark for what “good” looks like, I'm hoping to help simplify the equation, remove misconceptions and provide strategic guidance for building peace of mind at your organization.
Common Cybersecurity Misconceptions
We find that many organizations believe cybersecurity is a device, such as a modern firewall. Perimeter defense, universally associated with a firewall, is of critical importance. While device-based solutions to cybersecurity management remain the most common misconception, we find many firms also have complementary programs that provide a false sense of security. Devices don’t prevent data breaches on their own -- mature processes do.
A second misconception: Public companies must be compliant with the Sarbanes-Oxley Act to feel a sense of security in the cyber arena. SOX was designed to implement and test controls that are necessary to prevent a financial misstatement. Many controls critical to a mature cybersecurity program exist outside the scope of SOX.
Attributes Of A Mature Cybersecurity Program
The scale at which one builds an effective cybersecurity program is seemingly endless. No matter how large or small your budget is, those dollars must be spent wisely among full-time employees, security devices and process refinements. To instill peace of mind, sometimes the wisest investment is understanding what you’re investing in. It's important to make distinctions when it comes to particular areas of risk. For example, in terms of controls, a need would be user access controls, while a nice-to-have feature would be continuous monitoring and auditing and control mapping to a trusted framework. For perimeter defense, necessities would include modern firewalls, routers and switches, while some beneficial add-ons might be security information and log management. And in terms of software, anti-virus and anti-malware programs are a must, whereas a software-defined perimeter would be a bonus.