We are a culture of “likes,” numbers and ratings. In today’s age, we have easy access to any public information on the internet, and thanks to the explosion of big data, we also have the ability to view, manipulate and compare numbers in a variety of ways. We’ve been conditioned to ask for the numbers in order to analyze them and tell a story, and this conditioning applies to everything from our personal Instagram accounts to our FICO credit scores. Ratings and the data behind them are important to our society, and nowhere is this more evident than in the business world.
Every business leverages data to evaluate its strengths and weaknesses. Whether you run a Fortune 100 financial institution or a smaller regional bank, your numbers tell the story of your organization’s appeal and economic health. Numbers not only inform the direction of your company; they also explain its current standing. So, what if we started using a unified rating system for evaluating cybersecurity, as we do in every other aspect of business?
This system is already underway. The U.S. Chamber of Commerce recently announced that finance titans like Goldman Sachs, Morgan Stanley and JPMorgan Chase, as well as retail giants like Starbucks and Home Depot, are combining efforts to establish shared principles for cybersecurity ratings. Meanwhile, the U.S. Chamber of Commerce has stated that a central security ratings system would allow organizations to review their own scores to identify weaknesses and seek the ratings of their partners, vendors or acquisition targets to evaluate risks.
There is no one-size-fits-all prescription for evaluating cybersecurity, and based on each organization’s size, industry or needs, developing these standards will require a tailored approach. From my perspective, having an offensive strategy and becoming more attacker-resistant are some of the most important aspects of cybersecurity -- and they should play a major role in defining these new ratings. With this approach in mind, here are the top areas I think every organization needs to consider when assessing their security posture, regardless of size or industry:
Know Where Your Risk Is Coming From And Have A Clear Understanding Of Your Data
To protect your business from hackers, you need to know where your risk lies and which areas of your business you have actually accounted for. Penetration testing (or pen testing) is the standard way for organizations to proactively find and fix weaknesses in computer systems, networks, web applications and other assets that criminal hackers/attackers may try to leverage to gain access. Implementing pen testing is important, but understanding the output and value of a security assessment is key: you need auditability, clear-cut metrics and actionable data so you can tell what has been tested and how, and what has been fixed versus what hasn’t.
Think Like A Hacker: Always Be On The Offensive
We believe that offense is your best defense -- thinking like a hacker will help point to your company’s security vulnerabilities. Point-in-time security is not the ideal model, because IT teams are constantly dealing with changes in their environments; an annual security check-up will leave you vulnerable between assessments. As technology changes, so does the threat landscape, and security approaches need to evolve with it. Malicious hackers work around the clock to breach you, and they only need to be right once to take down your site, or worse. Security teams need to monitor continuously and keep up to date with new hacking methods, which makes continuity key.