Even the most insulated CXOs and C-suite members are certainly cognizant of the constant stream of news related to cyber attacks. News feeds are full of reports of IT security breaches, to the point where awareness is no longer an issue. My own mother mails me cybersecurity articles cut out from her local newspaper.
Good executives devote time to understanding the risk in their organizations and play an active role in implementing cybersecurity practices, if for no other reason than to attempt to stay off the evening news and avoid the impact to stock prices. Boards have increased their interest, as well, as they recognize that cyber risk management and regulations require their oversight as much as any other risk to the business.
But no matter how much attention (or budget) is lavished on cybersecurity, executives need to understand that getting hacked isn’t a matter of if but when. This is the new normal in cybersecurity, and it changes the approach to preparation and risk management.
Mitigating Cyber Risk Means Understanding Time
In cybersecurity terms, there is protection time and exposure time. Protection time can be defined as the collective ability of your security policies, controls, people and processes to identify and protect the confidentiality, integrity and availability of your sensitive information and IT services for a certain amount of time against specific threats. In simpler terms, protection time is analogous to a fire-proof safe that you buy for your home that can protect cash up to 400 degrees Celsius for 30 minutes. You know what it can protect (cash), for how long (30 minutes) and against what threat (a 400-degree fire).
Exposure time acknowledges the fact that we live in a world full of hackers who get better at their craft every day. It is composed of the time it takes to detect, respond to and recover from a cyber attack that is attempting to penetrate the protections described above. In our analogy, it would be the equivalent of a home alarm system that can detect a fire and contact a call center, which attempts to confirm with the homeowner whether the alarm is legitimate and sends the fire department to extinguish the fire. Ideally, the exposure time is less than the protection time, in order to avoid the loss of confidentiality, integrity or availability.
Mitigating cyber risk means increasing the protection time within the necessary limitations of a budget. But it also means building the necessary organization and orchestration to minimize exposure time, because no amount of protection will be foolproof, as we’ve seen time and again from the parade of breaches in the news.
Protection Must Be Subordinate To The Needs Of The Business
Increasing protection time, though, is limited by more than budget. If security were the only consideration, organizations would simply disconnect from the internet and worry only about the insider threat. Obviously, that is not possible today, with trends towards ever-increasing digital business transformation. Protection is limited also by a need to conveniently enable secure business communications and transactions, not only internally but with an ever-expanding pool of partners, vendors, customers and the coming internet of things.
The way this manifests can be seen in resistance to certain security controls, such as the requirement to use passcodes on mobile phones (something that former Yahoo CEO Marissa Mayer famously refused to do) or the use of cloud services that circumvent the controls of the security organization altogether (also known as “shadow IT”). Security organizations struggle to meet the expectations of business users for both ease of use and prevention of breaches, especially when business users have a perspective that security is the responsibility of the security organization exclusively. But in the ongoing balancing act, business priorities will always take precedence.
Reducing Exposure Time Is The Fallback Plan
Since the pressures of budget, convenience and ever more skilled attackers are working to shrink protection time, organizations must plan for the inevitable. Someone in your organization is going to click the link in a phishing email that installs malware on their computer, which becomes the beachhead used to expand access to sensitive information. A server with a known vulnerability is going to go unpatched and allow an attacker to access it remotely. When that happens, the investment in reducing exposure time is going to pay off.
Exposure time is a combination of the time necessary to detect, respond to and recover from an attack in progress. This requires monitoring the hybrid environment — both internal to your organization as well as with cloud providers — developing response procedures with training for those responsible, and having appropriate recovery planning that includes the ability to restore from backups and communicate with internal and external stakeholders.
That may sound simple, but many organizations fail to invest adequately in this area, believing that their firewalls and other protective measures are adequate. Complicating the effort to reduce exposure time is a common disconnect between IT security and IT operations teams, who often use different tools and have different priorities. IT operations is primarily interested in the performance and availability of IT services, and it tends to have jurisdiction over making changes to systems in production. A security team that is trying to shut down the exfiltration of data from a database will not typically have the authority to shut down that database, for example. Executives can help by emphasizing that security is everyone’s responsibility and by working to reduce the artificial boundaries between teams that can increase exposure time.
The fundamental truth that the C-suite needs to understand is that there will come a day when a successful cyber attack will occur in your environment. Knowing this provides the catalyst for helping your organization prepare for that eventuality adequately.
- Content by: Travis Green on Sept 12, 2018
- Originally posted at: https://www.forbes.com/sites/forbestechcouncil/2018/09/12/explaining-the-new-normal-in-cybersecurity-to-the-c-suite/#46897c19568a
Ready to protect your data? What You Can Do:
- Immediately, install a FREE 30-day Trial of EZProtect Antivirus and connect it to your Salesforce org(s) to start scanning files, document uploads, or chatter for viruses or malicious content. Once this is complete, you will have a sense of how many files your organization scans per month and you will be well poised to convert to a paid plan.
- You may also download the full brochure with FAQs and schedule a demo to better understand how the tool works inside and outside of Salesforce by visiting www.adaptus.com/portfolio/ezprotect/.