Think You Have a Good Handle on Cyber Security?

Congratulations, you lead a successful and significant company with smiling investors. While growing your company, you’ve accumulated a surplus of incredibly valuable and proprietary customer data. This is great for data analytics and optimizing your customer research initiatives but now you’re one ugly click away from a public relations nightmare, loss of hard-earned IP, and fines or lawsuits that could severely harm your company. The worst part? You never see it coming.

You’ve been given assurances by in-house technical support but in a language you don’t speak.  You want security, but you have a competitive business to run and you can’t be slowed down. You’ve been told that the “cloud” has to be leveraged in order to remain competitive, but you’re not really sure what that means.

You’ve authorized a lot of money for cyber security solutions but have no idea what’s happening under the hood or if your risks have been lowered.

“Is my data secure and who can access it?” All you need is an answer, yet it’s proven very difficult to find.

Good news. There is a way to answer these questions with high confidence, but most companies don’t know how to think about cyber security in a strategic way.

It’s a huge undertaking, so who can blame them?  The problem of illicit access to data via Internet intruders and the immense cyber security industry that has been created in response, is tremendously complex.  Most companies aren’t sure what’s the right approach.

We know something’s not working since at no time in our history has more money been spent on cyber security related products and services–and yet at no other time have we been more successfully attacked.  For over ten years we’ve seen high-profile data thefts and compromises that have embarrassed and financially injured well known companies. These attacks continue today at an alarming rate. So why hasn’t this problem been fixed?

The primary reason is that many companies do not think of defending themselves in a strategic way or managing cyber threats as a corporate risk.  Instead, money is flung at standard “anti-this or that” products focused on building a temporary perimeter wall that is inevitably breached.

In fairness to senior decision-makers, the cyber security industry has grown over the last decade and is incredibly crowded and noisy.  It’s hard to know what is truly needed and effective. Some companies still believe that sufficient law enforcement deterrence will mitigate cyber attacks. In reality, the anonymity and remote access provided by the Internet make the arrest and incarceration of bad actors a rare occurrence.

Companies must take responsibility to adequately protect themselves.  No one is going to ride to the rescue.

There still may be companies who believe that they are not logical targets for attack and intrusion due to their relatively small size or “uninteresting” products or services.  Today, everyone is fair game and an attractive target for at least two reasons:

1.) All companies have data that can be monetized by criminal elements.  Customer and employee data has terrific value on the digital black market of personal data that can be resold for any number of nefarious purposes.

2.) Most companies today are part of a larger supplier ecosystem.  While your company might be a provider of the “nuts and bolts”, you are still part of the supply chain that finds its way into a power plant or a business operation of similar magnitude.  Many successful intrusions into sensitive industries begin with a compromise of a supplier system.

In our interconnected global economy, hardly anyone swims alone.  Responsible cyber security is a must.

Cyber security is daunting but it can be demystified and made exponentially more effective and cost-efficient if companies are willing to take a more strategic approach to the problem than what is common today.

The first step is to gain needed perspective by making an honest, objective assessment of where the company stands in its ability to protect itself.  Without such an assessment, a strategic plan will simply be an intuition plan.

A good assessment will inform a strategy by evaluating threats, vulnerabilities, current protections, and resilience.  Sounds basic, but in our experience, many companies struggle even simply to identify and agree upon what is their most important data.

Armed with a baseline understanding, cyber security decisions become more informed, targeted, and efficient.  This is especially helpful as technology enables or, in some cases, even forces companies to make choices that have tremendous security implications.

Two current dynamics have IT professionals scrambling:  1.) Connectivity to remote devices and 2.) Leveraging cloud services. Businesses are being forced down these pathways to remain relevant in their industry. Both of these innovations are becoming essential in the business world, but they come with significant security ramifications.

Cloud solutions, in particular, are highly attractive since, at minimum, they enable scaling without adding infrastructure.  But “the cloud” also seems counter-intuitive to a more secure data environment.  After all, why take data out of your own filing cabinets and put it in someone else’s?  It doesn’t seem to make sense until the advantages are demonstrated. As companies digitize more and more data, the potential attack vectors increase.  The right cloud solution will actually reduce the attack surface.

Think about the way organizations already store and manage their most precious “data”, their money.  Companies don’t keep their accounts receivable in a lock box in someone’s desk.  Income is put in a bank for optimum security and convenience of transaction.  Banks are a money cloud.  Account holdings are ones and zeroes.

Cloud service providers act in an analogous way with valuable corporate data.  But, like banks, there are many to choose from with differing cost and value propositions.  Selecting the right provider should be informed by a cogent cyber security and financial strategy; it is more than simply an IT decision.

When trying to solve for cyber protection don’t simply allocate larger IT budgets to be spent on fixes, patches and the latest cyber-security products. Instead, define an organizational digital strategy that will support and foster business operations (outline the core business processes and their dependence on technology).

Next, create a map of the digital ecosystem that captures internal technology assets, external applications, communication channels and other internet facing “things” (e.g., office smart TV). This exercise will help to quantify an organizational value at risk. Based on that organizational value, the company can then decide how much risk it can tolerate and how much risk needs to be hedged. Bigger doesn’t mean better, therefore create an IT infrastructure that is custom-made to fit the direct business needs and finally answer the question “is my data secure and who can access it?”

Contributor:

Kevin R. Brock (FounderBrockCRS)
Mr. Brock brings a rare mix of experience from the highest level of the FBI, the Office of Director of National Intelligence, acclaimed management firm Booz Allen Hamilton and his own entrepreneurial initiatives.

Michael Abboud (CEOTetherView)
Mr. Abboud has more than 15 years of Healthcare and Business Technology experience leading teams across multiple industries to successful outcomes. His early career was in global operations assisting with transitioning IT platforms at Goldman Sachs.