Shifting the Paradigm – Strategy over Technology
By: Yair Solow
Does this sound familiar? Utilizing legacy security tools to protect an organization with limited budgets against an ever-growing landscape of threats while also migrating over to the cloud? Welcome to the remarkable and unenviable task facing today’s CISO.
The average tenure for today’s CISO is roughly 18 months. Much of this limited time is spent patching past inefficiencies rather than focusing on tomorrow’s challenges. The cyber sentries are fighting on an asymmetric battlefield, facing a systemic disadvantage, leaving too many CISOs destined for failure.
The starting point for giving CISOs a fighting chance is to get into the mind of the attacker. What motivates them and how can we use that to our advantage? Most cyber criminals are motivated by money but are also limited by financial constraints. An attacker can only ‘invest’ so much in an attempted breach. Understanding that a hacker’s weak point is financial, we need to frustrate them relentlessly. By making it as hard as possible to breach our systems, we can quickly convince attackers that there are easier targets out there.
By studying previous breaches, companies can learn important lessons to ensure they do not become tomorrow morning’s headlines. For the vast majority of CISOs, the last cutting-edge security tool or solution they deployed will have been designed to address a recent challenge. While that tool may be technologically excellent, it was most likely a response to a recent attack, trend or threat – a threat which is already yesterday’s weapon. The unfortunate reality is that whichever tool was recently utilized will probably soon be obsolete. Cyber criminals never stand still. A new threat is already on the horizon.
The time has come to change the paradigm. Taking a different approach, we can change the rules of engagement in the world of cyber defense. By looking at things strategically rather than tactically, CISOs can finally gain the upper hand. It’s not dependent on AI, big data, blockchain or whatever the latest ‘magic’ tool may be. Addressing yesterday’s attacks with solutions that may be redundant is not the answer, nor is ignoring the problem. Additionally, the problem lies not only in technology. Cyber risk is all-encompassing. The cyber battle is fought in processes and procedures, human resources, physical security, cyber intelligence and administration. A strategic approach that identifies risks and prioritizes solutions accordingly is the path to success.
Cyber risk management may not be the most sexy or exciting element of cyber security, yet it is the most crucial piece of the puzzle. It is the framework which holds the puzzle together. Without clearly defining the risks, cyber defense will always be limited to deploying tools to address outdated threats. Unless strategic risk management becomes a priority, significant cyber threats will persist.
So how do you get started? The shift to a more strategic line of defense requires a three-phase process:
Phase I - Start by identifying and categorizing your assets. What are your crown jewels? What would cause real disruption to your business? What will cause you reputational damage? What might damage you financially? No less important, what can you live without, at least temporarily?
Phase II – Quantify the impact of a potential attack on the assets defined in phase 1 and then correlate the probability of an attack on them. This is where it becomes critical to align your physical security, people, processes and resources. This is where your cyber intelligence and real planning can be the difference between millions of dollars lost or saved.
Phase III - It is all about constant maintenance and updating of your cyber risk program. Now that you have completed phase I and II, you have the guidelines and structure to improve your risk posture. Address the burning issues and constantly improve. You are only as protected as you chose to be.
Overall, cyber risk management is not about eliminating all of the risks, rather it’s about managing them. Cyber security is not confined to the work of a CISO. It is a business decision which requires proactive rather than reactive steps. Deciding which cyber risks are tolerable and which are not, will do more to defend your assets than any single tool. It means that if and when a breach takes place, an effective procedure is already in place to mitigate and minimize loses and ultimately, keep your business running successfully.