When it Comes to Cybersecurity, Take a Good Look in the Mirror

Recently, we participated on a webinar panel – What You Need to Know about the FFIEC Cybersecurity Assessment Tool – where audience members were asked the following question:

How would you rate your organization's cybersecurity maturity level today?

Possible options (taken directly from the FFIEC CAT) for the attendees were:

  1. Baseline – meets the legal minimum; compliance-driven objectives
  2. Evolving – risk-driven objectives in place; cybersecurity formally assigned and broadened beyond protection of customer info
  3. Intermediate – detailed, formal processes with consistent controls; risk management integrated into business strategies
  4. Advanced – formally assigned throughout the business; automation and continuous improvement
  5. Innovative – cutting edge practice potentially extending beyond firm

Interestingly, a majority of attendees put their organizations’ cybersecurity maturity level at “Evolving”.

There are two ways to look at this:

  1. The pessimist would say that organizations have a long way to go still with protecting information (the regular stream of data breach headlines back this up).
  2. A more positive outlook is that through real self-assessment, understanding where we are and where we need to reach is a good thing.

Many folks who aren't in cybersecurity and/or don't follow cyber-related news have an enormous false sense of security. People are too trusting and too curious. Cybercriminals know this and use it to their advantage. So it's good to see that, as security professionals, many are taking a good hard look in the mirror and recognizing where we are. Now the question becomes: what do you do, and where do you go from here?

Clearly, doing the same thing over and over again isn't working. Cybersecurity is not a technical problem; it's a business problem in a technical venue. Cybersecurity should, and can, be viewed in the same way other parts of the business are run.

Another important self-assessment to make is recognizing that you cannot defend everything perfectly. There simply are not enough resources or budget to do so. Shifting from a reactionary mindset to a proactive, data-driven intelligence approach can help you focus on your biggest cyber risk areas.

Look at data, analyze it, understand trends and make decisions. This approach is relied upon to run other areas of the business – it's what business intelligence is all about. And it can be applied to cyber risk mitigation. The business and IT security sides of the house need to work together and look at cyber from a risk perspective. What are your high-value targets (what would a "bad guy" go after, and why)? Then, what vulnerabilities and threats are out there that apply to those targets?

Looking at your cybersecurity program and your risk posture through this lens can help you unearth big problems that are coming or identify active threats to your sensitive information and brand. An organization’s appetite for risk is fluid – when all is quiet on the cyber front, there is typically less urgency. That urgency level increases significantly if an organization is breached. But waiting for all hell to break loose isn’t usually a good strategy from a risk management perspective.

In spring, we're told to change the batteries in our smoke detectors as a precaution. I'd suggest we take a step back and take an honest look in the mirror to see where we are from a security perspective, and how we can use threat intelligence to drive more effective risk mitigation decisions.

Author: Sam Erdheim

Sam Erdheim has more than 15 years of experience across all facets of marketing and product management for enterprise software companies. Mr. Erdheim has spent the past 10 years in the information security space, most recently serving as Director of Marketing for AlgoSec, a security policy management vendor, where he was responsible for leading the strategy and development of the company's corporate and product positioning, content and communications. Prior to AlgoSec, Mr. Erdheim served as Director of Marketing at Lumension, an endpoint security provider, where he drove a comprehensive demand generation program that supported more than a third of the sales pipeline and created an automated email nurture campaign that received a Gold Medal from MarketingSherpa. Previously, Mr. Erdheim served in product management and marketing roles for other technology companies such as Softek (acquired by IBM Global Services), iLumin (acquired by CA) and Thomson Financial. Mr. Erdheim is a graduate of Tufts University.
