
Data Breaches WILL Happen: The Three Pillars Of Mitigation


As the predictions for 2019 make clear, more cyber attacks and data breaches are expected. Statistically, that only makes sense: the more organizations embrace digitization, the more organizations are exposed to attack.

For CISOs today it is more a matter of when than if you will be attacked. Don’t lose hope, though. I’m not saying throw in the towel and bring down the firewall. Instead, as a modern security leader, you must prepare for the day something gets through. Just like any other business unit leader, you will miss projections, and there will be times when missteps occur. What we must do as security leaders is reduce the probability that a data breach will happen and be ready to aid the response when it does.

People and culture

The foundation for both reducing the probability of a data breach and mitigating the damage when one occurs is your entire organization, not just the security team. To date, information security has been confined to one business unit, and until now that has been fine: the tools and platforms the enterprise had access to passed through IT, because their integration and procurement were too complex for anyone else. Not so anymore. The ability to rapidly adopt new tools has spread beyond the IT team into the entire organization. Without a risk-aware culture, the business units taking in new technology are creating an ever-expanding attack surface. As more information comes to light about the Marriott data breach, it is increasingly suspected that the intruders accessed the systems through employee credentials. A robust risk-aware culture does not eliminate the possibility of a breach, but it significantly reduces the risk of one.

Setting aside the face value of propagating a risk-aware culture (reducing the probability of a breach), there is a more public-facing reason for educating the entire business on risk: a business’s employees are its greatest advocates or its greatest weakness. When a breach does occur, an organization’s employees can come to its defense. We haven’t yet seen employees come to the defense of an employer over its data security, but we have seen the opposite. Returning to the Marriott data breach, Vox reported that some employees stated that the centralized reservation system (the primary source of the compromised data) was difficult to secure. While this is not the source of Marriott’s problems, it does not help their position. By implementing strong culture practices and education around digital risk, employees can become advocates when a breach does occur, supporting your argument that you did everything possible to prevent it.

Organization

Gartner predicts that by 2022, business continuity teams will be rolled up into the greater risk management organization rather than remaining free-standing units. The digitization of an enterprise is a tectonic shift in the way organizations approach their business, and it forces a rethink of organizational structure. Siloed, fragmented organizations will fail at a higher rate than those that are integrated and collaborate. The same is true for security organizations: when a breach occurs, especially today, the entire enterprise falls under scrutiny. Stakeholders, both internal and external, demand answers, and the education and access to information these audiences now have means that almost every aspect of the organization is examined. When a breach occurs, the knowledge that the security organization (or lack thereof) was fragmented and that disparate teams weren’t communicating can be especially damning. The converse is also true: an integrated risk approach can become an asset in your defense of a breach. Rather than hiding an incomprehensible org chart, you can say that your integrated team was doing everything possible to reduce the risk of a data breach.

Solution

The last piece of your risk reduction needs to come from a solution that augments your team’s ability. The tools your team uses can be seen as a symbol of how the organization views your business unit. In the event of a data breach, everything falls under scrutiny, including the tools you use. Spreadsheets are a hard sell when you’re trying to convince an angry customer base that you take security seriously. The tools available to security leaders today are too useful and too easy to use for your organization to keep running on spreadsheets. Using tools with a live threat feed, AI-backed risk remediation plans, and an integrated risk management approach at their core shows your CEO, your board, and the public that you are doing everything in your power to reduce the risk of a data breach.

It’s When Not If

The combination of culture, organization, and technology can significantly reduce your risk of a breach, but it cannot eliminate it. There is no such thing as a completely secure organization that is still functioning. As security leaders, we cannot allow ourselves to be held to different standards than any other business leader: CFOs will miss revenue projections, COOs will miss unit demand, and CISOs will be present for a breach. It will happen. All business leaders must still work to make sure it doesn’t, and so must security leaders. Security leaders have an advantage, though: security, unlike many business functions, is a team sport. By developing the three pillars of a secure organization, culture, organization, and solution, you can both mitigate the risk of a data breach and lessen the blowback when one does occur.
