As we’ve all seen in the predictions for 2019, more and more cyber attacks and data breaches are expected. Statistically, it only makes sense: with more organizations embracing digitization, the more organizations that are at risk for a cyber attack.
For CISOs today it is more a matter of when than if you will be attacked. Don’t lose hope though. I’m not saying throw in the towel and bring down the firewall. Instead, as a modern security leader, you must prepare yourself for a shortcoming. Just like any other business unit leader, you will miss projections, and there will be times when missteps occur. What we must do as security leaders is to reduce the probability that a data breach will happen and aid in the response when it does.
People and Culture
The foundational aspect to both reducing the probability of a data breach as well as mitigating the damage when it does is your entire organization. To date, information security has been confined to one business unit, and to this point that has been fine - the tools and platforms that the entire enterprise had access to passed through IT as their integration and procurement was too complex for anyone else. Not so anymore. The ability to rapidly adopt new tools has spanned beyond the IT team into the entire organization. Without a risk-aware culture, these business units that take in new technology are creating an ever-expanding attack surface. As more information comes to light about the Marriott data breach, it is more and more suspected that the intruders accessed the systems through employee credentials. With a robust risk-aware culture in place, you are not eliminating the possibility of a breach but significantly reducing the risk of a data breach.
The face value of propagating a risk-aware culture (reducing the probability of a breach) aside, there is a more public-facing reason for educating the entire business on risk: a business’s employees are its greatest advocate or weakness. When a breach does occur, an organization’s employees can come to its defense. We haven’t seen this event take place, where employees come to the defense of an employer on their data security, but we have seen the opposite. Returning to the Marriott data breach, Vox reported that some employees stated that the centralized reservation system (the primary source of the data) was difficult to secure. While this is not the source of Marriott’s problems, it does not help their position. By implementing strong culture practices and education around digital risk, employees can turn into advocates when a breach does occur - helping support your argument that you did everything possible to ensure it didn’t happen.
Gartner predicts that by 2022, business continuity teams will be rolled up into the greater risk management organization - no longer a free-standing unit. The digitization of an enterprise is a tectonic shift in the way these organizations approach their business. These shifts result in a need to rethink the structure of the organization. Siloed, fragmented organizations will fail at a higher rate than those that are integrated and collaborate. The same is true for security organizations: when a breach occurs, especially today, the entire enterprise falls under scrutiny. Stakeholders, both internal and external, demand answers. The increased education and access to information that these audiences have means that almost every aspect of the organization falls under scrutiny. When a breach occurs, the knowledge that the security organization (or lack thereof) was fragmented and the disparate teams weren’t communicating can be especially damning. The converse of that, though, is also true: an integrated risk approach can become an asset in your defense of a breach. Rather than hiding an incomprehensible org chart, you can say that your integrated team was doing everything possible to reduce the risk of a data breach.
The last piece of your risk reduction needs to come from a solution to augment your team’s ability. The tools that your team uses can be seen as a symbol of how your organization sees your business unit. In the event of a data breach, everything falls under scrutiny - even the tools you are using. Spreadsheets are a hard sell when you’re trying to convince an angry customer base that you’re taking security seriously. The tools available to security leaders today are too useful and easy to use for your organization to run on spreadsheets. Using tools with a live threat feed, AI-backed risk remediation plans, and built around an integrated risk management approach show your CEO, your board, and the public that you are doing everything in your power to reduce the risk of a data breach.
It’s When Not If
The powerful combination of culture, people, and technology can significantly reduce your risk of a breach, but not eliminate it. There’s no such thing as a completely secure organization that is still functioning. As security leaders, we cannot allow ourselves to be held to different standards than any other business leader: CFO’s will miss revenue projections, COO’s will miss unit demand, and CISOs will be present for a breach. It will happen. All business leaders, though, must work to make sure it doesn’t, and so do security leaders. Security leaders have an advantage, though - security, unlike many business functions, is a team sport. By developing the three pillars of a secure organization: culture, organization, and solution, you can both mitigate the risks of a data breach while also lessening the blowback when it does.