
Data Breaches WILL Happen: The Three Pillars Of Mitigation


As we’ve all seen in the predictions for 2019, more and more cyber attacks and data breaches are expected. Statistically, it only makes sense: the more organizations embrace digitization, the more organizations are exposed to attack.

For CISOs today it is more a matter of when than if you will be attacked. Don’t lose hope, though. I’m not saying throw in the towel and bring down the firewall. Instead, as a modern security leader, you must prepare yourself for a shortcoming. Just like any other business unit leader, you will miss projections, and there will be times when missteps occur. What we must do as security leaders is reduce the probability that a data breach will happen and aid in the response when it does.

People and culture

The foundation for both reducing the probability of a data breach and mitigating the damage when one occurs is your entire organization. To date, information security has been confined to one business unit, and up to this point that has been fine: the tools and platforms the enterprise had access to passed through IT, because their integration and procurement were too complex for anyone else. Not so anymore. The ability to rapidly adopt new tools has spread beyond the IT team into the entire organization. Without a risk-aware culture, the business units that take in new technology are creating an ever-expanding attack surface. As more information comes to light about the Marriott data breach, it is increasingly suspected that the intruders accessed the systems through employee credentials. With a robust risk-aware culture in place, you are not eliminating the possibility of a breach, but you are significantly reducing its likelihood.

The face value of propagating a risk-aware culture (reducing the probability of a breach) aside, there is a more public-facing reason for educating the entire business on risk: a business’s employees are its greatest advocates or its greatest weakness. When a breach does occur, an organization’s employees can come to its defense. We haven’t yet seen employees come to the defense of an employer over its data security, but we have seen the opposite. Returning to the Marriott data breach, Vox reported that some employees stated that the centralized reservation system (the primary source of the data) was difficult to secure. While this is not the source of Marriott’s problems, it does not help their position. By implementing strong cultural practices and education around digital risk, employees can turn into advocates when a breach does occur, helping support your argument that you did everything possible to ensure it didn’t happen.

Organization
Gartner predicts that by 2022, business continuity teams will be rolled up into the greater risk management organization and will no longer be a free-standing unit. The digitization of an enterprise is a tectonic shift in the way these organizations approach their business, and such shifts require rethinking the structure of the organization. Siloed, fragmented organizations will fail at a higher rate than those that are integrated and collaborate. The same is true for security organizations: when a breach occurs, especially today, the entire enterprise falls under scrutiny. Stakeholders, both internal and external, demand answers. The increased education and access to information that these audiences have means that almost every aspect of the organization is examined. When a breach occurs, the knowledge that the security organization (or lack thereof) was fragmented and that the disparate teams weren’t communicating can be especially damning. The converse, though, is also true: an integrated risk approach can become an asset in your defense after a breach. Rather than hiding an incomprehensible org chart, you can say that your integrated team was doing everything possible to reduce the risk of a data breach.

Solution
The last piece of your risk reduction needs to come from a solution that augments your team’s ability. The tools your team uses can be seen as a symbol of how your organization views your business unit. In the event of a data breach, everything falls under scrutiny, even the tools you are using. Spreadsheets are a hard sell when you’re trying to convince an angry customer base that you’re taking security seriously. The tools available to security leaders today are too useful and too easy to use for your organization to keep running on spreadsheets. Using tools with a live threat feed and AI-backed risk remediation plans, built around an integrated risk management approach, shows your CEO, your board, and the public that you are doing everything in your power to reduce the risk of a data breach.

It’s When Not If

The powerful combination of culture, people, and technology can significantly reduce your risk of a breach, but it cannot eliminate it. There’s no such thing as a completely secure organization that is still functioning. As security leaders, we cannot allow ourselves to be held to different standards than any other business leader: CFOs will miss revenue projections, COOs will miss unit demand, and CISOs will be present for a breach. It will happen. All business leaders, though, must work to make sure it doesn’t, and so must security leaders. Security leaders have an advantage, though: security, unlike many business functions, is a team sport. By developing the three pillars of a secure organization (culture, organization, and solution), you can both mitigate the risk of a data breach and lessen the blowback when one does occur.
