We’ve seen tremendous advances in technology over the last 15 years or so, but security continues to struggle as much today as it did a decade ago.
A large part of the problem is that security professionals and their leaders have bought into myths that hamper their ability to move their organizations forward and achieve maturity – the kind of maturity that’s necessary to be able to survive and recover from a cyber attack.
In no particular order, here are the four myths that security organizations need to stop believing and how they should move forward.
Myth #1: Cybersecurity risk can be eliminated
As a security professional, you know this isn’t true, right? Cybersecurity risk cannot be eliminated. It can only be managed. However, judging by the enormous sums of money companies waste attempting to achieve impenetrability, it seems this myth has life in it yet.
The problem is at the top: senior executives and Boards of Directors don’t understand the nature of cybersecurity. They think that if they throw enough money at the problem, it will go away. But we know that’s not the case. Senior executives and Boards of Directors must be educated on the inevitable nature of a cyberattack and on how that risk is managed.
Myth #2: There’s a cybersecurity silver bullet somewhere; we just haven’t found it yet
Nothing will prevent your organization from being the target of a cyberattack. There isn’t a single technology solution, employee training/awareness program, insurance policy, contractual agreement, or anything else that can protect your organization 100% from a cyberattack.
The best you can do is implement a balanced yet strategic risk management program that enables the CEO to stand in front of the executive suite and explain with confidence, “We understand our risk exposure, and we have the ability and financial resources to recover from an event should the inevitable happen.”
Myth #3: The security organization effectively operates as a silo
How much success has your security organization had to date? If it’s operating in a silo, that success is limited. Yes, the security person is primarily responsible for cybersecurity, but he/she can’t do it alone. To be effective, security must be a team sport. This team includes the employees who handle training and awareness, the people who oversee business continuity and operations, the staff who purchase cyber insurance, the lawyers who contract with clients and suppliers and, of course, the C-suite and Board of Directors. These groups need to work together toward the same end; otherwise there will always be gaps in your security posture.
Myth #4: Regulatory compliance = security
It amazes me that organizations continue to use regulatory compliance requirements as the primary framework for their cybersecurity efforts. While newer regulations and frameworks like the NIST Cybersecurity Framework and the New York Department of Financial Services guidelines are risk-based, the vast majority of organizations I speak to aren’t using them appropriately. Organizations need a maturity-based cyber risk management framework with short-, medium-, and long-term benchmarks. The framework should be reviewed and updated quarterly and tested annually.
It can be difficult to explain to the Board the inevitability of a cyberattack, or to align disparate groups to work toward the same objective. But these things must be done if organizations are going to actually improve their security posture and mature their security programs. It’s time security professionals were honest with themselves, and with upper management, and started making real progress toward resiliency.