The unfortunate state of where we are with cybersecurity can be attributed to the decisions we’ve made along the way. There are those who look at security in the most basic form and those who treat security as a strategic initiative that enables their business. However, what security entails is very clear.
Cybersecurity has three main goals:
- Confidentiality: Making sure people cannot acquire information they should not (keeping secrets)
- Integrity: Making sure people cannot change information they should not (protecting data)
- Availability: Making sure people cannot stop the computer from doing its job
How leaders and organizations achieve these goals is where paths diverge. Compliance standards lay out what is expected of businesses and what they should do to meet the requirements of the standards. They even qualify specific third-party assessors to evaluate the security activities and outcomes. Full disclosure: TECH LOCK has a strong assessment organization qualified to report on compliance for PCI/QSA and ASV, HITRUST/HIPAA, NIST, SOC 2 Type II, and provisional status for DoD CMMC assessments. However, compliance is not necessarily security.
Security minimalists, those that go just a few degrees beyond meeting compliance requirements, and those who look at security as strategic to their business, place value on very different things.
Debunking the myths of those who minimize security:
“I have coverage with my cybersecurity insurance policy if I get breached.”
This gives a false sense of security: many claims under cybersecurity insurance policies are denied if the actions of an employee, such as clicking on a phishing email, contributed to how the organization was compromised.
“I have cash set aside for emergencies if my organization is hit by a ransomware attack, or I know I have good backups to recover from a ransomware attack.”
Extortion levels among ransomware families are rising, and a business should always assume that its data has been exfiltrated. Paying the ransom does not mean that the attacker, or another ransomware family, will not try again. Not paying the ransom can lead to the data being leaked publicly in order to escalate the situation and put pressure on stakeholders. It is not unheard of for ransomware actors to cold-call employees, board members, and critical industry leaders as part of their tactics to extend the pressure of their campaign.
“I have up-to-date endpoint security and firewalls in place to protect against cyberattacks.”
With more people working from home during the pandemic and no longer behind the traditional office perimeter, the attack surface of an organization has increased exponentially. Business applications moving to the cloud add another layer of complexity and another vector for compromise. 40 percent of security breaches are now indirect, as threat actors target the weak links in the supply chain or business ecosystem.
The movement from believing that being compliant was good enough for security to taking a strategic approach is really about maturity. For example, the HITRUST certification guidelines and standards are pushing in this direction with the measurement of quality in the execution, operation, and monitoring of security controls.
But the best signal that a company is looking at security through a strategic lens is when they strive to enhance their organization by assessing how they are achieving security against “best” practices. Not driven by compliance or looking for agreement that they are meeting reasonable security practices, these organizations strive to optimize and identify where they can do better.
One recent TECH LOCK customer wanted to measure how they were doing as compared to “best” security practices. This type of engagement looks at the following:
- A review across the 32 domains of cybersecurity
  - This includes reviews of policies, processes, and procedures to help identify root causes and gaps between written and actual day-to-day security operations
- An evaluation of the effectiveness of each security control implemented
  - Scoring and credit are only given for fully implemented controls
  - Interview-driven engagement to assess process controls
- A determination of how each area/domain operates as part of the business
  - Discussions reveal the depth of understanding, the practical implementation, and the agility within security operations
- An understanding of what is critical to the organization
  - Assess how cybersecurity and risk management are viewed and managed by leadership
  - Identify areas of responsibility and where shared security collaboration is needed
Unlike other assessments where there are formalities in engaging with the customer outlined by the particular compliance standard, this one allows more focus on how to help organizations make cultural changes, shift perceptions, and achieve more effective outcomes. While security is all-encompassing, the goal is to simplify security decisions and leverage current investments as much as possible.
Our advice and findings come from our team of assessors and security experts, who bring a security practitioner’s viewpoint that goes beyond that of a career auditor with a compliance background. Strategic security assessments against “best practices” are a trend we hope continues into 2021, because they will help organizations be more resilient against what may lie ahead.
If you are interested in learning more about strategic security and how to measure your organization against “best practices”, contact us at firstname.lastname@example.org.