Cyber Security: State of the Art Advice

Theresa Payton posted Jan 10, 2014 11:42 AM

The last 18 months of headlines are not just a rough patch for organizations regarding cyber-crime. They are a sign of escalating threats and new tactics deployed by cyber-criminals. Need proof? Cyber security as a risk issue moved into the top 3 risk factors faced by businesses on the Lloyd’s of London Risk Index for 2013. That’s quite a jump from its 12th-place standing only 2 years ago.
The first question executives typically ask me is, “How much security is enough security?” The answer is a complex one and should be individualized to your organization’s risk tolerance. Consumers and business professionals alike should focus on the fact that internet security will always be changing. Every new technology that we adopt becomes tomorrow’s attack surface for cyber-criminals. Combatting internet threats requires a comprehensive approach. Some of its components include understanding your data architecture, knowing your vendors, sharing information within your peer group about cyber-crime, developing relationships with law enforcement, implementing tools, updating processes to protect your digital assets, and educating employees, contractors, and suppliers on what you require them to do in order to safeguard your organization.
Based on my time in the banking industry, the White House, and serving our clients, I have some ideas on how to change the conversation, save you time and money, all while improving your security posture. We have to change the security conversation. Instead of a pure tool focus, the emerging best practice for improving your threat posture is a focus on 4 rules:
1. Golden Rule: Security & Privacy First
We can point to plenty of examples where security was built after the system was designed. When you do that, it feels as if a car salesperson handed you a bag of balloons and duct tape and said, “This is your car’s air bag, be safe!” Security and customer privacy must be your golden rule before you build one framework.
2. Security = Revenue
Security should be and can be a revenue generator. How does that happen? By forming a security practice in your company with a framework to formulate ideas and foster innovation.
3. WD40® your technology supply chain
Some of the best and brightest security teams do not realize they have rusty leaks in their supply chain. WD40, or the way to prevent and remove rust, requires an upfit and update of your vendor management program.
4. Recognize that you will be breached eventually: rapid response and recovery is key
All companies need to practice a digital disaster at least once a year. Name your worst digital nightmare and create a scenario-based exercise to test out your rapid response and recovery plan. Make it realistic, time yourself, and grade your performance during the exercise. Be brutally honest with yourself about what is missing in your rapid response plan and work on improving your grade.
We’ll get into more detail when we meet. In the meantime, get your tough questions ready!