Since starting a cyber risk intelligence firm almost two years ago, I’ve had a great opportunity to meet with companies of all shapes and sizes across every industry sector. As far as their cyber defense operations go, I’ve also had a great opportunity to collect data on how industry as a whole is positioned against the cyber threat.
Graphing this data on an imaginary bell curve in my head draws an interesting picture: over 80% of the companies I’ve met with fall into the big fat part of the curve over a label “Immature.”
I’m not using the word “immature” in a negative sense. Instead, it’s simply an apt description arrived at from measuring companies against certain accepted criteria usually associated with well-positioned against the cyber threat. The word could just as easily be used to describe a company’s sales or marketing efforts as well given other relevant criteria that indicate what it means to be well-positioned in those areas too.
Among other things, to be cyber “immature” typically means that your company has:
• No (or nominal) “top level” distinct cyber defense organization (e.g. CSO org or other similar division run by appropriate leadership)
• Few or no professional INFOSEC or other security staff members and management (i.e. Instead they have IT personnel who wear the “other duties as assigned” hat)
• Small or no cybersecurity defense operations (e.g. SOC or NOC)
• No (or nominal) Industry-based governance, compliance and regulation program
• No SIEM, Threat Intelligence or similar data analysis function distinct from IT management
• Small or nominal cyber defense budget
In most cases, the companies I meet with openly label themselves as immature when it comes to cyber defense. In fact, across the market, cyber is only now truly getting noticed as the major “top level” threat to a company’s employees, products, customers, brand and reputation, partners, etc. that it actually represents (and deserves).
Unfortunately, the climb to maturity is steep and you’re fighting against the wind the whole time.
It sounds frustrating and, for sure, gnashing of teeth abounds, but there’s at least one thing businesses can do with relative ease that is a big bootstrap in lessening some of the immaturity impact and helping climb the hill:
Adopt a risk intelligence-driven situational awareness approach to knowing the enemy and yourself.
It may sound squishy given all the buzzwords and hype surrounding cyber/threat intelligence these days, but it’s actually just a way to refer to something that’s pretty straightforward.
Risk intelligence is what you get when you overlay and align data on who you are as a company – your products, employees, software and hardware in use, locations, industry sector, data you store, IT assets and many more things that make you “you” – on top of data on the cyber threats that are out there.
Expressing it as an abstract formula:
Risk Intelligence = (High-Level Threat Intelligence + Context) * Continuous Data Collection/Intuitive KPIs
This may sound obvious and commonsensical, but too often firms that are already struggling to get off the ground when it comes to cyber defense rush to blow their budget and tie-up already-limited human capital on expensive tools and other resources that are largely unused (or inefficiently used) in terms of how they should be implemented appropriately.
In other words, they get started doing all manner of things before knowing if they’re the right things, the most efficient things, the most important and relevant things or not. Cart before the horse. All fur coat and no knickers. All dressed up, nowhere to go. You get the idea.
However, a simple intelligence-based approach to staying on top of threats and how they matrix across your company’s own characteristics pays big (and early) dividends.
In fact, via first-hand experience implementing risk intelligence functions in immature organizations, I can confirm that this kind of approach helps companies:
• Get to know themselves in ways they didn’t before – When you start cataloguing all the things about your business that could be vulnerable in any way to cyber exploit, the benefits are manifold, widespread and transformative.
• Start to perform effective triage and prioritization – One of the hardest things to do in a “cyber immature” organization is to know what to focus limited resources on for the biggest result.
• Make better use of existing cyber solutions and resources – Tools are great as are lots of human assets, but research shows most solutions are grossly under-utilized (or not at all) due to lack of knowing exactly what to use them against.
• Do efficient reporting and info-sharing within the organization – One of the biggest “time-sucks” and wastes of good labor in cyber ops today is untimely, irrelevant, inaccurate, stove-piped data analysis and reporting that’s usually “OBE,” or “Overcome by Events” once it’s delivered.
• Bring security operations more in-line with other top-level business domains – Sales, marketing, finance, HR are all well-tread business areas with proven impacts on success that are easily understood, analyzed and discussed. Simply put, cyber needs to clean up its act before it will get a seat at the table with the big boys of bizopps.
• Create cross-company cyber awareness – When you can accurately and simply assess your situation with simple, powerful and highly-relevant metrics, communicating it becomes easier and more people benefit.
• Form an information basis for governance, compliance and regulation programs – If you’re going to be compliant, you have to have the facts. Over time. Every time. Period.
• Do incident response and, more importantly, pre-response with real impact – If you always know what you – specifically – are most likely to see based on real data trends, game-planning, red teaming and overall strategy and tactics gets, well, more realistic. It’s also really, really useful to know just how bad a problem can ultimately be (lawyers, anyone?).
• Buy, hire and plan for the long haul – A persistent, dedicated risk intelligence function gives the business side of things (you know, the guys who pay for everything?) a reason to believe what you say you need is really needed. And buy it for you.
Cyber defense is just one important part of guaranteeing the success of a business. Just like anything else a business does, it has to develop from a solid foundation in verifiable data into repeatable, measurable processes that mitigate or eliminate risk. With simple risk intelligence, any business can go from nothing to something much, much faster.