Cybersecurity risk management doesn’t need to be all or nothing

Cybersecurity should be a concern for organizations of all sizes, with fresh threats and data breaches making the news every few days. But as cybersecurity solution vendors and risk management consulting firms can attest, far too many companies still lag behind on implementing safeguards. In part, this is due to the fragmented nature of products and services available in the market. However, even with options available to solve cybersecurity challenges, businesses may not know where to start.

So many options, so many gaps

Tulin Sevgin, Cyber Risk Management Specialist with InConsult, spoke about the difficulty of finding a comprehensive solution for her company’s clients. Like most risk management consultancies, InConsult wasn’t looking to become a technology firm. But it could hardly ignore the pressing need for cybersecurity as part of the total risk management picture. The race was on to find a vendor that could best serve its clients. Sevgin took this search seriously. “Instead of developing our own product from scratch, I went to the market to see what was out there, what our competitors were doing, and what I could do differently to give us an edge.”

She discovered that there were plenty of vendors in the space offering advanced solutions, but most were aiming at solving the same handful of problems. For example, “There are a lot of companies out there that do penetration testing. But there aren’t that many doing things like vulnerability management, cloud scanning, external APIs and website scanning, and then also scanning the internal environment to see where your weaknesses are.”

The search for one-stop cybersecurity shopping

Instead of finding three or four vendors who specialized in these different areas, her goal was get it all in one place. “After a lot of research, we found one company doing it quite well and teamed up with them.” The selected vendor provided security solutions across all the following areas:

• Third-party vendors
• Externally-facing websites and APIs
• Networks and applications
• Servers and clouds
• Personally Identifiable Information (PII) and sensitive business data

That’s quite a lineup. Of course, not every business needs to pay for every possible type of security. However, there could be an advantage to working with a vendor or consulting firm that understands the full scope of what’s available to help determine the right direction. It all begins with an accurate assessment.

Where to start in the process

Planning involves determining the potential risks, the possible fallout, the budget available to shore up security, and the risk tolerance of the organization. For example, a public utility responsible for critical infrastructure requires a high level of cybersecurity, whereas a local business has much more modest needs.

According to Tulin, companies don’t have to look far—or even pay anything—to get started. Free resources are readily available. “For best practice purposes, the NIST framework is good to look at. These are great guidelines, not the kind that you need to implement from beginning to end. You can choose what’s most effective to address your weaknesses in a way that fits your organization.”

The National Institute of Standards and Technology (NIST) espouses the well-known five-factor approach to cybersecurity:

1. Identify: Understand the business context, resources tied to critical functions, and potential scenarios.
2. Protect: Develop and implement safeguards to ensure delivery of critical services, limiting the impact of a potential incident.
3. Detect: Ensure the ability to identify cybersecurity events in a timely manner through activities such as continuous monitoring and anomaly detection.
4. Respond: Determine what will happen in the event of a detected cybersecurity incident, including appropriate technological, business activity, and PR responses
5. Recover: Put plans in place for resilience and restoration of any capabilities or services impaired by a cybersecurity incident.

NIST recommends mapping the security requirements uncovered by this assessment process with the available solutions on the market. Interestingly, the institute also recognizes the common difficulty of finding it all in one place. “The objective should be to make the best buying decision among multiple suppliers, given a carefully determined list of cybersecurity requirements. Often, this means some degree of trade-off, comparing multiple products or services with known gaps to the Target Profile.”

Shifting attitudes toward cyber risk management

In Sevgin’s experience, there are several misconceptions that hold businesses back from taking adequate steps toward a more secure cyber environment. Companies that have not yet been breached may feel invulnerable. “They say, ‘Why do we need it? We’re fine, we’ve never been breached.’ They see cybersecurity as something complex and technical, like the money spent on it is just going into a black hole. Or they just assume that IT has it all covered.”

But that complacent attitude is beginning to change, bringing awareness from senior management down to the operational level. “When these compliance obligations came in like GDPR, it pushed them to find out what’s going on with their cybersecurity. I think we’ll see a cultural shift in the next year or two causing the business to think about cybersecurity as part of their everyday job rather than just relying on IT to do it.”

An exercise in assessing risk

Tulin offered key advice for the first cybersecurity exercise companies should go through. It’s an approach that entails exploring the worst-case scenario by putting together a data-breach response plan. “How you deal with a breach is very important because getting it wrong leads to reputation damage internally and externally. Then, you’ve got the legal part of it.”

What does the process entail? “It’s easy to do and doesn’t require a lot of money. Once you start writing that plan (and you can get a template from a consulting company or government website), you see how it fits into your existing business continuity and crisis management plan. It really forces you to think about decisions that need to be made on the spot if there is a data breach. The next step is to do a tabletop exercise to put that plan to the test.”

The data-breach response plan determines how the incident is managed, the potential reputation damage, and regulatory compliance. Once businesses start writing a plan, they see how it fits with business continuity as a whole. They may also realize their current precarious risk status and recognize they probably don’t have a handle on all their data. “They start asking questions. ‘What data do we have? How much of it is critical or sensitive?’ That’s the time to do a data-mapping project to figure this out and lock it down.”

Lack of awareness and understanding are still the greatest obstacles to managing cyber security risk effectively. Sevgin closed with this advice for businesses that want to play it safe. “Stay open-minded and don’t be afraid to educate yourself and ask questions so you can understand.” That’s a small price to pay when the risk of doing nothing is so high.