Cybersecurity risk management should be a concern for organizations of all sizes. New threats and data breaches make the news every few days. But as vendors and cybersecurity risk management consulting firms can attest, far too many companies still lag behind when it comes to implementing safeguards. In part, this is due to the fragmented nature of the available products and services on the market. Even with options available to solve cybersecurity challenges, however, businesses may not know where to start.
So many options, so many gaps
Tulin Sevgin, cyber risk management specialist with InConsult, has found it difficult to come up with comprehensive protection for her company’s clients. Like most risk management consultancies, InConsult wasn’t looking to become a technology firm. But it could hardly ignore the pressing need for cybersecurity risk management as part of the total picture. The race was on to find a vendor that could best serve its clients. Sevgin took this search seriously.
“Instead of developing our own product from scratch, I went to the market to see what was out there, what our competitors were doing, and what I could do differently to give us an edge,” Sevgin said.
She discovered that there were plenty of vendors in the space, but most were aiming at solving the same handful of problems.
“There are a lot of companies out there that do penetration testing,” Sevgin said. “But there aren’t that many doing things like vulnerability management, cloud scanning, external APIs and website scanning, and then also scanning the internal environment to see where your weaknesses are.”
Cybersecurity risk management choices
Instead of finding three or four vendors who specialized in these different areas, her goal was to get it all in one place. Eventually, InConsult found a company that did it all and teamed up with them.
The selected vendor provided security across all the following areas:
- Third-party vendors
- Externally facing websites and APIs
- Networks and applications
- Servers and clouds
- Personally Identifiable Information (PII) and sensitive business data
That’s quite a lineup. Of course, not every business needs to pay for every possible type of security. However, there could be an advantage to working with a vendor or consulting firm that understands the full scope of what’s available to help determine the right direction. It all begins with an accurate assessment.
Where to start
Start with a plan. Determine the potential risks, the possible fallout, the budget available to shore up security, and the risk tolerance of the organization. For example, a public utility responsible for critical infrastructure requires a high level of cybersecurity, whereas a local business has much more modest needs.
According to Sevgin, companies don’t have to look far—or even pay anything—to get started. Free resources are readily available.
“For best practice purposes, the NIST framework is good to look at,” Sevgin said. “These are great guidelines, not the kind that you need to implement from beginning to end. You can choose what’s most effective to address your weaknesses in a way that fits your organization.”
The National Institute of Standards and Technology (NIST) espouses the well-known five-function approach to cybersecurity:
- Identify: Understand the business context, resources tied to critical functions, and potential scenarios.
- Protect: Develop and implement safeguards to ensure delivery of critical services, limiting the impact of a potential incident.
- Detect: Ensure the ability to identify cybersecurity events in a timely manner through activities such as continuous monitoring and anomaly detection.
- Respond: Determine what will happen in the event of a detected cybersecurity incident, including appropriate technological, business activity, and PR responses.
- Recover: Put plans in place for resilience and restoration of any capabilities or services impaired by a cybersecurity incident.
NIST recommends mapping the security requirements uncovered by this assessment process with answers already on the market. Interestingly, the institute also recognizes the common difficulty of finding it all in one place. “The objective should be to make the best buying decision among multiple suppliers, given a carefully determined list of cybersecurity requirements. Often, this means some degree of trade-off, comparing multiple products or services with known gaps to the Target Profile.”
Shift attitudes toward cyber risk management
In Sevgin’s experience, there are several misconceptions that hold businesses back from taking adequate steps toward a more secure cyber environment. Companies that have not yet been breached may feel invulnerable.
“They say, ‘Why do we need it? We’re fine, we’ve never been breached,’” Sevgin said. “They see cybersecurity risk management as something complex and technical, like the money spent on it is just going into a black hole. Or they just assume that IT has it all covered.”
But that complacent attitude is beginning to change. Folks from senior management down to the operational level are starting to appreciate cybersecurity.
“When these compliance obligations came in like GDPR, it pushed them to find out what’s going on with their cybersecurity,” Sevgin said. “I think we’ll see a cultural shift in the next year or two causing the business to think about cybersecurity as part of their everyday job rather than just relying on IT to do it.”
An exercise in assessing risk
Sevgin offered key advice for the first cybersecurity exercise companies should go through. It’s an approach that entails exploring the worst-case scenario by putting together a data breach response plan.
“How you deal with a breach is very important because getting it wrong leads to reputation damage internally and externally,” Sevgin said.
So what does the process entail?
“It’s easy to do and doesn’t require a lot of money. Once you start writing that plan — and you can get a template from a consulting company or government website — you see how it fits into your existing business continuity and crisis management plan. It really forces you to think about decisions that need to be made on the spot if there is a data breach. The next step is to do a tabletop exercise to put that plan to the test.”
The data breach response plan determines how you manage the incident, the potential reputation damage, and regulatory compliance. Once businesses start writing a plan, they see how it fits with business continuity as a whole. They may also realize their current precarious risk status and recognize they probably don’t have a handle on all their data.
“They start asking questions,” Sevgin said. “‘What data do we have? How much of it is critical or sensitive?’ That’s the time to do a data mapping project to figure this out and lock it down.”
The greatest obstacle to cybersecurity risk management is still a lack of awareness.
“Stay open-minded and don’t be afraid to educate yourself and ask questions so you can understand,” Sevgin said.
That’s a small price to pay when the risk of doing nothing is so high.