Insane in the Mainframe
Are you getting the feeling that cyber security keeps doing the same old things and hoping they will somehow make the organisation more secure?
There is a quote often attributed to Albert Einstein “Insanity is doing the same thing over and over and expecting different results”. Another saying is “no pain, no gain”. Cyber security may not be insane, and it certainly has an element of pain, but most cyber security programs do tend to apply the same solutions over and over again whilst hoping vainly for larger gains and better results. Updating and publishing security policies is necessary, but a new or updated policy doesn’t necessarily mean security has been improved or security risks reduced.
The motivation for a new approach nearly always arrives only after a breach or incident reveals a previously unknown vulnerability or risk.
Part of the issue is that cyber security is almost always relegated to being a part of IT. Granted, there is a large overlap of skills and resources between IT and cyber security, but being a cog in the IT wheel means that any justification for cyber security improvements must meet IT's requirements. How many times have cyber security professionals or CISOs been told by IT, “Hey, it isn’t broken, so why spend money fixing something that isn’t broken?” Of course, these are the same IT people who pummel cyber security the hardest when an incident or breach occurs.
How many breaches occur because risks were never identified and managed? After a breach, the risks seem obvious and action may be taken to mitigate them, but getting better results requires more than mitigation: it requires an investment in risk management. 3Factor’s whitepaper “Believable Cybersecurity” points out that there is no single version of security, and that a meaningful understanding of risk is essential.
While cyber security does depend on IT tools and processes, an effective and believable cyber security program must have an internal framework for evaluating risk across the enterprise and a program in place to manage those risks. The pushback from IT is that the risk management tools and assessments needed to identify and quantify risks take time and money with no immediate payback.
Cyber security must assess risks across the corporation and identify not only the current risks that need mitigation, but also develop a “risk horizon”: what risks are on the horizon? When might they come into play? What can be done now to mitigate future risks?
3Factor Cyber Strategy & Risk Services can help you to understand your risk landscape using a risk-based framework and develop a risk horizon for your company.