Looking back at 2019 and earlier, it's clear that businesses have struggled to build effective cybersecurity programs. Now that 2020 is here, the days when a couple of security engineers hidden away in a back room could get the job done are gone for many companies. Security threats are evolving at a rate well beyond the scale and capability of many of the most prepared and well-funded organizations. Security teams have been lucky, to some extent, at thwarting most of the attacks most of the time. Luck almost always runs out, and the bad guys are getting smarter and more resourceful. They know you have to be lucky every time, and they only have to be lucky once.
So, how do you go from a reactive state to a proactive, risk-informed security posture?
The answer is straightforward: Hire a security leader with a deep understanding of security risk assessment methodologies who is, at the same time, a skilled communicator who can foster relationships with all enterprise stakeholders. Then align with an industry-recognized cybersecurity framework.
You're probably saying, "We don't have the budget for a dedicated chief information security officer (CISO)." Don't worry: Not everyone does. There is ample opportunity to hire a virtual CISO or utilize vCISO services (something my company offers, but others do as well). Either way, whether you hire or rent-to-own a rock star CISO, successful security programs should always have a strong security leader with an executive presence who understands security risk while simultaneously promoting business objectives.
Just as Benjamin Franklin said, "An ounce of prevention is worth a pound of cure." It's more important than ever to invest in even the most basic security upfront. Don't wait until a data breach occurs to start the journey toward the level of security you need in order to sleep at night. Believe me: It will be a lot easier to explain to investors that you did your due diligence and invested due care upfront.
According to the 2019 “Hiscox Cyber Readiness Report,” "The mean figure for losses associated with all cyber incidents among firms reporting attacks has risen from $229,000 last year to $369,000 -- an increase of 61%." This sounds expensive; in reality, I've found that these numbers are more aligned with what it costs for small- and medium-sized businesses to deal with a breach. If you are middle-market or larger, it probably makes sense to hire a CISO. That said, for less than the low-end cost of a breach, you can generally hire a vCISO to help your organization understand the current state of security, develop a strategy and help make risk-based decisions to lower your exposure.
In 2020, commit to a New Year's resolution of achieving a higher level of cybersecurity readiness. This process should begin with a top-down commitment to drive organizational cybersecurity maturity and improvement.
Here are the top 10 security goals you should set for 2020.
1. Security should be a top business priority. End 2019 with a message from the CEO emphasizing the importance of cybersecurity.
2. Hire a security leader (either full-time or a virtual CISO) who can assess the current state of your business, communicate, partner and implement a business-enabling cybersecurity strategy.
3. Assess, assess and annually reassess security risk. Inventory software and hardware assets. Scan your external and internal attack surface. Perform a business impact analysis. Perform a pentest. Conduct persistent vulnerability assessments.
4. Implement a vendor risk-management program. Understand who your vendors are and what they do with your data.
5. Create a three-year strategy, and align it with your business operations. Security is a guardrail, not a roadblock.
6. Perform an inventory assessment of your security team's skills to identify possible resource gaps or team misalignments. Ask for funding, and reorganize if necessary.
7. Overcommunicate. Set quarter-over-quarter expectations. Communicate your baseline and goals to the board and executive teams -- and, most importantly, to the teams responsible for achieving your goals.
8. Be prepared for an eventual breach. Document and implement incident response plans, and test them.
9. Implement ongoing employee security awareness training. Establish a culture of "see something, say something."
10. Remember that no one is ever completely able to mitigate their risk; that's why I believe it's critical to purchase the right cyber insurance policy. That said, cyber risk insurance in itself is not a strategy.
Tackling this list sounds like a daunting challenge. It's not as tough as it sounds, though. The U.S. government and industry-designed NIST Cybersecurity Framework (CSF) takes most of the guesswork out of what is important and how you can implement protective measures. Another benefit to aligning with an industry-leading framework is that you can quickly pivot and comply with the multitude of U.S. and other government regulatory requirements (including HIPAA, GDPR, PCI DSS and others). I'm not a big advocate of compliance for the sake of compliance, and that's why I believe the CSF provides the basic security standards, guidelines and best practices you need to achieve a "compliant" best-in-class security program.
So, get ready for 2020 and beyond. Kick off the year right with a sound cybersecurity strategy and a company that's in full alignment.
