Cybersecurity should not be viewed as a goal in itself but rather as something directly connected to business needs. Too many security organisations are missing the mark, said Dave Maasland, CEO of ESET Netherlands.
Information Security and Cyber Security conferences are often flooded with relatively “new” developments such as next-gen, IoT (Internet of Things), IoT distributed denial of service (DDoS), Security Intelligence Platform, and so forth. “The fact that some of these terms have become ‘hype’ is not in itself a problem,” Maasland said, but it makes one wonder whether the security world may be looking at things in the wrong way and thereby missing the demands that need to be addressed.
Maasland, in collaboration with LeaseWeb’s IT security manager, Fred Streefland, offers five basic cybersecurity lessons for businesses.
Lesson 1: Start with the business (and its risks)
Security can be exceptionally complex but it is essentially nothing more than reducing or taking away risks, and making them visible so that the business can accept them and continue doing its work. To do this as effectively and efficiently as possible, security people should understand the business and have a broader perspective instead of seeing it solely from an IT perspective.
They first have to identify, map, and categorise the risks of the specific business. Second, they need to determine, together with the business itself, which risks need to be dealt with and in which order. When that is done, the person within the company in charge of security has to set up a security plan that describes how these changes are to be executed. It has to have clear goals and deadlines. Ideally, this should be done in a “smart” way, one step at a time, so as not to take on too many projects at once.
Lesson 2: Determine a security roadmap with a clear goal, step by step
Defining the security approach or roadmap is essential and should be discussed with the business on an ongoing basis to make adjustments where and when necessary. The projects that are defined in the roadmap should all contribute towards reducing risks and achieving the end goal.
It is important not to lose sight of the business goals because security measures should not restrict or obstruct the business. It’s not rocket science and should not be treated as such. The plan should be something that everyone, even without IT skills, can understand. Of course, IT plays a role, but only at the last moment when IT solutions are needed for the execution of the security projects.
Lesson 3: Cover the basics before implementing more advanced security solutions
Most organisations do not even have basic security measures in place, let alone advanced solutions. Security company presentations on these technologies often look stunning and offer interesting content, but they are simply too advanced for most companies. Furthermore, experience shows that most hacks (about 90%) still use the simplest methods and weaknesses: phishing emails, malware attachments, and so forth. And, of course, there is the weakest link of all: the human being.
Companies need to create basic security solutions for these simple risks first before turning their attention to more advanced technologies. Of course, these are important as well and should be implemented in the future, but only after the basics are fortified. Security congresses often focus on sophisticated threats and advanced persistent threats (APTs), but companies such as TalkTalk and Ashley Madison might still have been protected from attack if even basic security had been in place.
Lesson 4: Build the right partnerships; cooperation between IT Security professionals is essential
Malicious groups and individuals are using more varied and advanced attacks and tactics. Eventually, more advanced security solutions will become inseparable from our organisations’ broader security roadmaps. However, the foundation must be in place before the “house” can be built. To build this house, cooperation is needed between the architect, realtor, mason, plasterer and, of course, the homeowner.
This sense of building something together step by step is exactly what is needed in the security world. There is a need for intensive cooperation because there is no single owner or architect who is also the best in masonry, painting, or construction. No single security company has the best solution for each and every security risk, so working together is a must. Those who would cause the company harm are already doing this, so it is time security professionals do the same.
First, start with the owner (the business) and the foundation (the roadmap), and then forge relationships with the right contractors (security vendors). Only then can a strong, reliable, and safe house be built.
Lesson 5: Get everyone involved, it’s the only road to success
To make progress between security and the business, there has to be understanding and support from the business – and vice versa. Those responsible for security must be able to provide short and clear explanations in order to get participation from all the company’s different stakeholders. Otherwise, the business (and the board) will never understand, and there won’t be the necessary buy-in and support to implement your plans (no matter how good they may be). As Einstein once said, “if you can’t explain it simply, you don’t understand it well enough!”