The Future of Cybersecurity Program Management
Digital Transformation – Friend or Foe?
Digital transformation and the adoption of advanced technology sit at the core of business innovation. In today's world of rapidly changing product requirements and increasing customer demand, a company's ability to maintain a competitive advantage is driven by its ability to innovate. However, as new technologies are introduced and more data is collected for analysis, identifying and addressing cyber risks becomes more complex for security professionals.
According to IBM's 2021 Data Breach Report, data breach costs are the highest they've been in the report's 17-year history. The average total cost reached $4.24 million in 2021, a 10% increase from the reported $3.86 million in 2020. Key influencers noted in the report are lack of innovation (i.e., security artificial intelligence and automation), migration to the cloud, and the remote workforce. Also of note, healthcare remains the industry with the highest average security breach cost for the eleventh consecutive year.
Consider a mid-sized visiting nurse association with just under 1,000 employees. The cost of a breach for an organization of this type is amplified based on industry, remote workforce, and an assumed lack of security program maturity and innovation. The impact of a breach is not only limited to financial loss, however. A recent article by The AME Group suggests that a security breach can also lead to brand and reputational damage and loss of intellectual property. In the healthcare industry, security breaches can also lead to loss of life. In September 2020, a German hospital reported the first ransomware-related death after a woman in need of emergency treatment was turned away after the attack crippled the hospital's entire network.
A practical approach to cybersecurity program management is a critical component of corporate sustainability, specifically adhering to regulatory compliance requirements and protecting patient data and life. It is essential to take a holistic approach to protect the organization's critical assets, considering people, processes, and technology, rather than focusing on technology alone.
People – A Three-Pronged Approach
Users are associated with a significant portion of organizations' risk. The Verizon 2021 Data Breach Investigations Report identifies users (or insiders) as the root cause of roughly 22% of data breaches – a 47% spike in insider threat-related incidents since 2018 [2]. The report also highlighted healthcare and finance as the two industries most impacted by employees' misuse of access privileges and lost/stolen assets.
Since insider threat can take the form of both malicious and negligent (or unintentional) activity, security teams should follow an approach that combines prevention (security awareness training, following the principle of least privilege, identity and access management tools, etc.), detection (monitoring for anomalous behavior), and response (data loss prevention tools, account lockout policies) to reduce the risks associated with insider threat.
Process – Begin with the End in Mind
Security teams and business leaders should work together to establish a framework for monitoring, measuring, and improving the overall effectiveness of the organization's cybersecurity program. BitSight describes cybersecurity frameworks as a means for security leaders to communicate in a common language, leveraging a common set of standards to assess the security posture of their organizations and partner organizations. There are three types of cybersecurity frameworks: (1) control frameworks, which guide the selection and monitoring of technical controls (e.g., the CIS Controls), (2) program frameworks, which assist organizations with overall cybersecurity program management (e.g., the NIST Cybersecurity Framework), and (3) risk frameworks, which specifically apply to managing organizational cyber risk.
When developing a cybersecurity framework, arguably the most important elements to consider are the company's desired security program outcomes. These outcomes should heavily influence decisions regarding the approach to monitoring and measuring the program's effectiveness. Common methods include (1) compliance-based – adhering to a defined set of regulatory requirements (e.g., HIPAA), (2) maturity-based – continuously building and improving security capabilities to achieve a desired level of maturity, and (3) risk-based – focusing on the reduction of risk over time. The following chart provides a comparison of the three approaches:
The comparison highlights the importance of beginning with the end in mind. For example, an organization is not necessarily reducing the most critical risk in its environment simply by maturing its program capabilities. Similarly, implementing solutions to mitigate critical cyber risks will not automatically lead to meeting compliance requirements. All three approaches play a significant role in developing an effective cybersecurity program. However, security leaders must ensure their teams are aligned on prioritized initiatives, metrics, and processes.
Technology – Less is More
Securing the enterprise becomes increasingly difficult as companies continue to improve their innovation capabilities by introducing new processes and technologies to the business. A vicious cycle exists in the cybersecurity industry: a new threat leads to a new tool in the security toolkit. While technology, in general, can definitely help solve cybersecurity challenges, too much technology can have the opposite effect. Dr. Mike Lloyd, CTO of RedSeal (a cloud security solution provider), published an article identifying tool sprawl as "the cybersecurity challenge of 2021".
A TechRadar article by Stan Wisseman defines tool sprawl as the result of organizations repeatedly leveraging one-off specialized solutions to address evolving security concerns. According to the Enterprise Strategy Group (ESG), companies deploy an average of 25 to 49 security tools across as many as ten vendors. Ironically, 451 Research reported that 40% of companies could only respond to roughly 75% of their alerts, which leads to ineffective cybersecurity programs ("decreased productivity, inefficient workflows, and higher overall cost").
Selecting the appropriate tools for securing the enterprise can be challenging. Businesses can follow these four steps to prevent tool sprawl and drive operational efficiency: (1) evaluate existing tools to assess utilization and ROI, (2) fully leverage existing tools before implementing new tools, (3) maximize the value of security tools through integration and consolidation, and (4) leverage a shared service model that offers security services.
The cybersecurity threat landscape is ever-evolving. As organizations continue to increase their innovation capabilities, whether upgrading medical technologies or implementing new systems for managing patient records, their attack surfaces will continue to grow. Ultimately, security leaders should regularly assess the effectiveness of their cybersecurity programs based on the needs of the business and how those needs are positively or negatively impacted by the people, processes, and technologies that identify, assess, and protect critical assets.
1. Cisternalli, E. (2020). 7 cybersecurity frameworks that help reduce cyber risk. BitSight. https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk
2. Georgiadou, A., Mouzakitis, S., & Askounis, D. (2021). Detecting insider threat via a cyber-security culture framework. Journal of Computer Information Systems, 1–11. https://doi.org/10.1080/08874417.2021.1903367
3. Lloyd, M. (2020). Tool sprawl – the cybersecurity challenge of 2021. Information Security Solutions Review. https://solutionsreview.com/security-information-event-management/tool-sprawl-the-cybersecurity-challenge-of-2021-by-mike-lloyd-of-redseal/
4. IBM Security. (2021). Cost of a data breach report 2021. IBM Corporation. https://www.ibm.com/downloads/cas/OJDVQGRY
5. Prey Project. (n.d.). Cybersecurity frameworks 101 – the complete guide. The Missing Report. https://preyproject.com/blog/en/cybersecurity-frameworks-101/
6. Ralston, W. (2020). The untold story of a cyberattack, a hospital, and a dying woman. Wired. https://www.wired.co.uk/article/ransomware-hospital-death-germany
7. The AME Group. (n.d.). Data security breach: 5 consequences for your business. https://www.theamegroup.com/security-breach/
8. Verizon. (2021). 2021 data breach investigations report. Verizon. https://enterprise.verizon.com/resources/reports/2021/2021-data-breach-investigations-report.pdf
9. Wisseman, S. (2020). Why getting security tool sprawl under control is essential. TechRadar. https://www.techradar.com/news/why-getting-security-tool-sprawl-under-control-is-essential