We live in a culture that is far more focused on procuring new goods than on improving existing investments. People are more inclined to buy a new shirt online than to take a good one to the tailor.
My field of cybersecurity is no different. According to the IT analysis firm Gartner, spending on IT security and risk management increased by 6.4 percent in 2020, and the growth rate is expected to double by the end of this year to 12.4 percent. Why? With cyberattacks on the rise, the assumption is that there must be a need for more technology. In some cases, that’s true. The SolarWinds intrusion of December 2020 revealed holes in U.S. government agencies and private organizations’ cybersecurity posture. But even with more technology, leaders lack granular performance data to make informed decisions about the overall state of their security program.
It’s time for executives to take a step back and recall the practices that underpin successful security planning. Just as in the days of old, to defend yourself today you need to assume the adversary will break past the city gates to steal the crown jewels, you need to analyze your defense capabilities and invest or divest where required, and then test your security controls constantly (your people, your processes, and your technologies) to ensure readiness.
A CEO’s new mantra should be: More isn’t better. Better is better. And the way to get to better is through continuous testing,
How can CEOs confidently assess their cybersecurity risk?
Consider this analogy. Imagine you build a naval strike group and then leave it in port for a year assuming it will be ready to defeat the enemy when required. What would happen? It would rust and the adversary would sink your destroyers in the blink of an eye.
The same is true for your cybersecurity. If you don’t exercise your security controls constantly against the threats that matter most, your security controls will fail. Unlike a ship at sea that sinks when defeated, however, your security controls will fail silently. There’s no “you sunk my battleship” alarm that goes off when your cybersecurity capabilities fail. Instead, you read about it in the press when your data has been leaked, altered, or destroyed.
How have teams approached this security control failure problem in the past? Through ineffective and periodic manual testing. Annual or semi-annual penetration tests of your network defenses are costly, resource-intensive, and the data is bound by a single moment in time.
What’s the path out of this problem? For those that watch the industry, both Forrester and Gartner predict that automation will be a key trend for 2022 and beyond. By automating your security control validation in a continuous process, you can find and close gaps before the adversary tests your defenses in real life. That helps you identify where and how your security controls may be faltering.
Continuous testing also reveals readiness issues beyond technology, what some call the “human performance factors” of cybersecurity management. Continuous testing reveals when a security control fails to detect and prevent simulated intrusions. In one instance following a regular test, a customer of ours learned that a security team member had left her job, and because the person had left, a third-party security contract remained unsigned. The organization’s security readiness was degraded, yes, but the bigger question was: why did the team member leave in the first place? Only through an investigation–tipped by continuous testing–did our customer learn that security salaries were too low, and the company faced an attrition problem on the security team. Their next call was to the head of human resources.
This is one of the many real, strategic benefits of automated security testing. By emulating the adversary with specificity and realism, you can better identify your team’s challenges and develop appropriate solutions. Sometimes the problem is about personnel. Sometimes it’s about technology: in the case of SolarWinds, if U.S. government agencies had run an adversary emulation in advance of the attack, focusing on the time-honored tradition of lateral movement, they would have known they needed a zero trust architecture to stop intruders from marching through their data centers.
How Can a CEO Take Control of Risk?
So how should CEOs prepare for risk? Let’s consider another analogy. Wearable devices like a FitBit or an Apple Watch help you understand your blood oxygen level and resting heart rate, vital indicators of your overall health. Using these devices helps save lives by measuring performance and nudging people to the doctor in advance of an incident. The best way to take control of risk—in health or cybersecurity—is through a proactive, data-driven strategy. Do you want to wait for a heart attack to make changes? Of course not. So why wait for a breach to know if your defenses work?
In cybersecurity, we call this a “threat-informed defense” strategy. When you operate with a threat-informed defense, you focus first on your performance against known threat — like the cybercrime group FIN6, or, in the case of SolarWinds, the Russian intelligence service — and the tactics and techniques they use to target your sector.
After a decade of investment in cybersecurity, business leaders need a way to measure their cybersecurity readiness. With an automated security control validation platform underpinned by the MITRE ATT&CK® framework, risk and security teams, compliance and auditing teams, board members, and executives can gain a clear picture of their performance.
That’s how you use data to get control of risk — and make the most of your investments.
Written by Brett Galloway.
Track Latest News Live on CEOWORLD magazine
and get news updates from the United States and around the world.
The views expressed are those of the author and are not necessarily those of the CEOWORLD magazine.
Follow CEOWORLD magazine
on Twitter and
Facebook. For media queries, please contact: