There is one major cyber security pain point which is common across all industries and verticals. And it boils down to this: there are just too many vendors and solutions to choose from and there are just too many varied and constantly changing threats to deal with. In this environment, how do you cut through the noise and pick out the best combination of tools and solutions to fit your specific business needs?
The number one challenge for CISOs is focus: when everyone is pitching to you, you need to be crystal clear about your intended security strategy. Only then will you want a clear overview of available solutions in order to analyze your options and distinguish between what is useful for your business and what isn’t.
When tasked with setting up your company’s cyber security program, your first step is to assess what needs protecting. There are no silver bullets in cyber security, and the priorities will differ significantly from company to company.
Once you have identified your “crown jewels,” the next step is to reach out to see what technologies and external consultancies are at your disposal. You’ll notice that the problem isn’t that there aren’t any solutions that fit your particular needs, but rather that there are too many of them to choose from. For example, Gartner identifies 22 vendors as the most significant players in the EPP market, and Forrester looks at the top 30 vendors that all provide externally sourced intelligence. If we include the smaller, niche-oriented vendors that didn’t make it to these top-of-the-industry lists, evaluating the solutions that the market has to offer becomes a very costly and resource-draining task.
What happens next is that CISOs are lost: some technologies may even cancel each other out, while others interfere with each other (like an EDR and an AV running on the same endpoint).
The bottom line: cyber security is a very complex equation to solve, with hundreds of variables that include both the varied threats we face and the multitude of solutions to choose from.
The number one challenge for CISOs
If you are a CISO in 2018, the first thing you need to do is to identify and prioritize the most pressing security concerns and threats to your organization based on the business needs and objectives. For example, for an online retailer or a gaming platform, a website or an application crash could easily spell a "game over." Therefore, website security and availability will be the absolute number one priority, outweighing all other concerns. For a train operator, on the other hand, the website isn't a business-critical asset when compared to the routing and operations backend servers, which, if hacked, could cause dozens to lose their lives in a train crash.
With new attacks and breaches reported daily, it is easy to get sidetracked by constantly putting out fires. What is needed is a clear strategy built on a solid foundation that weighs the risks the business faces as well as the controls already in place.
At the same time, while cyber security needs often differ across industries and verticals, one thing is clear: you will need technology. You can no longer do it on your own, and most CISOs will rely on an outsourced vendor who can provide the technology or take on some of the day-to-day security-related tasks.
Although new technology solutions are developed daily, you are nonetheless expected to be up to date with the latest technologies. Selecting the best possible cyber security mix for your company is a challenge indeed. One thing is clear: CISOs need to find and adopt the tools that best fit their business needs. If the business is built on a cloud infrastructure, for example, it is best to prioritize the tools that are built for the cloud, as opposed to legacy security tools that might be well suited for a traditional enterprise that stores all of its business-critical applications on-premises.
How to prioritize
To face today’s cyber threats, a comprehensive approach to cyber security is required: looking at all your digital channels, such as social media, website, sub-domains and vendor risk, and looking within your network and endpoints.
So if you need to cover everything, how do you find your focus? Here are some useful steps to consider:
1. Identify what you need to protect first - then map and discover all the assets associated with what needs to be protected. This is sometimes easier to accomplish by using an external service provider to give you an objective overview. By making an inventory of everything you need to protect in your organization, you can select the technology and vendor mix based on your exact needs.
2. Evaluate how to go about protecting it -
- To do this you need to understand the risks you are exposed to - each business is different, and it is crucial to understand these risks when putting together a cyber security program.
- Identify the most critical points you want to defend and build your strategy from there - obviously, you will ultimately want to protect everything. But first identifying the gaps in your defences (if you have them) will help you prioritize your next steps.
Depending on your evaluation of the previous steps, you will be able to tailor your strategy. It’s important to remember that while budget considerations may put a constraint on the scope of your security program, it is often a secondary concern. Today, acute awareness of the importance of cyber security in boardrooms and among the executives opens up budgets for security needs. In many cases, the deployment and implementation will be a bigger challenge than getting the budget. Make sure that both your program and your strategy take the implementation into account.
4. Focus on Detection
For a skilled threat actor it only takes three days to succeed in a mission. With dwell time in 2017 averaging 99 days, it is clear that detection capabilities should be drastically improved. The current dwell time is 96 days too long for your business.
With digital channels, such as social media, becoming an ever more salient attack vector, detection tools that scan your digital channels and then continue to hunt intruders within your network and on the endpoints are a must. Such tools can give CISOs an upper hand in their ability to detect attacks before they actually penetrate the business environment.
The Bottom Line: Tailor-fitted approach for each CISO
Each company faces business-specific threats and each CISO has specific approaches to cyber security. It is clear that cookie-cutter solutions are no longer relevant. To avoid wasting extensive resources on simply selecting a technology vendor, you need to look beyond the bare-bones technology and look for a vendor that can take on the role of a partner and who fully understands your needs and your business. It is no longer feasible for CISOs to do it alone.