Were you unable to attend Transform 2022? Check out all the summits in our on-demand library now! Look here.
The problem is not that there are problems. The problem is expecting otherwise and thinking that having problems is a problem.
Theodore Isaac Rubin, American psychiatrist
We have a cybersecurity problem, but it’s not the one we think we have. The problem lies in how we think about cyber security issues. Too many of us are stuck in a reactive loop, looking for silver bullet solutions, when we need to change how we look at cybersecurity issues instead.
For CISOs in companies around the world, across all industries, the struggle is real. There is an incident, and the organization reacts. Too often, the answer will be to buy a new software product that is ultimately destined to fail, and start the reactive cycle all over again.
The problem with this approach is that it precludes the ability to be proactive rather than reactive, and given the increasing stakes, we really need a holistic approach. In the United States, the average cost of a data breach now exceeds $4 million, and that may not include downstream costs, such as higher cyber insurance rates and the hit to earnings the company may experience due to reputational damage.
We need a new approach, and experiences from a generation ago can point us in the right direction. At the time, cybersecurity experts were creating disaster recovery and business continuity plans, calculating downtime and its disruptive effects to justify investment in a holistic approach. We can do it again, but it will require less focus on tools and more clarity of purpose.
MetaBeat will bring together thought leaders to provide guidance on how metaverse technology will transform the way all industries communicate and do business on October 4th in San Francisco, CA.
Clear as mud: Market complexity and different cyber security needs
One obstacle to clarity is the increasing volume and sophistication of threats and the corresponding proliferation of tools to counter those threats. Rapid growth of cybersecurity solutions was already a trend before the pandemic, but work-from-home protocols significantly expanded the attack surface, leading to a renewed focus on security and even more new players in the solutions market.
The availability of new tools is not the problem – many of the cybersecurity solutions on the market today are excellent and much needed. But expanding an already crowded marketplace, along with proliferating threats and evolving attack surfaces, makes it even more challenging for CISOs to know which path to take.
Further complicating matters is the fact that every organization has unique cybersecurity needs. They have different assets to protect, and the ideal schema varies significantly across organizations according to size, infrastructure (cloud vs. on-premise, etc.), workforce distribution, region, and other factors. Gaining clarity requires a shift in mindset.
Gain clarity by focusing on results instead of tools
CISOs stuck in a reactive loop can begin to break out of that pattern by focusing on results instead of tools. The quote from Theodore Isaac Rubin at the top of this article is instructive here; the problem cannot be solved by replacing a failed tool, but depending on the circumstances it may be necessary.
The problem is the attitude towards the bigger problem, i.e. the delusion that we can solve our cyber security problems by finding the right product. The problem is being surprised when it doesn’t work, repeatedly.
Instead, it’s time to focus on the desired outcome—one that is unique to each organization depending on the threat landscape—and seek solutions across people, processes, and technologies to reach that desired state. It cannot be about software and platforms. If the pandemic years have taught us anything, it is that people and processes must also be part of the solution.
The business case for a new approach
A focus on results and a plan that encompasses people, processes and technologies is a modern strategy that borrows a page from the disaster recovery and business continuity plans of the past in that it is comprehensive. It accounts for the revenue hit associated with cyber security exposure and justifies investment in a new approach to avoid those costs – it’s part of the business case.
Another argument for change is that it is necessary to address the speed at which threat vectors are growing and asset protection must evolve today. At too many companies, the current cybersecurity posture is analogous to the way operating systems used to be updated on a regular basis, versus the live updates we depend on now. Everything is faster now, so waiting for a new release is not acceptable.
A new approach will require broader input to formulate an adequate response because the threats are more diffuse than ever. CISOs need internal input from employees and managers in the business units. They need information from the FBI and cybersecurity thought leaders. Many will require a partnership to guide the organization through this journey and enable the company to focus on its core business.
Finding the right cyber security solution
Identifying the right cybersecurity solution starts with defining critical business assets and a desired outcome. For CISOs who decide to partner with an expert to help them succeed on this journey, it’s a good idea to find a team that isn’t trying to sell a particular tool. It is also important to consult with experts who understand that solving the cyber security problem will involve people, processes and technologies.
People will always be the front line of defence, so building a security-oriented culture and matching processes will be critical. A partner who understands the crucial role people play is therefore essential. It’s also a good idea to require proof points from potential partners, such as access to a customer who has worked with the team through a breach.
Our cybersecurity problem is not what we think it is. The real problem is a failure to accept that there are no magic bullets and that only a holistic approach that addresses the true scope of the threat – and all facets of the attack surface – is equal to the challenge. CISOs who accept this can break free from the reactive loop and proactively reduce organizational risk.
Peter Trinh is an SME in cybersecurity at TBI Inc.
Data Decision Makers
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people involved in data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices and the future of data and data technology, join us at DataDecisionMakers.
You may even consider contributing an article of your own!
Read more from DataDecisionMakers