By Steve Schlarman, Director of Product Marketing/Portfolio Strategist, RSA
Large data breaches in the news serve as unfortunate reminders that today’s organizations, regardless of size, industry or geographical location, must be constantly vigilant. Moreover, they remind us that security risks and overall business risk are increasingly inseparable and must be addressed together.
The combination of data compromise and ransomware can deal a crushing blow to any organization; worse, it can also affect others, as in the recent case of a health care company with digital ties to large health plans and hospital systems. As companies progress in their digital transformation, leveraging technology more and more in the pursuit of competitive advantage and business growth, data breaches present a clear and present danger.
The collateral damage of breaches today goes well beyond the headlines. Breach containment is just the starting point for a long journey. After the initial shock of the incident, questions quickly arise around what’s next. Organizational processes may need to change. Technology architectures will be inspected and tools evaluated. The associated costs will almost certainly have a long tail. These incidents may endanger future investments, erode employee morale, halt progress toward strategic objectives and inflict reputational damage. The immediate reaction to a technical threat is often to look to more technology-driven prevention mechanisms. But this response must be tempered.
Security teams need to view technology more broadly to understand risk variables across the entire digital ecosystem–the networks, transactions, applications, identities and user behavior across cloud, hybrid or virtual environments. The same technologies needed to compete in business–cloud applications, virtual infrastructure, mobile devices–provide attackers with more vulnerabilities to exploit and more ways to evade detection. Additionally, attackers have more resources than ever for surveilling an organization’s infrastructure and launching attacks, while security teams struggle with talent shortages and an ever-expanding list of alerts. Security operations must evolve to bring a combination of technology approaches to bear on threat detection and response, including advanced security information and event management (SEIM), user and entity behavior analytics (UEBA), and risk-based authentication.
This comprehensive technical strategy must be balanced with efforts to further adjacent capabilities. A major challenge many organizations face with their current cyber risk management mechanisms is the flood of data coming from various sources as “defense in depth” strategies layer tool upon tool. For security teams drowning in data, information is plentiful. It is knowledge that is missing. One popular definition of knowledge is that it is information in action. Layers of technology alone cannot address increased cyber risk; rather, technology protections must align with security processes. Otherwise, security teams will struggle to prioritize issues, form a complete picture of cyber risk and make informed decisions about the controls needed to protect against today’s security threats.
In addition to enhancing technology controls, it is critical to address a broader set of competencies that recognize threats and prepare organizations for the inevitable breach.
Connect cybersecurity and business risks in the context of the broader risk management strategy. Security processes and data must connect with risk and compliance functions across the enterprise. The IT and security risk functions can then consider the relationship between business risk and IT risk in terms of business criticality. This makes it possible to establish ownership and accountability, and to connect IT and security risk to broader risk management programs.
Address IT and security risk management through multiple dimensions. To effectively manage IT and security risk, security programs must be organized in a way that addresses the full spectrum of IT security risks. The IT and security risk program must undertake risk management in multiple contexts—from policies, standards and compliance to threats, vulnerabilities and attacks.
Bridge business context and process enablement. Managing IT and security risk today involves much more than just data speeds and feeds. IT risk must be understood in business terms because technology issues could put the entire organization at serious risk. When IT and the business are aligned, the IT and security risk management program better facilitates all the actions required to keep the business secure.
Today’s organizations are part of an intricate tapestry of products and services, processes, technologies, third parties, employees, locations and more. This complex and changing ecosystem makes it increasingly difficult to clearly see risk and maintain resiliency in the face of disruption, whether the disruption comes in the form of a major natural event, a reputational crisis or a cyber attack. Organizations must rise to the challenge of establishing what is most critical to the business and ensure its resiliency, especially in light of ever-changing business strategies and priorities.
