Keeping your business out of the hands of cyber-attackers is not what most company leaders signed up for. And when you have to juggle both your core work and the job of cybersecurity, something has to give. Here’s why spending more on product after product is not the answer.
Businesses are now investing heavily in cyber technologies. However, skilled resources are limited, which means far too many firms fail to acquire the right solutions and the right knowledge. Yes, you can buy twenty cybersecurity solutions, but you can’t afford to hire an expert for every eventuality and for every security product.
The aviation industry has a reassuring safety record due to the effort that’s gone into keeping their systems, their operations and their planes secure against failure. And all of that can’t be the responsibility of a single pilot or even a small team.
When we take a flight, we’re sitting above thousands of litres of combustible fuel. But few of us worry that we’ll soon be at 30,000 feet with two massive engines below our seats. Instead, we’re thinking: “Can I stretch my legs? Should I have the chicken or beef? Which movie shall I watch?”
The reason we don’t worry that someone forgot to put the fuel cap back on is that we trust someone else has thought of that. The result is that we have around a one in 287 million chance of being killed in an air accident – compared to a one in 19 million chance of being struck and killed by lightning.
Strangely, though, when it comes to cybersecurity in practically any type of business, there’s a dangerous gulf between recognising that the right technology is key and recognising that it won’t work without expertise.
Spending wisely is better than spending more
Three years ago, a financial organisation paid a few million USD for a security product from a leading cybersecurity vendor. The system was installed, but over the next 18 months the company received little value from it. What they did get was a lot of noise and a lot of frustration. This, unfortunately, is not uncommon in the world of software. Indeed, without a decent implementation plan the project was bound to have challenges.
The company’s CISO came to us and said: “This is a white elephant, but we can’t get rid of it”. Because ultimately, yes, they needed to have cyber threat protection – not just to safeguard the business and its clients, but also to comply with FCA regulations.
We’d heard the story before. At Performanta, we’ve worked with many companies who have seen little benefit from their investment in cybersecurity products. Too many organisations throw money at cybersecurity solutions while focusing mainly on the technology and not enough on the people, skills and processes that are required to return value from their investment. Without looking into all of these elements there is no certainty of safety at the end of the process. This is why we talk about the need to be Aware, Secure, Safe.
For the financial client, we looked at what they’d bought, and what they were looking to achieve. We analysed their technology and examined their policies and business engagement. It was fail, fail, fail. The product was not stable. The policies were too wide, too cluttered and missing some critical aspects.
When it came to engagement, some departments were simply blasé, while others were actually abusing the system to monitor activities against company policy.
Our experience and our vantage point from outside the business meant we were able to fix the issues one by one. We reworked the policies to add rather than detract from value; we got departments involved and on board; and we gave the company room to breathe by handling the monitoring and management of the systems, albeit with full visibility.
Now they could get back to their real job of developing the business, helping customers and improving profits, safe in the knowledge that they’d reduced their risk and could be confident that their cybersecurity was at last giving them cyber safety.
I mentioned visibility above. It’s a central part of monitoring the evolving risk and being able to respond swiftly and appropriately. There are two challenges, however. One is the difficulty of getting a clear, timely and integrated view of all the security touchpoints and systems in a complex company. The other is that any written report is going to be quickly out of date.
To help solve this, we built our own internal tooling, which draws on our hard-won experience of integrating reporting from disparate systems. This has since grown into Encore (www.encore.io), a fully-fledged cyber monitoring platform. Encore has helped us overcome these challenges, and it additionally provides real-time intelligence to make our response lightning fast. The platform integrates a company’s whole security portfolio into one simple interface and creates automated security reports.
When Performanta is managing only a part of an organisation’s security environment, it loops us into the whole picture for a vastly improved ability to respond – without the blind spots. For clients, it means instant visibility, insights into regulatory and audit compliance, and the added value that all those technology investments have been lacking.
Ultimately, though, even the best systems and the clearest reports aren’t going to give an organisation strong, resilient, and responsive cyber safety – it still takes people with expertise.
Airlines don’t give their pilots the job of flying the jets and designing the seatbelts. We’re trying to change the mindset across the industries we work with: cybersecurity shouldn’t be an add-on to other roles.
Everyone's talking about missing resources in cybersecurity. I say the gap is in skilled resources. Organisations need to find the professionals who have been through cyber challenges and built up both knowledge and experience – those people are the diamonds who’ll deliver the awareness, security and safety that lets you get back to the real work.