Don't just invest in technology, make sure you have the right processes and communication in place
The risk of information leaking out of a company, through carelessness or callousness, has become front page news and one of the issues that auditors and enterprise risk managers worry about the most.
As a result, the amount firms spend on information security has risen again this year, according to PGT data. But, as with many other examples of increased corporate spending, tracking the returns on all that investment is much trickier. A lot of companies are sinking money into advanced detection technology and creating new roles to track down whole new groups of hackers and sometimes even spies.
The evidence so far suggests that cybersecurity investments which focus principally on “more tools,” no matter how sophisticated, aren’t going to have the impact promised to the board, CIO, chief risk officer, or business leaders.
Irrespective of whether your firm’s security budget is growing or not, information risk teams should ask five questions of each other to ensure that “cyber security” investments aren't simply a way to pass your revenue on to technology vendors.
1. Are we investing enough in security controls hygiene? Data from Verizon’s 2015 Data Breach Investigations Report indicates that 99.9% of successful breaches of companies’ defences in 2014 (“exploits”, to use the technical term) came via a vulnerability in the firm’s security that was over a year old.
Verizon’s data might not be perfect, but it is hard to deny that security controls hygiene is both important and challenging. Leading cyber security programs have metrics and incentives that encourage non-information-security teams to take the right action and be accountable for keeping all employees aware of their role in maintaining security.
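The Verizon figure above is about vulnerability age, so the natural hygiene metric is the share of open findings older than a year, broken down by the team that owns the affected systems. The Python below is an added example, not taken from the article or from any vendor report; the findings export, dates, team names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: an open-findings export as a team might pull from a
# vulnerability scanner. Hosts, teams and dates are made up for this example.
# "fixed" is None while the finding is still open.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "team": "web",   "severity": "high",   "first_seen": date(2014, 1, 10), "fixed": None},
    {"id": "F-2", "host": "web-02", "team": "web",   "severity": "medium", "first_seen": date(2015, 3, 2),  "fixed": None},
    {"id": "F-3", "host": "db-01",  "team": "data",  "severity": "high",   "first_seen": date(2013, 11, 5), "fixed": None},
    {"id": "F-4", "host": "db-01",  "team": "data",  "severity": "low",    "first_seen": date(2015, 5, 20), "fixed": date(2015, 5, 28)},
    {"id": "F-5", "host": "hr-app", "team": "hr-it", "severity": "high",   "first_seen": date(2014, 6, 1),  "fixed": None},
]

# Reporting date for the scorecard (constructed).
AS_OF = date(2015, 7, 1)

# Findings older than this many days count as "stale", mirroring the
# over-a-year-old vulnerabilities the Verizon statistic refers to.
STALE_AFTER_DAYS = 365


def age_days(finding, as_of=AS_OF):
    """Days the finding has been known about, as of the reporting date."""
    return (as_of - finding["first_seen"]).days


def stale_share(findings, as_of=AS_OF, threshold_days=STALE_AFTER_DAYS):
    """Fraction of still-open findings older than the threshold (0.0 if nothing is open)."""
    open_findings = [f for f in findings if f["fixed"] is None]
    if not open_findings:
        return 0.0
    stale = [f for f in open_findings if age_days(f, as_of) > threshold_days]
    return len(stale) / len(open_findings)


def stale_by_team(findings, as_of=AS_OF, threshold_days=STALE_AFTER_DAYS):
    """Per-team count of stale open findings: the number that goes on the
    scorecard so system owners, not only the security team, are accountable."""
    counts = defaultdict(int)
    for f in findings:
        if f["fixed"] is None and age_days(f, as_of) > threshold_days:
            counts[f["team"]] += 1
    return dict(counts)


def mean_time_to_fix(findings):
    """Mean days from first_seen to fixed across remediated findings; None if none fixed."""
    durations = [(f["fixed"] - f["first_seen"]).days for f in findings if f["fixed"] is not None]
    if not durations:
        return None
    return sum(durations) / len(durations)


if __name__ == "__main__":
    print(f"stale share of open findings: {stale_share(FINDINGS):.0%}")
    print(f"stale findings by owning team: {stale_by_team(FINDINGS)}")
    print(f"mean time to fix (days): {mean_time_to_fix(FINDINGS)}")
```

The per-team breakdown is the part that turns a statistic into an incentive: a single company-wide percentage lets every owner assume the stale findings belong to someone else, whereas a number next to each team's name does not.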
2. Are investments in threat detection simply generating more data, or improving managers’ decision-making? Despite the investments that many organizations have already made in detection tools, 229 days is the median amount of time an attacker stays in the network before being detected.
Leading information security teams are actually taking a step back and trying to understand and use the business context behind data flows to reduce the number of “false alarms”, cases where teams mistakenly think they have discovered an attacker (this case study has more detail).
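One concrete form of "using business context behind data flows" is to enrich a raw data-transfer alert with what the asset owner already knows: which destinations a host is expected to talk to, and how critical the host is. The Python below is an added example, not from the article or the case study it mentions; the hosts, destinations, criticality ratings and alerts are all constructed for illustration.

```python
# Constructed business context, as an asset owner might record it: the
# destinations and ports each host is expected to send data to, and how
# critical each host is to the business. Hostnames and addresses are made up
# (the IPs are from documentation ranges).
EXPECTED_FLOWS = {
    "backup-01": {("backup-vault.example.internal", 22)},  # nightly backup over SSH
    "erp-01":    {("bank-sftp.example.net", 22)},          # daily payment file upload
}
ASSET_CRITICALITY = {"backup-01": "medium", "erp-01": "high", "hr-laptop-7": "low"}

# Escalation priority derived from asset criticality; hosts with no recorded
# owner context get a middle priority so they are looked at but not first.
PRIORITY_FOR = {"high": "P1", "medium": "P2", "low": "P3"}
DEFAULT_PRIORITY = "P2"

# Constructed "large outbound transfer" alerts from a detection tool.
ALERTS = [
    {"id": "A1", "host": "backup-01",   "dst": "backup-vault.example.internal", "dst_port": 22,  "bytes": 50_000_000_000},
    {"id": "A2", "host": "erp-01",      "dst": "203.0.113.10",                  "dst_port": 443, "bytes": 2_000_000_000},
    {"id": "A3", "host": "hr-laptop-7", "dst": "198.51.100.5",                  "dst_port": 443, "bytes": 300_000_000},
    {"id": "A4", "host": "erp-01",      "dst": "bank-sftp.example.net",         "dst_port": 22,  "bytes": 5_000_000},
]


def triage_alert(alert, expected_flows=EXPECTED_FLOWS, criticality=ASSET_CRITICALITY):
    """Decide whether an alert is a known business flow (suppress, but keep the
    record) or an unexpected flow (escalate with a priority from asset criticality)."""
    host = alert["host"]
    flow = (alert["dst"], alert["dst_port"])
    if flow in expected_flows.get(host, set()):
        return {"id": alert["id"], "action": "suppress",
                "reason": f"{host} -> {flow[0]}:{flow[1]} is a documented business flow"}
    level = criticality.get(host)
    if level is None:
        return {"id": alert["id"], "action": "escalate", "priority": DEFAULT_PRIORITY,
                "reason": f"no owner context recorded for {host}"}
    return {"id": alert["id"], "action": "escalate", "priority": PRIORITY_FOR[level],
            "reason": f"unexpected destination for {level}-criticality host {host}"}


def triage(alerts=ALERTS):
    """Triage every alert; returns a dict keyed by alert id."""
    return {a["id"]: triage_alert(a) for a in alerts}


def suppressed_fraction(decisions):
    """Share of alerts the context removed from the analyst queue (0.0 if no alerts)."""
    if not decisions:
        return 0.0
    suppressed = sum(1 for d in decisions.values() if d["action"] == "suppress")
    return suppressed / len(decisions)


if __name__ == "__main__":
    decisions = triage()
    for d in decisions.values():
        print(d)
    print(f"fraction of alerts suppressed by business context: {suppressed_fraction(decisions):.0%}")
```

Two design points matter here. Suppressed alerts are still returned with a reason rather than dropped, so the decision can be audited and the expected-flow table can be reviewed when it is wrong. And the context table needs an owner and a review cadence of its own: an expected-flow entry nobody maintains quietly becomes a blind spot.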
3. Are investments in end-user awareness actually changing employee behaviour? One out of every two breaches can be traced back to employees’ insecure behaviour.
Leading information risk awareness programs don’t stop at merely mitigating this risk, but encourage employees to act as “early warning” sensors and reporters for suspected security issues.
4. Are we investing enough in third-party assurance? Although 41% of organizations have sustained a data breach caused by a third party, most firms assess third parties and vendors only once, at the start of a relationship.
Leading cyber security programs are taking steps to integrate third parties more thoroughly into ongoing information protection efforts, going beyond due diligence to establish truly risk-based processes.
5. Are we investing in preparations for crisis response? Effective crisis response can mean the difference between minimal reputational damage from a breach, and a breach that leads to executive and board-level firings.
For better or worse, media coverage of breaches has a tendency to blame the victim – so leading companies create and test response plans that coordinate all internal/external parties to minimize the blow to their reputation and brand.