Right now, more than ever and in all walks of life, we should be minimising risk.
In terms of the coronavirus, minimising risk means following the government’s advice on social distancing, washing your hands and not stockpiling toilet roll and pasta so those who genuinely need it can get it.
In terms of your enterprise, you have a front-row seat at Risk: The Musical, and if you’re not careful, it will be all about your business.
As quickly as you can spin up defences to ward off the bad guys, the threat actors are finding new ways to trick your employees into letting them get their grubby mitts on your data, intellectual property or your money.
But what is the answer?
For those of a certain age, Gordon Gekko told us to ‘buy, buy, buy’ but is the answer throwing money at the problem, buying more tech, more tools and hiring more people to manage it all?
For many businesses, the answer is a resounding yes. In fact, industry reports put the average number of security tools in an enterprise at a colossal 75.
But has this led to fewer instances of breaches, cyber attacks and business compromise? All you need to do is peruse the tech press to know that that answer is a resounding no.
In a recent report by the Cyber Resilience Think Tank, sponsored by Mimecast, experts advised on how to break through cybersecurity complexity, simplify your tech stack and reduce the risks you face every day.
‘The lower the complexity of the system, the attack surface is more visible, meaning that I know what it is and I can plan and address it.’
Taylor Lehmann, CISO, athenahealth
It’s The Perfect Time For A Digital Spring Clean
Once you can recognise the issues around complexity in your security environment (and we can help you with that), it’s time to start decluttering. Think of it as a digital spring clean. There are a number of ways to do it and the focussed advice below has been culled from cybersecurity experts. As we said, we can help you to streamline the digital fortress without adding any chinks to the armour.
Know What You Have, Use It, Connect It
Chances are, if you’re running (and, presumably, paying for) 75 security tools, many of them are going to be redundant. Do you even know what they all do? Do some do exactly the same as others?
Sam Small, CEO at ZeroFOX, suggests that what you have might surprise you in terms of what it’s capable of doing. ‘Instead of standing up a whole new point solution, a little bit of data transformation and a little bit of architecture can go a long way.’
In addition, choosing platforms with powerful and extensive API capabilities is crucial, says Peter Tran, VP and Head of Global Cyber Defence & Security Strategy at Worldpay.
‘I care about platforms so from a vendor perspective, I weed out a lot. You can pitch all the nice little toys you want but I just want to be able to ingest it, aggregate it and de-dupe it and give to my analyst in an automated fashion. That gives us the ability to make data-driven decisions faster.’
Don’t Bite Off More Than You Can Chew
‘Do you dare throw the old stuff out?’ says Harman CISO Maurice Stebila.
He suggests that instead of tossing it all overboard, you keep the tools that reduce dwell time and put fewer people behind them. It’s about accountability: ‘push the responsibility to each business unit within your organisation.’
Tran says that businesses should apply the law of marginal gains. In a nutshell, it states that a number of small improvements added together result in a significant overall improvement. Instead of trying to improve one area by 10%, improve 10 areas by 1%.
Even if the changes you make barely register, over time they will add up to a more secure and, crucially, less complex environment.
‘You have to make use of what you have now to make sure it is aligned properly to where you want your visibility…It doesn’t happen overnight.’
You can’t possibly buy every tool on the market so worry about operational efficiency over spend.
Consider Your Resources
Before you start laying out for new services that promise you the world, make sure that, if you are determined to buy, the service is right for your environment and you have the expertise in place to manage it.
Marc French, CISO and MD of Product Security Group, suggests that ‘As a rule of thumb, if you have implemented and are managing more than two tools per IT/security professional on your team, it may be time to reconsider your approach. You have to consider your force multipliers in this count (that includes your MSSPs, champions, proxies and vendors). Then, consider if you’ve truly implemented these IT security tools in question to their fullest capability. If you haven’t done that, you’ve likely created a bigger cyber risk as a result with a false sense of security.’
Think of your security stack the way keen gardeners consider their weeding and feeding. You determine what yields you’re getting from the investment and if you’re not getting what you want you must try a different approach. Did you buy into the marketing gloss without delving deeper into what it is that you genuinely need?
‘If you’re not measuring for a result, you’re measuring for the wrong thing.’
Malcolm Harkins, Chief Security & Trust Officer, Cymatic
The Three R’s
Realign… your resources if they aren’t providing the proper visibility into your environment
Reinvest… in services that have performed to the standards you’ve set
Retire… services completely if they are no longer working or relevant
Simplicity Is The ‘New’ Name Of The Game
The bottom line is that maintaining simplicity is the best way to keep your enterprise safe from adversaries.
By trying to have everything you are opening your business up to an inordinate amount of risk, beyond even what today’s attackers are trying on a day-to-day basis.
1. When you’re considering cybersecurity solutions, consider those that will lead to less complexity, less bandwidth and fewer skills needed to manage them, and a lower total cost to your business.
2. Ensure that the tools you’ve already bought are being used to their greatest capabilities and capacities and integrate them with your existing systems. You can even consider outsourcing some functions if needed.
3. Going down this road will free up your people to focus on the big picture items and systems work, and allow your skilled workers to shine. They’ll be happier as a result.