View original article on Forbes here
Author: Aaron Pritz, CEO, Co-Founder – Reveal Risk
In Plato’s classic works Timaeus and Critias, the “fictional” island of Atlantis was born. The story inspired countless additional books and films where the Atlanteans had superior society and technology, and they often included the provocation of Athens. Atlantis ultimately sank into the sea — never to be found again. Some believed the Greek gods lost trust in Atlantis and brought earthquakes and floods that caused it to sink.
Today’s cybersecurity and privacy are much like Atlantis.
Like Atlantis, information security and privacy departments in many companies are still isolated islands. The technology investments and advances in cybersecurity may have been sizable, but not always deployed at scale or effective in addressing an organization’s true risks. Additionally, capabilities may be poorly understood by those who are not on the island. As a result, many business chiefs remain skeptical — unsure that the challenges of privacy and cybersecurity are real for their business, or that it’s an information technology (IT) problem that IT will solve.
Ultimately, many companies that have suffered breaches realize they have sunken trust (customer, employee, shareholder), along with their islands of security and privacy. As Salesforce’s CEO, Marc Benioff, stated at the World Economic Forum’s In Technology We Trust session, “If anything trumps trust, we are in trouble. You have to choose what is really important to you. We are in a new world, and trust better be No. 1.”
But how can we avoid the sinking of trust?
The “ocean” is growing. Attacks on information and businesses are expanding to new waters. For the average person, the annoying phishing email is no longer the obvious Nigerian Prince’s financial assistance request (from a sender who is in desperate need of a language and spelling class).
These attacks now come via social media, text messages and advertisements for amazing deals. They may appear to be from CEOs requesting W-2 statements or wired funds. “Church pastors” scam parishioners out of thousands of dollars when the fake pastor encourages a pledge via bank deposits. Ransomware has compromised offices, hospitals, labs and manufacturing sites for days, weeks and months.
It is vital that companies spend time analyzing potential threats. New threats will arise, but having a core threat analysis that can evolve with reality is critical.
Business-Driven Risk Management
Many companies have yet to discover their real business risk across functions, departments and lines of business. They haven’t taken the time to ask themselves what matters most to their business. They also haven’t thought about what adversaries will target, how likely they are to go after it and what the impact to the business might be if they succeed.
Often, this results in attempts to “boil the ocean” or apply defenses equally everywhere, resulting in a marginal impact on a broad scale. Without understanding this landscape, connecting to defenses and plans to increase the ability to defend is impossible.
Companies should take steps to learn what matters to them and to their potential threat actors, and then use that knowledge to thoughtfully design defenses.
Security Architecture And Orchestration
Based on what I have seen, many companies have invested significantly in technology without seeing the full benefit. They are in a reactive “tech-fix-heavy” position for their security program. They have acquired numerous hopeful “silver bullet” cyber tools that they believe to reduce their risk relative to their peers.
The old mentality of “the professional with the most tools wins” persists. This results in an architectural landscape that resembles an overgrown forest of kelp and dead coral.
To be clear: There are some really great cybersecurity tools in the market — along with a boatload of garbage and fish-by-night marketers trying to surf the wave of new money in cyber. Unfortunately, many tools don’t play well together and add duplicative capabilities (if the team even has time to turn them on).
This entangled mess has made the security architect role the new rising rock star of security when properly empowered and sponsored by leadership. These technical leaders must drive the process and operational scale, and establish a strong connection to business-driven risk management and threat intelligence, in addition to managing the increasing technical complexity of the environment.
Holistic Cybersecurity And Privacy Leadership
The demise of Atlantis varies by the story. In our version, despite significant technology and power, it tried to conquer too much without focus and sank right along with trust.
A recent industry meme I saw depicts four company leaders’ sleeping positions — the CEO, chief operating officer (COO), chief financial officer (CFO) and chief information security officer (CISO). The first three leaders are shown in various physical positions, and the CISO’s bed is empty — insinuating that they are not sleeping.
I believe the collective security industry needs the wake-up call Ed Baldwin discussed in his LinkedIn article “Busy Is The New Stupid.” He states that “being busy makes us hurried, creates short-sightedness, expands blind spots, increases careless mistakes and results in missed opportunities that we can’t get back.”
Leadership must leverage insights from threats, business risks and persistent architecture thinking to avoid sinking themselves, their companies and trust.
Putting It All Together
Whether you are living in an Atlantean utopia or sunken dystopia, it is critically important to carve out time to rationalize and prioritize what your business really needs from information security and privacy programs. What are the threats to your business? What are the things you really care about? How do you get the best value out of your technology portfolio? It is possible to do more with less if you employ these concepts.
I predict that in the next decade, “trust” will become a basic right for businesses to operate with. For now, it may be an untapped competitive advantage for companies that can demonstrate an ability to manage risk and protect information. As companies get there, they will raise “trust” to the level of importance it must be.
At Reveal Risk, we evaluate, design and deliver strong processes and results in cyber, privacy, risk that work efficiently, are fit-for-purpose, and are sustained. If you find that you want assistance in building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to connect with us at firstname.lastname@example.org.
About the Author
Aaron Pritz is senior IT/Security/Privacy/Risk leader with over 20 years of experience including at a large pharmaceutical company in the Midwest. Aaron co-founded Reveal Risk in 2018 after seeing significant corporate leadership and “execution of strategy-to-operations” capability gaps in the cyber security and privacy consulting industry. Aaron is a creative thinking strategist that brings strategies to life through engaging approaches and teamwork. He is an active industry influencer and speaker on the topics of business-driven risk management, insider theft, and cyber security in healthcare, and is no stranger to helping companies progress both before and after incidents/breaches (ideally the former!).