
Building a proactive security strategy? Scott Goodwin at DigitalXRAID advises that you start with the C-Suite
According to IBM, today's organisations take more than 200 days on average to identify a breach of their systems, and more than 70 days to contain the threat once it has been identified.
This is a symptom of a wider problem: security leaders are trapped in a cycle of reacting to security incidents, stretched by increasingly complex IT infrastructure and a relentless threat landscape. To break that cycle, these teams need to actively develop risk-prevention strategies and take a more proactive stance.
We often hear about the risk that low security awareness poses to a business's security posture, but the focus is too often on end-users alone. In the coming year, CISOs must also direct their education efforts at the boardroom and communicate why cyber-security is such a significant business risk.
Only with C-Suite investment and buy-in can CISOs take a more proactive outlook and prepare their organisations for possible attacks.
Business leaders have the power to help CISOs and their security teams get onto the front foot by fostering well-rounded cyber-security education programmes and developing clear risk-mitigation strategies, but they need to understand both how and why.
The National Institute of Standards and Technology (NIST) shone a spotlight on the role of the boardroom this year when it added a new function to its Cybersecurity Framework (CSF 2.0). By adding Govern alongside the existing Identify, Protect, Detect, Respond and Recover functions, NIST created a permission structure for countless CISOs to bring their boardroom into the cyber-security conversation.
Specifically, business leaders should play a key role in developing strategic action plans that are tailored to their organisations, put risk prevention and continuity planning at the forefront, and ensure continued communication between the boardroom and security teams.
Done right, this move alleviates the pressure facing CISOs and recognises the organisation-wide importance of cyber-security, but cyber-security executives will need to spend real time working with their boards to make it happen.
To combat cyber-threats effectively, CISOs need to look beyond tools and solutions and also build defences through people and processes, with the boardroom at the centre. Following frameworks such as the NIST Cybersecurity Framework or ISO 27001 builds a strong basis for safeguarding networks and sensitive data against attacks, and for recovering quickly and securely when an incident strikes.
Incident response is often overlooked by business leaders, who would rather focus on shoring up their defences against bad actors in the first place. But businesses and their boardrooms need to accept that cyber-security incidents cannot be 100% prevented. The best plan of action is to hold a frank, full risk assessment at board level before preparing regularly tested incident response playbooks.
Each organisation is different. Is the business in a particularly sensitive industry, such as financial services or healthcare? Is it part of critical national infrastructure (CNI), and therefore a likely target for nation-state attackers? Would bad actors be most likely to cause disruption, or does the business hold sensitive information that would be valuable on the dark web? If the latter, whether that is intellectual property, employee or customer data, or something else, where is it stored, and how well are the systems holding it monitored?
These are, of course, questions that CISOs can often answer themselves, but having the conversation brings board-level executives into the fold and helps them understand the real business risks they face.
Once the risks are established, CISOs can build these same executives and key stakeholders into an incident response playbook, with clearly assigned ownership and lines of escalation. A well-structured playbook allows an organisation to assess its most likely cyber-incidents and prepare for them in advance. Organisations can use the incident handling scenarios in NIST SP 800-61, which are built around common attack vectors, as a framework for developing their own incident response strategies.
But creating a playbook is not enough. To truly prepare all stakeholders for the eventuality of a breach, playbooks must be regularly tested and rehearsed. Incident response is a challenge even for the best-prepared organisations, so it is far better to find the gaps in a playbook while still in a simulated environment. Running these rehearsals lets organisations practise their response to cyber-attacks and ensures that everyone involved is actively engaged in their training.
An incredible 88% of breaches can be traced back to human error, making organisation-wide security awareness a vital part of a proactive strategy. Each employee has their own priorities and KPIs, but every employee is responsible for keeping the organisation secure, and every device could open the door to a cyber-attack.
Investing in cyber-security training is a proactive strategy to cultivate a culture of cyber-security awareness. When employees are empowered to make informed decisions about their online behaviour, they become an asset in the company’s cyber-security defence.
By fostering this understanding with the boardroom, CISOs can secure genuine executive investment in these efforts. Training should cover a wide range of topics, including phishing, malware, social engineering, password security, and data protection best practices. Most importantly, training sessions and simulations should be regular and reinforced within daily processes.
Only when initiated from the top can these programs achieve a security-centric culture that doesn’t shame employees for clicking a phishing link but encourages all employees to know the necessary lines of escalation and continually learn from their environments.
One of the biggest challenges CISOs face is a lack of resources. As the cost of a data breach continues to soar, reaching an all-time high global average of $4.45M in 2023, organisations often increase their cyber-security budgets only in the wake of an attack. That is, clearly, too late. CISOs need to communicate the financial risk of a breach to their boardroom and evaluate whether outsourcing would help them achieve a stronger, managed security posture.
Investing in outsourced cyber-security services gives businesses 24/7 security monitoring and threat detection without taking in-house security personnel away from other priorities. Outsourcing also offers access to up-to-date security methods and threat intelligence, informed by a broader perspective on current and emerging threats than in-house staff alone can provide.
An outsourced Security Operations Centre (SOC) can collect and analyse threat intelligence on a far larger scale, helping to identify and respond to potential attacks before they materialise. Outside large, global enterprises, most internal security teams simply do not have the time or the people to accomplish this on their own.
Building a proactive security strategy requires real investment, but that investment does not have to be purely financial, and it should not be limited to the largest organisations. Taking the time to engage the board in the proactive security process, allocating time and spend more effectively through external expertise, and leveraging frameworks and security certifications to build a strong foundation can transform a business's security strategy.
A CISO’s success in achieving this is a business success: in today’s landscape, getting on top of security risks and finding the time to innovate and grow gives a competitive edge and fosters greater trust from customers, partners and investors alike.
Scott Goodwin is CTO at DigitalXRAID
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.