Today’s cyber environment is complex and challenging for corporate management faced with daily battles against a seemingly endless list of ever-evolving threats. Even large cybersecurity firms and government branches (local, state, and federal) have been or will be victimized. One only needs to read daily headlines for a reminder of the ongoing cyber threat environment. A critically important consideration for small and medium-sized businesses (SMBs) is how to address these risks to safeguard customer data and/or critical business operations. A return on investment analysis, alone, can build a strong case for making cyber protection a corporate priority. However, how organizations approach this challenge varies widely. It is imperative that cyber spending be balanced with other business risks to ensure that organizations are effective stewards of corporate resources. Arriving at that “just enough” point regarding cyber protection can seem elusive. This is the principal focus of this article.
Some organizations facing the challenge of implementing appropriate levels of cyber protection elect a model of keeping all their data and systems in-house. Others make use of virtualized environments with software and infrastructure provided by external service providers. A third and, perhaps, more popular option is a hybrid model with both internal and third-party managed segments. Each of these models comes with its own advantages and disadvantages. A challenge for many SMBs is how to make this cyber and information technology decision to best meet their specific organization’s goals. Many of these SMBs lack the insight needed to conduct an effective analysis for making these critical business decisions. Analyzing the options, assessing costs, and weighing overall business risks and impacts against a dynamic cyber threat environment is the main challenge for many organization CEOs and C-Suites. It is invaluable to solicit the advice of a third party, a trusted agent, to provide an initial assessment and to develop a list of critical recommendations for your company’s leadership to consider for implementation.
An Objective Look
Having a trusted third party perform a “sanity check” or “baseline” of your organization’s cyber landscape will provide a much-needed starting point for your decision calculus. However, the challenge is finding a “trusted and impartial” third-party assessor/advisor; an advisor WITHOUT a vested interest in follow-on work. Receiving feedback from a cyber tool vendor generally ends with a recommendation to purchase a “solve-all-ills” application or tool suite. Keeping your third-party assessment away from any possible pressure for follow-on business or tool purchases avoids this conflict of interest, so do not use the same group for both the assessment and the follow-on work. Having an impartial party separate from implementation also provides the option for an annual revisit to give the board a clear perspective on the return on investment, or a scorecard, for your cyber expenditures.
Is Your Home Team Up for the Challenge?
On-Premises or Contracted Cyber Security
Today’s dynamic cyber threat environment requires an all-hands-on-deck approach. Building advanced cyber capabilities that are effective in protecting and defending your enterprise and operations is required. Regardless of your enterprise’s size, businesses do require a deliberate and well-thought-out protection strategy. Opting to contract out for these security services so that your company can focus more effectively on its core mission is sometimes the answer. However, this decision must be made only after a complete assessment of what systems and information constitute the organization’s most critical assets. Once an organization understands exactly what assets it needs to protect, it can make a clearer decision on how best to implement an effective risk-based protection strategy.
Where to Start:
These steps outline a recommended path for developing and implementing an effective cyber strategy:
- Corporate Board Support – Clearly outline the assessment process to the corporate board. It is critical that all cyber efforts are fully supported by this board. Without the support of corporate leadership, even a well-developed strategy will be challenged. Corporate board/leadership support is the most important element of any corporate cyber strategy.
- 3rd Party Assessment – Identify an IMPARTIAL 3rd party to provide an unvarnished assessment of your organization’s cyber posture, including threat environment, costs, critical assets, and identified gaps.
- Building the Enterprise Cyber Strategy – Integrating the impartial 3rd party assessment into your organization’s enterprise cyber strategy is critically important. Your cyber strategy should include sections that address gaps arising from these analyses in addition to the areas outlined below. Depending on your organization’s priorities and risk tolerance, the scope of these areas will vary.
  - Classification of data/assets
  - Configuration and Asset Management
  - Patch Management
  - Business Impact Analysis
  - Business Continuity Plan
  - Incident Response Plan
  - Disaster Recovery Plan
  - Employee Education Plan
  - Policy/Governance Plan
  - Controls – Technical and Non-Technical
  - Success Factors/Program Metrics
  - Threat Assessment
  - Threat Tracking
  - Implementation Plan
Assessing Organizational Risk:
The organizational cyber strategy that you developed will outline the key elements required for your company to manage its risks adequately. Risks need to be understood completely by your organizational leadership. These will span operational, legal, and reputational risks. The cyber risks must be recorded in your organization’s risk register so that they can be managed as part of the corporate risk management program. Your implementation plan should include costing of mitigations and of sustainment operations. Equipped with a comprehensive picture of your organization’s cyber program requirements, you can assess whether in-house resources are adequate, or whether they can be matured to meet the current need. Many of the mitigations outlined above require mature information technology (IT) management practices. It will be beneficial to coordinate with the organization’s IT support lead to ensure that your recommendations are complete and implemented. At this point in your assessment, you have reached the decision crossroads.
The Decision Crossroads:
As the percentage of revenue spent on cybersecurity and privacy protections increases, the in-house vs. contracted-out decision becomes critical to continued business survival. There is a tipping point or crossroad in most organizations when in-house resources can no longer effectively manage the growing threats and compliance requirements. If your organization has already invested in mature, high-performing IT support and cybersecurity functions, the decision to further mature in-house support/services may be straightforward. However, for many organizations, the cost of building an internal capability may exceed the cost of contracting IT and security functions to a Managed Service Provider (MSP) and a Managed Security Service Provider (MSSP). Having your organizational costs captured will make this corporate decision better informed. However, this decision crossroad is not purely one that is captured in a return on investment analysis. Despite the resource advantages of contracting out for services, several organizations still keep most of their services in-house. These decisions are more culturally based. At your crossroad, you must ensure you have factored organizational culture into your analysis and recommendations.
Most importantly, you can outsource responsibility – not accountability. Regardless of your organization’s decision for in-house or contracted services, accountability for managing risk belongs to your organization’s leadership and cannot be transferred. Managing cybersecurity today requires ongoing and mature IT and security functions. If your organization is not totally confident in its ability to keep its proverbial head above the cyber waters, a cost-effective alternative may be a lifeline provided by a mature MSP and MSSP.
Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics to minimize business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit www.secuvant.com.