(these questions were slightly changed from the presentation at RSA Conference in Asia – https://www.rsaconference.com/apj/agenda/how-to-tell-the-right-cyber-story-to-executives-and-board-members Ian Yip CEO of Avertro – he brings up some good questions.
Let us delve a bit deeper into this question.
Why should we care about Cyber Risk? — How do you measure Cyber?
What are the key assets? What is being done today to protect these assets?
What are the Cyber risks? How will these risks be mitigated?
What are the Cyber capabilities? Are we spending the right amount?
What are the goals and outcomes that are needed? Are we there? Or how to get there?
What are the problems or gaps? When will we solve this?
Why is Cybersecurity so difficult to get a handle on It?
Unfortunately it seems that there are so many pieces that makes it complicated as well as evaluating the risks to make the risks concrete is hard.
The executive in charge is lacking in time, and is dependent on others to ensure the security. The problem with this is of course that the executive needs to perform a little work themselves by ensuring security is handled with testing and auditing. The test and audit needs to connect to the executive so the executive knows firsthand that this task is taken care of.
For example – let’s say you have mostly a remote workforce during the pandemic, how is that different than being in the office? example: home computers can affect the office network if not done right.
There is also a fundamental Cybersecurity misunderstanding. Any weak point can be used to open the door to a larger breach and a few weeks later the ransomware drops.
The Managers or owners in charge of IT security do not understand how quickly everything can go bad. The fact that the larger you get, the more you have to defend the more likely attackers are already in your network, biding their time to decide how best to take advantage of the situation.
On the other hand if you are a small shop there may not be much to defend, so why should you pay attention? Is it important to know that with a few wrong moves your business on computers would be gone? can you reassemble your life on the computer if needed? Quickly?
There is a point to where one should close the door after walking through. Even if the process of closing the door takes a long time and is complex.
It should be simple to review and solve Cybersecurity. But it is not, so it is NOT as easy as walking through a door and closing the door.
What if after you walk through a doorway one HAD to shut a heavy door, lock with encrypted methods (use a password) and then solve a problem. After the problem is solved then the door is shut and locked properly.
After doing this process for a while maybe you get tired of it, and no longer want to do it, but if you replace the heavy encrypted door there is a good chance you get breached.
Analogies are not always clear enough. Cybersecurity will never be solved, since technology changes, gets upgraded and will need to be patched.
So we have to manage the security angle to our need for tech.
In the following article at DarkReading it is apparent that when hardware vulnerabilities occur then it is especially difficult to recover and update and fix the problems.
Remember the following quote:”Once a bad actor or malicious insider gains credentials to access a system, it’s easy for that system to be compromised. These breaches are occurring all the time; every major company has had a breach caused or started by an insider, including Facebook, Twitter, and Google. Last September, DoorDash confirmed a data breach through a third-party vendor that exposed the information of nearly 5 million customers, delivery workers, and merchants. The following month, account information on 7.5 million Adobe Creative Cloud users was exposed due to an unprotected online database.”
- Why should we care about Cyber Risk? — How do you measure Cyber?
- What are the key assets? What is being done today to protect these assets?
- What are the Cyber risks? How will these risks be mitigated?
- What are the Cyber capabilities? Are we spending the right amount?
- What are the goals and outcomes that are needed? Are we there? Or how to get there?
- What are the problems or gaps? When will we solve this?
How should you answer all of the above questions?
The image gives us a start to all of this difficult work, only difficult because it needs to be defined. And some topics are more subjective than others.
This is just the beginning of a long conversation to ensure PCI compliance is taken care of for example. In PCI compliance one of the many things is to create risk assessments.
Contact Us to discuss