Top 5 Reasons Why the Enterprise is Getting Cybersecurity Wrong
The recent Russian hacking operation has once again laid bare the fallacy that the enterprise and government are doing cybersecurity right. Many people are wondering: how are these large entities getting it wrong?
Obviously, large organizations are the biggest targets for a cyber attack, containing the most sensitive information, and they will constantly be tested. However, these agencies also have access to the strongest resources. Which begs the question: why are cybersecurity breaches of this scope continuing to occur? Are enterprises too confident in their protocols and technology, or are they too laissez-faire in their deterrence of evolving threats? These cyber teams need to be right 100 percent of the time, and the bad guys just have to get it right once, right? Well, there’s more to the story…
It is now estimated that up to 250 federal agencies and businesses have been infiltrated or impacted, including the Treasury, State, Commerce, and Energy Departments.
Russia’s SVR intelligence service is now widely believed to be the responsible actor in this cybersecurity breach. This same agency was also to blame for the federal cyber attacks in 2014 and 2015 during the Obama administration. Unfortunately, cybersecurity officials are still not able to pinpoint exactly what the SVR’s goal was with this attack. At this time, there is a lack of knowledge about what information and data were accessed and/or stolen.
The start of this SolarWinds breach has been traced back to as early as October 2019. Last week, CrowdStrike, another security company, revealed they were also a hacking target — however, they have stated that their systems were not penetrated. The breach was discovered by the security company, FireEye, late last year.
However severe, this breach is not a total surprise to some. Several former SolarWinds employees have come out since the attack and said that best security practices have been cut and reduced in an effort to lower expenses and increase profit margins (SolarWinds’ profit margins in 2019 were $453 million, compared to $152 million in 2010). Most of the company’s engineering has been outsourced to Eastern European countries like Poland and the Czech Republic (this is a much more common practice than people know).
How is enterprise cybersecurity getting it wrong?
If I had to pin enterprise cybersecurity failures on one issue, it’s lack of visibility and/or context. However, there are other, less obvious reasons that most enterprises get cyber wrong.
1. Peter principle
What is the Peter Principle? The Peter Principle is the observation that people tend to be promoted until they reach a level at which they are no longer competent.
What does this look like in enterprise cybersecurity? Promoting cyber leaders that are not capable or not yet ready to lead enterprise cybersecurity solutions.
This typically occurs when someone with some IT experience or cloud security knowledge is thrust into the role with little training or actual cybersecurity experience. While IT experience is valuable, does it make someone the best candidate to ensure that all of an organization’s sensitive data is secured, that the organization is protected from data breaches and data leaks, and that all other security threats stay at bay? Probably not.
It is essential that cybersecurity professionals that are being promoted or hired for higher level roles come with experience and knowledge. You probably wouldn’t let just anyone handle your company data, so why let just anyone be in charge of your enterprise cybersecurity program?
2. Vendor noise
One of the biggest problems in cybersecurity is that vendors all promise to “block all attacks” or to be the silver bullet that finally brings order to chaos. It’s almost always a lot of marketing BS. No single security tool can block all cyber threats, protect sensitive customer data, and ensure that no cyber breaches occur. There is a reason there are so many companies.
3. Not enough resources
This is a chronic problem across companies of all sizes. The team is too small and the budget is almost non-existent. Resources are not being put into necessary security measures until after a data breach or cyber attack occurs.
4. Working in silos
This is the “it’s IT’s problem” perspective, where the cybersecurity department is passing the buck, or the organization acts as a set of independent entities versus one cohesive team with a clear mandate across all units.
5. Misunderstanding of what a real cybersecurity program entails
This is a culmination of the previous four points. There is no easy solution here…cybersecurity is complex and multi-dimensional and requires a robust security strategy.
Envisioning an effective enterprise cybersecurity
So what steps do organizations of all sizes need to take in order to reimagine cybersecurity on a foundation of strong, sound practices? First, admit a flawed philosophy — followed up with new hard-and-fast guidelines to better combat internal malpractice.
1. A CISO with understanding and experience
Your CISO needs to understand tech, engineering, and business — and have proven experience with operationalizing security programs (not just conducting regular security audits or giving commands without results). Your CISO needs to be prepared to create a strong, holistic security posture, not just implement a few best practices.
2. Security vendor review
You should do a deep security vendor review to determine what actual outcomes you’ve gained from your current cybersecurity vendors, from both a services and a product perspective. Along with this, determine whether you’re using each vendor’s product correctly; misconfigurations can result in you not receiving the desired outcomes.
Along with a vendor review, it is wise to consider any third-party risk you may be taking on by using specific vendors. Ask questions such as: does this vendor have access to my organization’s data? Do they themselves have strong security controls? If you expect cybersecurity best practices within your own organization, expect them of your third-party vendors as well.
3. Invest in cyber
Investing in cybersecurity as a percentage of revenue is crucial for any organization aiming to thrive over the next 5-10 years. With the increasing complexity of cyber threats, no organization can afford to neglect this vital strategy – consider cyber an essential part of your business operations.
Determining which cybersecurity tools to purchase and how much to spend can be challenging. Start by using a security budget template to streamline the process. This approach helps you evaluate your current security posture, identify gaps, and prioritize investments that will enhance your overall cybersecurity efforts. Remember, proactive measures and investment in cybersecurity are not just an expense; they are a critical component of your organization’s resilience and long-term success.
4. Collaborate between teams
Breaking down the silos between different departments is essential for effective enterprise cybersecurity. Enterprise cybersecurity here means security practices that encompass the entire organization, requiring a unified approach across all departments. To achieve this, cybersecurity must be embedded into the organization’s culture. Appointing a few security resources at a 1:5000 ratio is insufficient. Everyone within the organization must be accountable for adhering to proper enterprise security strategies and controls. Departments should have Key Performance Indicators (KPIs) based on security incidents and losses to ensure accountability.
In addition to fostering collaboration, implementing a robust security awareness training program is crucial. Often, enterprise cybersecurity is only as strong as the weakest password. Comprehensive training helps ensure that all employees understand their role in maintaining cybersecurity and are equipped to recognize and respond to potential threats.
5. Compliance does not equal security
Passing an audit does not equate to effective enterprise cybersecurity. While regulatory compliance is essential, relying on impressive presentations with superficial data cannot assure true security. Building a robust cybersecurity program requires a comprehensive approach, including real-time monitoring and active management of controls. When asking your CISO about the program, they should provide real-time information about the state of your controls and overall visibility into the cybersecurity landscape.
To ensure a secure environment, enterprises must go beyond mere compliance and actively engage in continuous monitoring, risk assessment, and incident response. This holistic approach ensures that cybersecurity measures are not only documented but also effectively implemented and maintained.
Ready to take the next step?
If you’re looking for more guidance on how to move your cybersecurity program forward, CDG can help. We are shifting the cybersecurity consulting paradigm to address the needs of mid-market, cloud-native or cloud-reliant companies who are experiencing rapid growth.
Founded in 2016 by global security expert Lou Rabon, our nimble team draws on decades of experience and diverse technical expertise to deliver a full spectrum of information security advisory and implementation services on a fixed-cost basis. Our right-sized, results-driven approach will help you meet your immediate needs, but also ready you to navigate what’s ahead. Get in touch, and see what results are possible for your organization.