The Trouble with Cybersecurity Awareness Month…
October was Cybersecurity Awareness Month, so, not surprisingly, we see a lot of media coverage about cybersecurity and hear about our clients’ cybersecurity teams focusing on the implementation of best practices.
But as October moves to November, the emphasis on awareness gets pushed aside. Just when a company thinks it is making good progress on building and maintaining its security systems, a new threat arises, or an incident happens within the company that makes it clear that security awareness isn’t as good as leaders think it is. It’s easy to take security awareness for granted when it’s your job, but most employees don’t know as much as they need to in order to do their part in keeping the organization safe.
To keep cybersecurity awareness at the forefront beyond October, it’s important to remember that Rome wasn’t built in a day. It takes a lot of work to keep a business secure. Security leaders need to communicate to staff repeatedly about basic cybersecurity hygiene principles. But they also need to ensure that their executive decision makers understand the tools and systems that support good cybersecurity, so that they can back effective strategic and budget decisions.
Here are some important topics that got a lot of airtime this last Cybersecurity Awareness Month, but that also need to be top of mind throughout the year and understood by the wider business leadership.
Zero trust is one of the most popular terms in cybersecurity right now. In the U.S., the White House Executive Order, Improving the Nation’s Cybersecurity, emphasizes the need for government agencies and contractors to apply zero trust principles. Microsoft’s security suite aligns with them. Gartner has a Market Guide on Zero Trust Network Access. However, too many organizations don’t understand exactly what zero trust is or how to deploy it. More control over devices is needed—who is using the devices, what applications and software can be added to the devices, and what permissions are granted. If you are still in the ‘Zero Trust is just marketing spin’ camp, it’s worth reading some more – look for actionable insight that enables you to separate signal from noise.
Budget Cuts and the Loss of Cybersecurity Talent
According to (ISC)²’s Cyber Workforce Study 2023, “47% of cybersecurity professionals have dealt with cutbacks to their teams in the form of layoffs, budget cuts and hiring or promotion freezes. 22% have experienced layoffs, and 31% expect additional cutbacks in the next year.” For too many organizations, security isn’t seen as a priority, especially if they have never been through a cyber incident. Economic worries have led to slashed security budgets. Despite the need for skilled security professionals, a number of people are losing their jobs, including CISOs. As companies look for ways to cut costs, they unfortunately are opening themselves up to higher risk. Distributing the security function across a wider range of roles helps mitigate the impact of the talent gap – it becomes a priority that is owned by the many, not by a few, and is stronger as a result.
Read Addressing the Security Leadership Talent Gap for an actionable roadmap.
Penetration testing, or pentesting, is necessary to meet compliance regulations or to address a particular risk scenario, but it is an often-misunderstood cybersecurity process. A common misconception is that a clean pentest means an organization is safe, when in fact a breach can still occur. Effective pentesting considers areas like development and design, the root cause of many internal vulnerabilities. A problem emerges when companies do pentesting to “check a box” for an audit or to improve their security profile, but then don’t follow up to fix the problems found in a timely fashion.
Most organizations think of pentesting as an annual checkup – but in reality, it should be a regular activity in IT and network security management, because environments, technology solutions, and products are constantly changing. Combine it with red teaming to strengthen your security posture further.
Designing Security for Legacy Systems
Most enterprises have some legacy systems that are very difficult to update and secure. But these legacy systems are also vital to business operations, and in some cases are performing a task that isn’t replicated by newer software. Developing security around legacy systems highlights the gaps between the business side of the organization and the security teams. There is a lack of understanding around business operations and the need to keep these legacy systems up and running.
The security team is responsible for conveying the risk and the potential likelihood of breach occurrence to the business. It often comes down to money—IT/security often see the benefits of new technologies and tools and want to incorporate them, while the business may see the existing solution working just fine or good enough—why spend money to replace it? Support for legacy systems requires ongoing conversations between business and IT/security teams to determine how to best design a security system that will protect legacy devices and software without disrupting business operations.
Cybersecurity Risk as a Business Disruption
Discussions around risk shouldn’t stop at legacy systems. Conversations should cover the overall risk to the business if it doesn’t have strong cyber defenses. Again, talking about cyber risk with business leaders is best framed through monetary issues. Every business function has a cost interest associated with it: if that function is breached, held for ransom, or suffers any service disruption, how much money could the company lose?
When the MGM casinos were hit with a ransomware attack that took games offline and left them inoperable, the business learned firsthand what happens if risks aren’t addressed. It became a perfect example for cybersecurity professionals to share with business leaders of what can happen if security isn’t prioritized or if they are unwilling to talk about where vulnerabilities lie, risks around human behaviors and errors, and overall security hygiene.
Building a Common Language around Cybersecurity
One reason why it is so difficult to have the necessary conversations around cybersecurity and risk is that there is not universal consensus on language or what terms mean. This is especially a problem when legal counsel needs to handle the aftermath of a cyber incident.
Legal and members of the C-suite might utilize industry terminology, but not fully understand the meaning of those terms and what they cover. Understanding of the technical nuances varies. If a case ends up in court, for example, what the lawyers are trying to explain might not match what actually happened technically.
Adding to the confusion is the fact that legislation is being written around security or data privacy by people who don’t necessarily understand the technologies. There’s a need for common language across all entities with common definitions. There’s no silver bullet here, though government entities such as NIST or CISA as well as enterprises such as Microsoft and Gartner end up driving the consensus – simply because of their market reach.
Concluding Thoughts: Cybersecurity Awareness
The common thread through all these cybersecurity issues is that – in many organizations – no one wants to take appropriate action until they have to. And this, in the world of cybersecurity, typically means until a cyber incident occurs.
Cybersecurity professionals are tasked with educating business leaders and employees who are unfamiliar with what a threat landscape is or why they need to care about phishing attacks.
Those who work in the industry know that security hygiene is the foundation on which we build. Cyber awareness is really about getting the fundamentals in place within an organization. Following a cybersecurity framework offers a foundation, and once the organization has awareness of what it should have in place, it can build from there. It’s helpful to partner with a cybersecurity vendor who can guide the organization through its security journey and build a framework and program that matches its unique needs.
This is based on a podcast from The Cloud Architects on Cybersecurity Awareness Month. Please find the original post with links for audio and video here: https://lnkd.in/gTsFcxTd