#infosec16: keep your cybersecurity strategy simple to win
Infosecurity Europe 2016 highlighted a great variety of emerging cybersecurity threats. Keeping things simple can help CISOs a lot.
Last week I had a pleasure to meet a lot of great people, cybersecurity leaders and visionaries in London’s Olympia, where Infosecurity Europe 2016 took place.
While companies are buying Bitcoins in advance to pay ransom to cybercriminals, ransomware hackers blackmail U.S. Police departments, cybersecurity experts and vendors were calmly discussing current and emerging cybersecurity threats in comfortable lounges and halls. It was remarkable that the usual Advanced Persistent Threats (APT) saga was outshone by the Internet of Things (IoT), connected humans and similar topics.
It’s difficult to argue with Ars Technica that Infosecurity Europe surely confirms one thing: there is still a lot of cash in the cybersecurity industry. For the moment, vendors definitely have cash: in 2015, the total annual venture capital funding in cybersecurity increased by 76% to $3.34 billion. However, rivers of free alcohol almost on every second stand, expensive gifts and exciting contests may also indicate an alarming fact: getting new leads and customers becomes a tough job for the cybersecurity vendors. Already at the beginning of this year, WSJ said that investors are becoming more prudent and careful when investing new cash into cybersecurity startups, offering almost half the cash that was available in the past.
Several friends of mine, holding CISO roles in European companies, who attended the event, revealed that every year it becomes more challenging to make a right choice between the growing number vendors offering very few technology differentiators between their products and services (at least in their marketing materials). Often exaggerated, emerging cyber threats definitely don’t make the situation easier for cybersecurity decision makers.
Jan Schreuder, partner, cybersecurity leader from PwC Switzerland, comments: “CISOs are under increasing pressure from many different angles. Cyber attacks are becoming more sophisticated every day. Boards and senior management are asking more demanding questions about security, and there is a wave of new regulations and increased scrutiny from regulators. Security also needs to enable the rapid digitization of business, a fast changing IT environment, and the adoption of cloud and mobile computing. At the same time relentless cost pressure is driving increasing business model transformation, outsourcing, offshoring and automation - all of which bring new security challenges. In this environment it is important for CISOs to have a clear risk based strategy to prioritize their efforts, and to ensure that their security budgets are spent effectively and efficiently.”
In mathematics, every problem can be solved quicker if broken into several smaller parts. The cybersecurity milieu is not an exception - if you break it into clear consequent parts – your life can become much easier:
Identify your digital assets
If you don’t have a comprehensive view of your digital assets - you will never be able to protect them. Moreover, one single overlooked system or outdated web application can be used by cybercriminals to get your crown jewels. Therefore, information security should start with a comprehensive digital assets inventory, including software, hardware, users and data (including data in cloud and on mobile devices).
Conduct a holistic risk assessment
The second step is to identify, assess and prioritize all cyber risks applicable to your particular company and your business processes. Make sure that you involve as many stakeholders into the process of risk identification as possible: from internal and external experts to law enforcement agencies and even competitors – they can share some very helpful insights about the latest attacks in your industry. Keep in mind that no security standard or compliance, such as PCI DSS, can replace holistic risk assessment.
Make vendors compete in a result-oriented RFP
Once all the risks are properly identified and prioritized, it’s the right time to mitigate them. Gartner’s Magic Quadrant is great criteria to select vendors, however market leaders may all fail in your particular environment. This is why it’s extremely important to conduct an RFP that will enable vendors to demonstrate how they can solve your particular problems in your premises. What works for others – will not necessarily work for you, therefore don’t make a decision before you try a product. A practical and pragmatic approach to vendors can also simplify ROI calculation and cybersecurity budget justification.
Assure continuous monitoring
Black Hats are your main competitors in continuous monitoring: if you miss a recently disclosed zero-day – they won’t. Therefore, it’s vital for your business continuity and security to get instant notification about any changes, incidents or other anomalies in your network. Also make sure that for each type of problem you a have at least two contacts (internal or external) to address the issues in a timely manner.
Finally, don't forget to register for Infosecurity Europe 2017 and keep your cybersecurity simple: divide and conquer.