There is a lot of misplaced fatalism in the cybersecurity arena. It centers on two common perceptions that are, in my experience, simply not true.
First, that a breach is inevitable over time. Second, that the cost in time and money to prevent a breach is extraordinarily high. Neither needs to be true for you and your organization. Let's take each in turn.
Must a Breach Be Inevitable?
When you look at the causes of security incidents (events that violate a company's security or privacy policies and put data at risk) and of breaches (events in which data is actually accessed by an unauthorized party), the vast majority trace back to three primary causes:
- Failure to install security patches,
- Internal provisioning and permission errors, and
- Human error.
Sure, when reading about data breaches you might see eight, ten, or fifteen reasons listed, but each of those reasons fits into one of these three buckets. Address these three areas, and the probability of an incident or breach becomes very low.
In fact, I would propose that there is really only one bucket: human error. It is a human who is in charge of making sure patches are installed, a human who provisions access for employees and others, and a human who clicks on a phishing email or on that cute picture on the web that triggers malware. If these actions are taken correctly, or the opportunity for them is eliminated, the chances of an incident or breach are vanishingly low.
I do not want to opine on the technical strategies used on the front lines of cybersecurity at the firewall and beyond. But I can safely say that a well-managed security process can lock down your internal assets and data to help minimize or eliminate the risk that an intruder gains unauthorized access and successfully exploits your environment. Unfortunately, too many organizations rely too heavily on the Maginot Line of the firewall. And we know how that strategy worked for the French.
Cost to Secure: Extensive time and money vs. efficient tools
To be secure, an organization must make security part of its culture, as natural as locking your car doors. For that to occur, the information security scheme and process have to be simple, understandable, and robust. InfoSec has to be less Linux and more Apple. Implementing an Information Security Management System (ISMS) is the first step in this process. As demand has grown for ISMS tools, and for tools supporting its data privacy sibling, the Privacy Information Management System (PIMS), products have come to market that are far more user friendly and cost effective than in the past. Today, every organization has the opportunity to operate securely, at an "industry best practices" level, at a reasonable cost.
What does this look like? The biggest resource cost is developing policies and controls and linking those processes and requirements to the assets of the company. There are now "out of the box" solutions that come preconfigured with a library of ISO 27001-aligned policies and a questionnaire that tailors them to the organization's needs. Once assets are uploaded, the questionnaire is completed, and the resulting controls are in place, the organization has an infrastructure that is ready for ISO 27001 (ISMS) or ISO 27701 (PIMS) certification. Ready is the operative word: ISO 27701 is an extension of ISO 27001, so a PIMS presupposes a working ISMS, and certification under either standard still requires an accredited external auditor to confirm that the documented controls are actually operating, not merely written down. The company can manage the system itself, or it can be managed through an outsourced service, such as ISM as a Service, CISO as a Service, or DPO as a Service. As the organization grows, it can bring those functions and responsibilities in-house as it sees fit.
In today’s world, demonstrated robustness of information security and data privacy through ISO 27001 and 27701 certifications has become table stakes. And as various regulatory schemes – GDPR, CCPA, and others – proliferate, adoption of an understandable, holistic information security system becomes a competitive advantage.