Cyber risk is overlooked, ignored and under-appreciated.
Well, that’s exactly how most information security professionals must feel when trying to raise funds to fix security holes. The challenge we face isn’t the business failing to grasp cyber risk, it’s addressing the communications gap between technical staff and business owners.
In turn, business owners don’t like spending money on anything that doesn’t make them more money. Even insurance is a grudge purchase. I’m never fond of paying a high premium, but if there’s that niggling feeling that I could lose my livelihood and house if I fail to get the right insurance cover, then I kind of accept that.
Mitigating cyber risk is exactly the same. If companies don’t do it, then they could go out of business. But there’s definitely over-confidence in the space, and I often hear “well, it will never happen to us, we’ve just installedanti-virus on all of our laptops”.
So exactly how do you give the business that niggling feeling that encourages them to mitigate security risks ? The reactive approach definitely isn’t the right way, demanding cash after something has happened to plug a hole.
The sales-led approach isn’t the right way, where security suppliers force silver bullets down your throat and you end up buying something to help them meet their sales targets, regardless of how nice it makes your treasured server rack look.
It’s about taking a proactive stance, and dealing withcyber security before something happens; and being prepared to tell security suppliers where to stick their hardware if it doesn’t fit into your security programme.
I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme that fits the business. Fortunately, creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business.
But that still doesn’t mean the business will buy in. We’re missing that niggling feeling. Much as I dislike scare tactics, now would probably be a good time to think about them, with a short, sharp exercise that demonstrates to the business exactly what could go wrong in their cyber world.
Simulate a phishing email. It’s easy enough. Put an EICAR (European expert group for IT-security) malware test file on your CEO’s laptop. Take your CFO’s laptop away for an hour and simulate critical hardware theft. Leave a suspicious package in the mail room. Simulate a web server hack.
These exercises would take less than an hour of the board’s time and, while they won’t get the cheque book out, they willraise awareness over time. Throw in a few fire drills to keep their minds off cyber for a bit. Simulate a flood. The point being, over time, your business can become cyber-aware; and ultimately this loosens the purse strings and gets you that next hire and support for implementing change.
Tim Holman is CEO at 2-sec security consultancy.
