Cybersecurity professionals know that security cannot be a bolt-on process or technology. I also believe that merely including the security team rarely goes far enough. To be effective, security should be ingrained and pervasive. Given this commitment, there is at least one primary question that every organization should be asking about cybersecurity. That question is simply “Why?”
Not only should this question be asked at the organizational level, it should also be asked by individuals who are taking on security-related roles within an organization. Some would think that the answer is simple or obvious. In many cases it is, but the complete answer will differ from organization to organization and with the type of organization. What is important is that the organization itself agrees on the answer to this question.
Relevant answers to the “Why?” question might be any or all of the following:
Governance—Specific regulatory requirements that the organization must meet. When these exist, they are often treated as a top priority and as a baseline requirement for transacting business.
Cost/Expense—This can be direct and/or indirect. A direct example is the typical ransomware scenario. An indirect cost could result from business or transactional systems being offline (DoS/DDoS), or it could be a consequence of some other problem created by inadequate cybersecurity (e.g. failure to comply with a regulatory requirement may impact the ability to do business). If this is one of the identified factors and it sits near the top of the priority list, the organization will probably look more intently at the cost versus the benefit of each component of its cybersecurity program.
Business Ethics—The organization’s stakeholders want to do what they believe is proper when handling the data they are responsible for.
Reputation Risk—Negative publicity due to improper handling of data can be detrimental to the business by decreasing consumer confidence.
Business Enabler—A particular cybersecurity posture or set of capabilities may give the business a unique value proposition (possibly an advantage over its competition).
Preempting/Preparing for Litigation—Incidents can and will happen. In some cases the aftermath lands an organization in court. Minimizing the likelihood of incidents decreases the likelihood of litigation. Preparation also demonstrates due diligence, which can be beneficial when a case does go to trial.
There could be many other reasons, and the priorities will vary from business to business. What matters is that the organization lists and prioritizes these drivers so that everyone agrees on what is motivating the security program. It is on this common understanding that an adoptable and relevant security program can be developed and implemented.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.