Balancing cyber risks and rewards
Pete Shoard, Head of Cloud Product Development, Orange Cyberdefense
According to TalkTalk’s CEO, Dido Harding, “in the digital world, all criminals have access to the equivalent of a Kalashnikov and an atom bomb”. The Kalashnikov seems somewhat redundant, but the point is well-made: criminals are well ahead of security professionals in today’s cyber arms race. Confusion, recrimination and the soft ‘thump’ of heads rolling off mahogany boardroom tables seem to be the inevitable consequence of a breach today.
However, while being compromised is certainly a question of when, not if, senior executives needn’t find their jobs at risk after the worst happens.
Risky business
The danger of being compromised should be regarded as the price organisations pay for the huge business opportunities in the online world. Like all business risks, cyber risks can be assessed, prepared for and mitigated to an acceptable level – but only with full visibility and control over your security posture. For organisations that depend on a patchwork of security devices, created by many years of investing in new boxes to ‘solve’ the cyber challenge, this is easier said than done.
The average enterprise now has over 40 disparate security systems, resulting in millions of uncorrelated logs and alerts that most security teams can’t even find the time to review, let alone interpret. Far from solving security, this tidal wave of data actually makes it harder to see the threats that matter and defend organisations successfully.
Meanwhile, the best cybercriminals are experts at exploiting the dark gaps between these myopic technology silos to infiltrate networks. Taking firm control over cyber risks demands a new approach: Threat Intelligence. By understanding where vulnerabilities exist and the critical assets to protect, as well as the current threat landscape, the C-suite can take appropriate steps to defend against the disruption, lost revenues and regulatory fines of a compromise.
To put it another way, if the biggest threat to a nation state is from the air because it’s an island, there’s no point investing in a huge fence; you should be building anti-aircraft guns instead. Threat Intelligence allows CEOs to focus their limited time, money and resources on the most important areas. As a business, you need to understand what you have that attackers might want to steal, what it’s worth, how its loss would affect your revenues and which attack paths criminals are most likely to follow.
Invaluable intel
As Dido Harding told the Commons Select Committee on Cybersecurity, “don’t delegate security – it’s a board issue and a business issue”. With access to actionable, real-time Threat Intelligence, businesses of all sizes can make more informed decisions and selectively prioritise security risks.
The most dangerous and relevant threats can be proactively defused and scarce resources focused where they’re needed most. This granular visibility and control also allows the C-suite to tailor the right level of Cyber Insurance, further reducing the danger of a catastrophic compromise. By understanding their internal vulnerabilities and external threats – alongside other factors like geographic location, industry sector and technology types – the C-suite is far better positioned to gauge where the next breach will come from, what the fallout will be and which level of cover is appropriate. Of course, creating actionable Threat Intelligence isn’t easy; it demands access to expert people, robust processes and cutting-edge Big Data technologies.
No business should attempt to buy in and self-manage a Threat Intelligence solution. Instead, invest in a provider that offers an extensive cloud-based service that’s managed on your behalf, and which you can consume on a pay-as-you-grow basis. Recent events have shown us that there’s nowhere for the C-suite to hide when it comes to cyber culpability. These risks must be faced head-on and tackled at a business level, not a technical one. That said, with actionable security insights tailored to their individual businesses, perhaps CEOs can finally take their heads off the chopping board and focus more on the rewards of the online world, rather than the risks.