Jason is the Principal Cyber Risk Advisor at Dragos & a certified SANS instructor for critical infrastructure protection.
In 2017, I wrote about the top three cybersecurity tasks for any board. Aimed at executives, the article was intended to provide high-level guidance to prioritize cyber risk, based on financial impacts and evaluating security controls. Over the years, I have noticed that while discussions around cyber risks across boards have increased, there are still several gaps in maturity to manage these risks. Increasingly, executives are asking what the best investments for a security program are.
A Guiding Motto
It is important to understand the challenges that organizations face in managing cyber risk. There is no silver bullet to cybersecurity; it requires constant nurturing. And, similar to safety or legal risk management, it is difficult to measure return on investment. When combined with a cacophony of vendors, industry standards and limited resources, it is no wonder prioritizing security investments is so difficult. To help organizations, there is a simple guiding motto:
“Prevention is ideal, but detection is a must.”
But detection without response is of little value.
Automatically, this helps prioritize investment around visibility into critical networks, analyzing traffic and devices for abnormalities, and understanding how to respond.
Unfortunately, many organizations chase the myth of impenetrability, focusing on the ideal of preventing every cyberattack. Investing in systems hardening and preventive controls is important. But detection is what ultimately identifies security incidents, and earlier identification can lead to a quicker recovery and reduced financial impact from a cyberattack.
Why Training Is Critical
That does not mean that everyone should immediately purchase a security information and event management (SIEM) platform. Technology in and of itself cannot manage cyber risk. There is no “set it and forget it” application or off-the-shelf solution I know of that manages the range of security problems that organizations face. Without a trained team of security professionals, tools like SIEMs will only go so far. Dollar for dollar, investing in training and awareness for your employees can have the most positive impact on minimizing cyber risk and the potential consequences of cyberattacks. At the end of the day, an educated and trained workforce can be a Swiss Army knife for growing and maturing your cybersecurity protections, and employees can adapt to new threats better than any technology platform. For example, in between routine security tasks, a trained security professional should:
• Inventory assets and systems that need increased protection.
• Create baselines of “known good” for each system to help identify abnormalities.
• Sustain and grow current cybersecurity efforts, including installing new security appliances and programs.
• Write security governance documents, policies and procedures, including incident response.
• Create operating plans based on new threats and technologies, with proposed budgets.
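The first two tasks above, an inventory of the systems that need protection and a “known good” baseline per system, are what make abnormalities visible later. The following is an added example, not code from the author or from Dragos, showing one way a team might encode such a baseline and compare a later inventory sweep against it. The asset records, hostnames, port numbers and firmware hashes are constructed sample data, and the `Asset` structure and `compare_to_baseline` function are this example's own assumptions about how an inventory is represented.

```python
"""Known-good baseline comparison for an asset inventory (added example).

The baseline and the observed snapshot below are constructed sample data,
not records from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Minimal description of one inventoried system (hypothetical schema)."""
    hostname: str
    role: str
    listening_ports: frozenset  # TCP ports the asset was seen listening on
    firmware_hash: str          # identifier for the installed firmware/image


# Constructed "known good" baseline: what the trained team documented.
BASELINE = {
    "plc-01": Asset("plc-01", "controller", frozenset({102, 502}), "fw-aaaa"),
    "hmi-01": Asset("hmi-01", "operator-station", frozenset({3389}), "fw-bbbb"),
    "hist-01": Asset("hist-01", "historian", frozenset({1433}), "fw-cccc"),
}

# Constructed snapshot as a later inventory sweep might report it.
OBSERVED = {
    "plc-01": Asset("plc-01", "controller", frozenset({102, 502, 23}), "fw-aaaa"),
    "hmi-01": Asset("hmi-01", "operator-station", frozenset({3389}), "fw-dddd"),
    "eng-99": Asset("eng-99", "unknown", frozenset({445}), "fw-eeee"),
}


def compare_to_baseline(baseline, observed):
    """Return a sorted list of (hostname, finding) tuples describing deviations.

    Four kinds of abnormality are reported: a baseline asset that disappeared,
    an asset never recorded in the baseline, newly opened listening ports on a
    known asset, and a firmware or role change on a known asset.
    """
    findings = []
    for name in baseline.keys() - observed.keys():
        findings.append((name, "missing: baseline asset not observed"))
    for name in observed.keys() - baseline.keys():
        findings.append((name, "unknown asset: not in baseline inventory"))
    for name in baseline.keys() & observed.keys():
        before, now = baseline[name], observed[name]
        new_ports = now.listening_ports - before.listening_ports
        if new_ports:
            findings.append((name, f"new listening ports: {sorted(new_ports)}"))
        if now.firmware_hash != before.firmware_hash:
            findings.append(
                (name, f"firmware changed: {before.firmware_hash} -> {now.firmware_hash}")
            )
        if now.role != before.role:
            findings.append((name, f"role changed: {before.role} -> {now.role}"))
    return sorted(findings)


if __name__ == "__main__":
    # Each finding is a candidate for triage by the security team.
    for host, finding in compare_to_baseline(BASELINE, OBSERVED):
        print(f"{host}: {finding}")
```

Run against the sample data, the comparison flags the unrecorded `eng-99`, the missing historian, a firmware change on the operator station and a new listening port on the controller. The point of the structure is that the baseline is a document the team owns and reviews, so every deviation maps to a question a person can answer rather than to an opaque alert.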
That is not to say that a singular employee could do all these tasks. At this point, it should be apparent that we are talking about investing in a team to manage security. A team can adapt to the needs of your business. But, most importantly, trained security professionals can understand how to apply industry standards and where to deploy new technologies. I believe training these professionals, including investing in certifications, is the best initial investment any organization can make in cybersecurity.
Incident Response For A Rainy Day
No matter what controls are in place or how well trained and invested your team is, every organization will one day have to manage a cybersecurity incident. As detection capabilities increase, it is common for organizations to, well, detect things — especially in older systems, including industrial control systems. It is unsurprising, then, that a key investment should lie in improving incident response capabilities. Originally, this may be an incident response retainer specific to your environment — it could be a simple phone number for someone to call when something goes awry. And, over time, this could mature into stand-alone incident response teams that can triage and respond to events internally, with escalation criteria and trend analysis. The specific capabilities and teams should grow based on cyber risk.
One of the great things about building incident response capabilities is the ancillary skills a security organization develops as a result. In order to effectively respond to a cybersecurity incident, a team needs to understand the system, threats and operational impacts associated with an event. This can then, in turn, help further develop cyber risk management capabilities for boards and executives by feeding additional information into the process. It’s a win-win in terms of maturing the overall resilience of an organization and education around cyber risk.
Investing in cybersecurity is a difficult task. In a 2018 report from Gartner (via Integrity360), security only accounted for 6% of spend in information technology on average, when it should likely be closer to 15% of the overall budget for some companies. That said, surveys and averages can often be misleading because they do not consider the overall revenue of the organization or system impacts due to a cyberattack. And this does not take into consideration factors associated with industrial firms, such as critical infrastructure, which usually sit outside of corporate IT governance. Industrial control systems or operational technology (OT) need to have specific cybersecurity protections, which have their own specific risks. That said, both IT and OT can leverage the same motto and priorities outlined above. For each program, investment should follow these three areas:
1. Detection: Understanding cyber risk and responding to incidents requires visibility into critical networks (IT and OT), as well as understanding normal operations to examine abnormalities and actively identify threats — potentially minimizing the impacts due to a cyberattack.
2. Workforce: A trained and flexible workforce can be a jack-of-all-trades investment for an IT and OT cybersecurity program, providing analysis and helping to grow and sustain the entire program.
3. Response: Knowing what to do during a cyberattack can be the difference in system downtime and overall impact, even if it’s just knowing what number to call.
When combined with the top three cybersecurity tasks for boards, these investment areas can provide a winning strategy for improving cybersecurity and business resilience for any organization.