Effective cyber risk mitigation requires a holistic mindset-shift

Every day, swathes of global bad actors attempt to attack your critical company infrastructure. It’s a daunting proposition. What’s more, it can be challenging to know where to start regarding security and risk mitigation. However, the solution often begins with going back to basics.

A report from the Center for Strategic and International Studies and McAfee estimates that the cost of cybercrime to the global economy increased more than 50% between 2018 and 2020, reaching over $1 trillion in losses. It reinforces the simple fact that security shouldn’t be an afterthought – it should be an expectation. Organizations looking to create a holistic digital ecosystem need to know how to conduct proper risk conversations within the company.

It starts with a cultural shift

Companies need to master a delicate balance between mitigating risk and enabling new business. Organizations tend to jump headfirst into building a new business – faster, smarter and cheaper – but often forget about baking in security into how they do business. It’s vital that an organization’s security approach is embedded into the cultural and organizational shift. If IT and OT are not being looked at holistically, then there’s a gap. Companies need to transform the organizational ecosystem and culture while ensuring they enlist the support of best-in-breed partners.

For an enterprise that’s moving at a fast pace, it’s easy enough to build security in, but if we look at it differently and go back to the basics – what about training? Have we got the right people thinking in a secure manner? Have we got the right technology streams? Are we baking security into the design? IoT systems for critical national infrastructure require continuous maintenance. Why don’t we build maintenance and security into the same pot?

Unless we really think about building security into how we operate – and challenge vendors to do the same – nothing will change.

Prioritize risks that matter most

Think of a company’s cyber posture like a credit score. By using available data, teams can identify actions to change a company’s risk posture materially. You can’t do everything at once, but teams can determine what can be done in the short, medium and long term to shore up vulnerabilities.

Using the feedback from telemetry, from the information on your cloud, from digital solutions, and on applications also allows teams to converge a view of their organization. From there, they can prioritize changes that can make an impact quickly.

Vulnerability management is absolutely key to prioritization. Understand the vulnerabilities that you have, but don’t chase all of them all simultaneously. Focus on the ones that are actively exploitable today; otherwise, teams can get caught chasing shadows. If it’s not being exploited today, it doesn’t mean it won’t be, but focus on the things that are active threats now to prioritize the immediate risk.

Focus on people

When considering security, it’s important to get your entire organization working and thinking differently, with security forming a critical part of your organization’s culture. Tech teams tend to be hyper-focused on availability and capacity but less focused on doing things in a secured and controlled manner. That’s why there needs to be a focus on the ‘people’ element, as well as policies, processes and technology.

Teams need to learn from mistakes and use the knowledge and data to reprioritize while being aligned to delivering business outcomes – rather than delivering for IT sake. Often, security teams talk about speeds, feeds and widgets, but the business doesn’t necessarily understand tech lingo. Corporate teams want to know about EBIT, the brand and risk elements and, therefore, change the conversation to incorporate metrics and facts that help the organization make decisions and understand how the security and cyber posture enables the business.

It’s vital to ensure your teams are appropriately skilled, which means training is critical. Too often, employees are only trained in reactiveness. However, it’s time to start threat hunting actively – and that begins with training IT and business colleagues.

Unless organizations really think about building security into how they operate, IT security networks won’t evolve. Too often, teams try to manage security tasks in-house or choose a partner that positions security as an ‘extra.’ This kind of legacy mindset needs to be challenged. More than ever, failsafe security needs to be an expectation, not an optional add-on.

Tim Grieveson is Chief Information Security Officer (CISO) at AVEVA.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.