October marks the 11th Annual National Cyber Security Awareness Month, sponsored by the Department of Homeland Security (DHS). The month is designed to engage, educate and bring awareness to cyber risks, which, as DHS so eloquently puts it, “no country, industry, community, or individual is immune to.” The launch of Cyber Security Awareness Month led me to reflect on the cyber market and how significantly it has changed over the last decade-plus.
As a company, Knowledge Consulting Group (KCG) is approaching its fifteenth year as a cyber services provider, and we have seen the changing dynamics firsthand. In conjunction with Cyber Security Awareness Month, we want to share how cyber has evolved, looking at the market from different perspectives over the next four weeks. Here are two major changes that have impacted the market from my point of view:
Elevation of the Cyber Responsibility
From an executive-level perspective, the greatest shift in cybersecurity is the move in focus and responsibility from strictly an “IT issue” to a business function. Look no further than the Target breach and the subsequent resignations of the company’s CEO and CIO to see how cybersecurity has escalated to the C-suite. This was unprecedented 15 years ago, when the primary cybersecurity role of IT was information assurance. So why has the philosophy changed?
The clear answer is the financial impact that a breach can have on an organization. Cybersecurity programs have transitioned from a “nice to have” to a full-blown differentiator for an organization. It is being recognized as a key investment needed to protect not only information and assets, but reputation and shareholder value. And it has to be a clear priority all the way up to the top of the org chart.
In some respects, the government market has been ahead of the commercial space in identifying the need for, and the role of, the C-level in cybersecurity. The Federal Information Security Management Act of 2002 (FISMA) pushed forward the concept of the Chief Information Security Officer (CISO), a new executive focused 100 percent on security. If FISMA defined the role of the CISO and the government elevated its attention to cybersecurity, why did the commercial market not follow?
Simply because it didn’t have to. There was no overarching guidance or regulation that drove compliance. Sure, individual market segments adopted their own governance models, such as PCI for credit card transactions, HIPAA for healthcare and ISO for international IT standards, but there were no consistent, market-wide standards in place to direct executive-level buy-in. Instead, organizations based their security programs on how risk averse they were. That approach has clearly changed, and cybersecurity will only continue to be a focus at the highest levels of an organization.
Full Lifecycle Cybersecurity
The second major trend we have seen unfold is the movement away from a compliance-based approach to cybersecurity toward a full-lifecycle implementation model. IT departments used to view security as a means of checking boxes: is our anti-virus software current...check; did we run our weekly patch program...check; did we adhere to whatever regulations govern our industry (HIPAA, FISMA, PCI, ISO, etc.)...check. As the threat landscape evolved, attacks became more prevalent and the bottom line started to be affected (the Ponemon Institute estimates cyber attacks cost an average of $1 million to resolve). As a result, organizations began taking a holistic view.
Organizations were now forced to consider risk and security together, taking a more strategic look at their enterprise. This included instituting more formal approaches for assessing, planning, building and executing effective cybersecurity programs. It is now about building, maturing and enhancing cybersecurity programs across the full lifecycle: risk management, governance, security operations and, of course, compliance. This holistic approach means that organizations are now looking at each of these components both individually and as part of an overall strategy, including:
- Risk Management: Identifying weaknesses and key risk indicators while aligning with business objectives is critical. Organizations need to implement plans that address cyber risks, security assessment and authorization, continuous monitoring, third-party risk management, business continuity and contingency planning to help mitigate risk.
- Governance: Organizations must clearly define a governance structure, layers of authority and well-defined and communicated policies and procedures. A holistic understanding of key people, processes and technologies is needed to develop a program that aligns to the organization’s culture.
- Security Operations: Organizations must understand and mitigate the vulnerabilities that adversaries may exploit, including reducing the risk and damage profile of an attack. They must develop, implement and maintain methodologies, technologies and processes to defend against and respond to a constantly changing threat environment.
- Compliance: Organizations must also define and implement processes, policies and technologies that comply with regulations, assist with audit preparation and meet industry standards.
The cyber world has a dramatically new look during this year’s Cyber Security Awareness Month than it did when DHS kick-started the initiative 11 years ago. We hope that this article series will provide a look back at that change from varying viewpoints as we move ahead into what is sure to be another evolutionary time in cybersecurity.