As we move into 2023, it’s a good time to ask: How are we doing on the security front? Are we at all close to reliably securing our organizations against cybercrime?
On the positive side, the security community is getting more organized and sophisticated about how to detect and combat threats. We also see a heightened security awareness in the business and private world, and a willingness to take action. Most boards I interact with, for instance, need no convincing that there is an issue — we’re well beyond that. Most companies are taking important steps to shore up their defenses, lower their risk and establish sound strategies.
At the same time, there seems to be no end to stories about organizations financially hurt by ransomware, embarrassed by intrusions that exposed their data, or breached through employees' stolen credentials.
On the whole, I would say we’re definitely getting better, that we are indeed making progress on the cybersecurity front. Unfortunately, that doesn’t mean we’re there yet. In fact, we probably have quite a ways to go.
There’s no need to be discouraged, however. Those never-ending stories about attacks merely underscore the need to be more vigilant, and all of the steps toward better cybersecurity are definitely doable. Here are four impactful ways to start making faster inroads against cybercrime today:
- Learn how to manage complexity. Complexity is the primary security challenge I see most organizations facing. Before the cloud, security strategy was relatively simple: everything inside the organization's perimeter was trusted and everything outside was not. We now recognize that threats exist inside the perimeter too, and the single, clearly delineated perimeter has fragmented into micro perimeters around each of the SaaS and cloud services we consume. On top of that, most environments still run legacy applications that need protection. Managing this complexity means knowing what all of those environments are and making sure the controls around each of them are actually in place. It also demands a kind of diligence we have never had to exercise before.
- Build in security from the get-go. One thing that helps manage that complexity is treating security as a native requirement while developing all those great new services we benefit from: defining what role security needs to play, how critical one application or service is relative to another, who should and should not have access to it, what kind of data belongs in it, and how that data should be stored and managed in compliance with the latest rules and regulations. This approach is not easy. It requires more thinking and diligence up front, but it is eminently doable, and the overhead is small compared with the benefit.
- Understand the cyber risk to your organization. As I've said, most companies really do understand the importance of cybersecurity. What they often do not understand is exactly how a cyberattack would affect their particular organization: the financial and other consequences if something goes wrong. This challenge is really about managing risk rather than managing security. The answers are specific to each organization and require knowing the company's overarching risk and where controls are needed, including in the supply chain.
- Focus your investments. Most organizations believe they need to spend more money on security, but many don't know exactly what they should spend it on. Really grappling with the complexity and understanding your specific risks is what gets the biggest bang for each security buck. Interestingly, I've often found that organizing the company to understand where to focus investment is almost as big a challenge as actually making that investment. Again, it requires real diligence in determining what is at risk, who can access what, and how to build the monitoring that reveals what is really going on. That process doesn't necessarily require an investment in itself, but it is critical to getting the best return on the investments you do make.