How the times have changed. Fifteen years ago, cyber-security consisted of making sure an anti-virus program was running on your machines. Whether it was effective hardly mattered; its presence alone was enough to satisfy the security requirement. Phishing, ransomware, data breaches, and compliance obligations all existed, but we never treated them as a primary concern. Today's threat landscape is quite different. Well-funded, sophisticated attackers leveraging AI operate alongside script kiddies deploying off-the-shelf ransomware kits, and we have to ensure that our internal data, intellectual property, and client data are all secured in an environment that is both regulated and constantly changing. The result: more breaches and thefts, rising ransom demands, and more operational disruption. For some time, I have wanted to create a starting point to help us CTOs navigate these turbulent waters, and here is what I have come up with:
Pick a Security Framework — Even if you do not need to satisfy any compliance requirements, pick a framework that is modern and kept up to date. A few examples are HITRUST CSF, SOC 2, ISO 27001, and NIST CSF. Working against a framework forces you to build an overall security plan that covers the full breadth of threats modern companies are exposed to, rather than the one or two you happen to have thought about. We are often too optimistic about our own weaknesses, so we settle for a sub-par security program that only protects against one or two of the vulnerabilities attackers will be looking to exploit. My preference would be either HITRUST or SOC 2, as both are assessed by an independent third party against defined controls, so your standing can be measured objectively rather than self-declared.
Budget for Security Expenditure — As cybercrime becomes more prevalent, regularly updating and testing your technology assets is crucial, and that costs money on an ongoing basis, not as a one-time purchase. You never want to be caught sleeping, unable to mobilize quickly in the event of a breach or an attack. Having a coherent, costed plan in place lets you have an informed conversation with your management team about the benefits of security investment and the risk you are accepting when it is deferred.
Create Policies and Procedures — I never wanted to believe our company could be the victim of cybercrime, especially after we had invested a healthy sum in security technology. Unfortunately, the largest security weakness in any enterprise is usually its people, and technology alone does not address that. Having written, enforced policies and procedures for access control, password management, endpoint protection, patch management, handling of spam and phishing email, and employee offboarding and termination goes a long way toward tying up the loose ends in your overall security environment.
Measure Against Industry-Standard Compliance — If you are required to comply with a specific security or regulatory framework, how do you actually fare against its guidelines? Try to assess yourself objectively, control by control, rather than on an overall impression. Whether it is HIPAA, PCI DSS, GDPR, or something else, I have seen too many companies and too many people be over-optimistic about where they really stand. As technologists, we do a disservice by assuming risk and compliance away, and we also put our accreditation, and therefore the enterprise itself, in jeopardy.
I hope this serves as a starting point for my fellow CTOs. Two things to keep in mind:
- Attackers are looking for any and all vulnerabilities they can use to earn a quick payday; they do not need the hardest one, only the one you left open.
- You may not want to believe it, but you do have sensitive data, and someone is willing to pay for it.