To Governance and Beyond: Cybersecurity as a Journey
How often have you heard someone say “Cybersecurity is complicated!”?
If you’re a practitioner in the cybersecurity industry you’ll have heard these words often, probably along with “…and it’s really boring too!”
Complex, not complicated
Let’s start with the first statement.
In truth, cybersecurity is a complex topic, but that doesn’t mean it has to be complicated. Any programme of change will appear to be complex and confusing if there isn’t a clear process or project in place. I often say it’s like trying to find your way across a busy city without a map – there are many (complex) routes you can take, but it’s not complicated. You just need to find your way from A to Z, which is always a lot easier if you have a map, a guide, and the right tools for the journey.
But our (virtual) cities are increasingly complex because they have been created that way. Over many years of change and innovation, our networks and systems have been upgraded and updated to keep up with the demands of business and customer needs. This has led to a situation where we have created gaps within our infrastructure (both virtual and physical). These then become windows of opportunity for cybercriminals or for data to slip through, unguarded and unprotected.
This complexity leaves us feeling lost and out of control, and unfortunately the issue of data breaches and incidents isn’t going away any time soon.
The size of the problem
As most practitioners and casual observers are aware, cybercrime and data breaches have continued to rise throughout the COVID-19 period. Recently, Verizon released its annual Data Breach Investigations Report 2021, stating there were 1,037 incidents that affected small companies of less than 1,000 employees. The pattern of attacks included System Intrusion, Miscellaneous Errors, and Basic Web Application Attacks. These represented 80% of the breaches.
Although these statistics are interesting, they seem pretty low considering how many organisations there are and how many devices we use. What we must keep in mind is that these are the reported breaches. They are the incidents that are significant enough that organisations are aware of and therefore compelled to notify their customers or the general public about. Often, these statistics are made up of organisations who are willing (or compelled) to notify a central governing body, such as the Information Commissioners Officer (ICO), or the Financial Conduct Authority (FCA).
Therefore, I believe the true number of incidents is, in all probability a lot higher.
But what about the organisations (large and small) who aren’t aware of the data breaches and incidents that are happening each and every day. According to IBM’s 2020 Data security report, it can take businesses up to nine months (280 days) to detect and contain a breach.
As the size of the business and organisation increases, this problem grows exponentially and leads to a lack of control.
So what can be done about this complex issue that has hidden depths and issues to resolve?
Governance and Control
To improve cybersecurity, many organisations are now turning to a more centralised Governance, Risk, and Compliance (GRC) approach. In part, this is driven by the recognition that cybersecurity is no longer seen as an IT issue, but a business risk.
A good GRC framework incorporates the majority of areas of the business and helps bring about structure and control over different areas of risk, not just IT and cybersecurity.
For example, a GRC framework can help you establish a programme that allows you to consider risks related to;
- Business Continuity & Disaster Recovery
- Customer Services
- Data Protection
- Facility Management
- Health & Safety Management
- Human Resource Management
- Information Security (a.k.a. cybersecurity)
- IT Management
- Quality Management
- Risk Management
- Supplier Management
The Governance Institute defines Corporate Governance as the;
“system of rules, practices and processes by which a company is directed and controlled.”
Employing a governance framework to your security programme will ensure you make the right decisions based on clear objectives and have a clear roadmap for the journey ahead. It allows you to make coordinated decisions on appropriate tools and technologies to deploy that will help manage and monitor threats and vulnerabilities in both your virtual and physical infrastructure.
Conclusion; To Governance and Beyond
At the start of this blog I said that a common complaint about cybersecurity is that it is boring. I believe there are several reasons for this (which may be a topic for a later blog), but the primary reason is that people do not see its relevance.
We can discuss the statistics and the chances of the breaches occurring all day long. But, if people (and organisations) don’t understand what it means to them and how it impacts them personally, then they will become disengaged. They will become bored of the same old messages on topics that they see as unimportant. Yet, as demonstrated by the disruptive aftermaths of some of the biggest breaches, such as those that occurred in the 2017 WannaCry attack, bringing many health care facilities, as well as manufacturing, and at least one shipping organisation to a standstill, the messages can have vital importance. These attacks are not ancient history, as more recent attacks have temporarily crippled similar business operations.
A good GRC framework brings everyone into the conversation and brings them on the journey. Ultimately it leads to a more resilient organisation, one that has the ability to anticipate, prepare for, respond, and adapt to incremental change and sudden disruptions. The purpose of GRC is to ensure that when faced with challenges, the organisation can survive and prosper.
The Governance Institute states that “good governance is important as it provides the infrastructure to improve the quality of the decisions made by those who manage businesses. Good quality, ethical decision-making builds sustainable businesses and enables them to create long-term value more effectively.”
I believe this is why successful organisations implement governance frameworks to oversee their cybersecurity and data protection processes. It provides a structure to improve decision making based on known threats and vulnerabilities. It leads to good quality and ethical decisions surrounding the use and management of data.
Without governance and controls in place, it’s not only like trying to navigate across the city without an A-to-Z; It’s like trying to cross the ocean without a compass.
Tripwire’s full suite of security products can help your organisation to prevent, detect, and respond to cybersecurity events. Whether it’s configuration management, file integrity monitoring, managed security from the cloud, or event log management, let Tripwire be your partner in reaching and surpassing your security goals.
About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
