As the threat landscape becomes increasingly complex, it is critical to take a priority-based approach to cybersecurity. Budgets to finance cybersecurity investments and operations are always limited in both private- and public-sector organizations. Nonetheless, firms need to protect both their own private concerns (growth, profitability, competitiveness) and exercise fiduciary responsibility towards safeguarding customers, investors, employees, public stakeholders, and governments from cybersecurity attack.
Since trying to 'protect everything protects nothing,' companies need to set and follow priorities regarding what assets to protect, what threats to defend against, and where to spend and invest in cybersecurity countermeasures.
The first hurdle to overcome in protecting an organization’s crown jewels is to bridge the gap between business leader and cybersecurity expert perceptions of what organizations need to protect. A study by the Economist Intelligence Unit reveals significant differences in how business and cybersecurity leaders perceive the cybersecurity agenda.
| Asset | Business Leaders | Cybersecurity Leaders |
|---|---|---|
| Our reputation with customers | 25 | 16 |
| Private intra-company communications | 14 | 6 |
| Strategic plans and communications | 12 | 7 |
| Applications and services | 8 | 14 |
| Product specifications and pricing | 6 | 1 |
| Liquid financial assets that could be stolen | 1 | 1 |
Organizations face multiple and constantly mutating threats to crown jewel assets. While the following list may seem like old news to many readers, it’s important to recall just how many things can go seriously wrong on the cybersecurity front:
Not all threats are created equal. Threat defense priority setting weighs the potential economic damage a threat poses against the cost of effectively combatting it. Even then, the cost of completely eliminating a threat can prove far higher than the cost of reducing it to what the organization considers a tolerable level. For example, an organization might accept two or three spam messages a day reaching employees if eliminating 100% of spam costs twice as much as reducing it by 99.9%. Here, it would be much less expensive to send employees regular emails reminding them to ignore any spam that reaches their inbox.
While I don’t want to appear to “blame the victim” for poor security outcomes, it’s important to recognize that more cybersecurity risk factors originate within organizations than from external causes.
Internal vulnerabilities that weaken organizations irrespective of the external threat environment include:
It doesn’t help that external factors can also generate additional vulnerability risk factors:
To paraphrase the old saying, organizations need to recognize the risk factors they can and must change, to accept the ones they can only defend against as best they can, and to have the wisdom to know the difference.
Cybersecurity attackers vary widely in their levels of expertise and objectives. The following table summarizes the major species of threat actors, motivations, and objectives:
| Threat Actor | Motivation | Objectives |
|---|---|---|
| Unsophisticated Attackers and Script Kiddies | Self-Gratification | Amusement, Experimentation, Nuisance, Mischief |
| Sophisticated Attackers and Hackers | Access Valuable Information | Money, Embarrassment, "Hacktivism" |
| Malicious Insiders | Financial Gain and Revenge | Operational Disruption, Stock Price Manipulation, Extortion |
| Criminals, Organized and Freelance | Financial Gain | Cash, Credit Card, Identity Frauds, Ransomware, Insider Info |
| State-Sponsored Attacks; Cyberterrorists | Espionage and Cyberwarfare | Political and Technology Espionage, Sabotage, Public Infrastructure Attack, Military Objectives |
In general, unsophisticated attackers, hackers, and insiders deploy well-known threats and attack methods that should be relatively easy to intercept and defeat. As the actor class moves up to more sophisticated criminal, terrorist, and state-sponsored attackers, the likelihood rises that they will deploy zero-day and previously unknown threats.
One thing to consider in crown jewel priority-setting is that, even if your organization does not hold information valued by a sophisticated criminal or state-sponsored attacker, they could target you as a springboard into other organizations they would like to penetrate. Such was the case of the heating and ventilation contractor whose computers were used as a vector to breach debit card transaction customer data held by a major home improvement store chain.
As mentioned above, it’s extremely important for an organization’s business decision-makers and cybersecurity experts to achieve alignment and mutual understanding regarding cybersecurity roles, responsibilities, and priorities. Establishing and maintaining a successful partnership begins with clear understanding of who’s responsible for what both on the business and security sides of the relationship.
Here, business leaders will take responsibility for:
In return, cybersecurity leaders need to:
Most important of all, business and cybersecurity leaders need each other to effectively carry out their responsibilities. Business leaders simply cannot set priorities, goals, and budgets without information and advice from their cybersecurity experts. Cybersecurity leaders need business executive understanding and buy-in to be effective in their roles. Although business and cybersecurity leaders respect each other’s distinctive roles, neither performs their work in a silo.
Finally, taking a priority-driven, crown-jewels approach to cybersecurity strongly argues for a security fabric-based security operations and investment program. The only constant in business and cybersecurity is change. Business goals, processes, priorities, market conditions, organizational structures, and stakeholder communities change at an accelerating pace. The velocity of threat “innovation” speaks for itself. In the meantime, the world is undergoing a fourth industrial revolution as digital technologies transform every aspect of economic, political, and social relationships.
As the world changes, cybersecurity programs and processes must change with it. But in many ways, how fast a cybersecurity program changes is not as important as the ability to execute change with as little friction as possible. The kind of change that involves a constant cycle of reinvestment, rapid depreciation, and forklift replacement of cybersecurity hardware is becoming increasingly unsustainable. It is far better to execute change from a technology base that has enough developmental headroom to cope with expected future performance demands and that can add new features and capabilities in software.