There’s an interesting trend that I have personally noticed over the past few years: organizations are starting to take cybersecurity more seriously. With the multitude of high-profile data breaches, organizations are starting to realize that cybersecurity is a significant risk to the business. As a result, CISOs and other security leaders are being given larger budgets for people, process improvements, and supporting technologies.
Maximizing Your Cybersecurity Investments
Organizations can direct that budget to many different initiatives in the hope of improving their overall security posture, but not all investments are equal. Even a well-intentioned investment will fail to improve an enterprise-wide security posture if it is directed at the wrong problem. The key, then, is to invest deliberately rather than buy the latest promised silver bullet; there are no silver bullets in security. A strong posture starts with the basics: knowing what assets are on your network, ensuring they are configured securely, and confirming that vulnerability risk is mitigated or remediated. These are the same controls that head the CIS Critical Security Controls list, and for good reason: detection and hunting tools are only as good as the inventory and configuration baseline they are measured against. Once this foundation is in place and operating efficiently, organizations can move on to more advanced threat detection and hunting capabilities.
The Stumbling Blocks – Current and Future
Establishing a solid security foundation doesn’t come without obstacles. Just as in any sport or activity, a solid grasp of the fundamentals is what leads to success. More often than not, however, staff and students are taught how to break into things or how to detect attacks before they are taught how to keep an asset inventory up to date, keep system configurations secure, and make sure vulnerability risk is actually mitigated. Organizations should partner with both industry experts and their vendors to keep their staff current on the nuances of managing risk.

Sometimes the best decision isn’t to remediate all of the risk. Rather, it is about what will provide the greatest return on investment while the organization knowingly absorbs the effect of leaving certain risks unmitigated. The important word is knowingly: a risk that is accepted should be recorded as an explicit decision, with an owner and a review date, rather than left in a backlog and forgotten.

There is also the issue that the security basics aren’t easy just because they are simple. For example, keeping an up-to-date asset and application inventory can be a daunting task as a business evolves. New applications are constantly being developed and updated while the infrastructure expands, so the number and variety of devices that could pose a security risk keep growing. The security team therefore needs a process that lets the business stay nimble while ensuring that new risks are identified, mitigated, and kept under control.
Building a Qualified Security Team
Of course, a security team cannot mitigate risks and keep them under control without skilled, competent team members, so organizations need to focus on building a qualified security team. Many organizations already know this, and it’s no surprise that the hunt for good talent has produced a very competitive market for practitioners who are good at what they do. The great thing about cybersecurity is that one does not necessarily need a background in information security to have a great career in it. Some of the best folks I have worked with had either completely unrelated degrees or no university degree at all. The point is that one’s background does not limit success in cybersecurity. It takes a general understanding of the key concepts, some outside-the-box thinking, and a drive for success. With that, one can have a career in cybersecurity that is technical in nature or entirely non-technical. Understanding the risk that cybersecurity poses, and how that risk fits into the overall risk picture for the business, can give non-technical people long, prosperous careers in the field.
Evaluating Your Organization’s Cybersecurity Posture for the Future
So, where does all of the above leave us? We all know that a significant data breach combined with a poor incident response can lower a company’s valuation, even if the drop isn’t permanent. Every organization will have incidents; the real question is how they respond. Investors have shown that an incident that is contained quickly and handled with a proper response does not necessarily hurt a company’s valuation. The trickier part is evaluating when an organization is doing well. A valuation won’t necessarily rise because an organization is doing a good job at cybersecurity. Rather, a proper response keeps that valuation from falling when a breach does occur. One way organizations can protect their valuation is by investing in solutions that make it easy to implement foundational security controls. These tools should make it straightforward to manage secure configurations, vulnerabilities, and assets, all while making the most of the time and resources of the existing security team.