
Recognizing the Problem: Understanding the “Why”

The Importance of Realizing the Issue at Hand

I’ve always joked with my wife that when it comes to our son, he needs to understand “Why” and then expect multiple “What If” questions.

I’ve thought the same about business leaders managing Cyber Risk and Cybersecurity. The “Why” is very important, but the “Realization” that there is a need or problem, or anticipating what could cripple or shut down your business, is far more crucial, in my opinion.

In a recent post, “Why Security Matters,” I discussed several of these reasons; check it out here. There are many more aspects to consider, however. Based on my experience conducting thousands of assessments over the past 22 years, executive teams must fully comprehend the impact of ransomware and cyber breach events. Here is an outline of the impact on a client we spoke with five years ago.

Even with all the information and postmortems on cybersecurity breaches available today, business leaders at all levels still struggle to understand how revenue and growth can suffer, or benefit, depending on whether they embrace cyber risk and cybersecurity as part of their business DNA. Many CEOs are still delaying or pushing off cybersecurity improvements in 2024, for whatever reasons, which makes no sense to me. This willingness to risk it all, when there are simple things you can do to make solid improvements and mitigate risk, is astounding to me.

I speak frequently around the country. In 2019, I addressed over 500 CEOs and business leaders at several events and conferences nationwide. Most attendees came from companies with between 500 and 1,000 employees, in finance, manufacturing, technology, construction, biotech, and retail.

The first question I always ask, to understand my audience better, is: “How many of you have conducted a comprehensive cybersecurity assessment in your business? Let me see your hands.”

After a year of asking that question, the answer is that only 7 of the more than 500 CEOs and business leaders raised their hands.

We Must Do Better Than This

Let’s look at recent real-world data and explore why this should matter to you. Arctic Wolf’s latest research is a comprehensive survey of 1,000 security and IT professionals worldwide. It reveals their key priorities and objectives and gives a first-hand perspective on current challenges and future concerns. The results are essential reading for any cybersecurity professional.

The survey found:

  • Ransomware is still a top risk, with double and triple-extortion becoming the go-to for threat actors.
  • Business email compromise (BEC) continues to climb as a widely used tactic.
  • Post-breach disclosure rates soared 72% above 2023 levels.
  • 70% of organizations that have an incident response retainer have needed to use it in the past 12 months.

These results show a landscape where threat actors are rapidly exploiting cloud security gaps and misconfigurations, the growing number of web applications and user credentials, and organizations’ intolerance of downtime, to launch more complex attacks more frequently than before. Cybersecurity is evolving too: a holistic approach that not only prevents breaches but also prepares the organization for the incidents that do occur is proving to be the way to build cyber resilience.

Building a Cybersecurity Program: A Strategic Approach

What does it take to build the foundation of a cybersecurity program? Building a comprehensive cyber risk program without an existing security framework calls for a strategic, phased approach: establish the foundational elements of cybersecurity first, then progressively implement more advanced controls and processes. Here is a detailed, executable plan for the first phase:

Phase 1: Establishing the Foundation

Cybersecurity Assessment:

Conduct an initial cybersecurity assessment to understand the current state: identify critical assets, data flows, and potential vulnerabilities across the organization’s infrastructure and applications, especially those hosted in Amazon Web Services (AWS). Give cloud misconfigurations (publicly exposed storage, network rules open to the internet, accounts without MFA) priority in the assessment, since these are among the gaps attackers exploit first.
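To make the assessment step concrete, the following is an added example (not from the original post or from any tool it mentions) of the kind of automated check an assessor runs over an exported cloud inventory. It looks for three common AWS misconfigurations: security groups that expose administrative ports to the whole internet, S3 buckets without a complete Public Access Block, and IAM users who can log in to the console without MFA. The inventory at the bottom is constructed for illustration; its shape follows what `aws ec2 describe-security-groups` and `aws s3api get-public-access-block` return, while the IAM user records are a simplified, hypothetical merge of `list-users`, `get-login-profile` and `list-mfa-devices` output. In a real assessment the data would come from the AWS API rather than a literal.

```python
"""Offline misconfiguration checks for a Phase 1 cloud assessment (added example)."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Ports where an inbound rule from 0.0.0.0/0 or ::/0 is almost always a finding.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               1433: "MSSQL", 27017: "MongoDB"}

# The four flags that together make up a complete S3 Public Access Block.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    resource: str   # identifier of the misconfigured resource
    detail: str     # what is wrong, in plain words for the report


def _open_to_world(perm: Dict[str, Any]) -> bool:
    """True if any IPv4/IPv6 range on the rule is the whole internet."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def check_security_groups(groups: List[Dict[str, Any]]) -> List[Finding]:
    """Flag rules that expose all traffic or an admin port to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1" or (lo, hi) == (0, 65535):
                findings.append(Finding("HIGH", sg["GroupId"],
                                        "all traffic/ports open to the internet"))
                continue
            for port, name in ADMIN_PORTS.items():
                if lo is not None and hi is not None and lo <= port <= hi:
                    findings.append(Finding("HIGH", sg["GroupId"],
                                            f"{name} ({port}/{proto}) open to the internet"))
    return findings


def check_s3_public_access(buckets: List[Dict[str, Any]]) -> List[Finding]:
    """Flag buckets whose Public Access Block is missing or only partly enabled."""
    findings = []
    for b in buckets:
        cfg = b.get("PublicAccessBlockConfiguration") or {}   # None = never configured
        missing = [flag for flag in PAB_FLAGS if not cfg.get(flag)]
        if missing:
            findings.append(Finding("MEDIUM", f"s3://{b['Name']}",
                                    "public access block incomplete: " + ", ".join(missing)))
    return findings


def check_iam_mfa(users: List[Dict[str, Any]]) -> List[Finding]:
    """Flag users with a console password but no MFA device enrolled."""
    return [Finding("HIGH", f"iam:user/{u['UserName']}", "console login without MFA")
            for u in users if u.get("HasConsolePassword") and not u.get("MfaDevices")]


def assess(inventory: Dict[str, Any]) -> List[Finding]:
    """Run every check over one inventory snapshot and return all findings."""
    return (check_security_groups(inventory.get("SecurityGroups", []))
            + check_s3_public_access(inventory.get("Buckets", []))
            + check_iam_mfa(inventory.get("Users", [])))


# Constructed sample inventory (hypothetical IDs and names, not real accounts).
SAMPLE_INVENTORY = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # HTTPS to the world: fine
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},          # SSH from the LAN: fine
        {"GroupId": "sg-0b2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},           # SSH from anywhere: finding
        {"GroupId": "sg-0c3", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},            # everything over IPv6: finding
    ],
    "Buckets": [
        {"Name": "corp-public-site",
         "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},   # fine
        {"Name": "backups-prod",
         "PublicAccessBlockConfiguration": {**dict.fromkeys(PAB_FLAGS, True),
                                            "BlockPublicPolicy": False}},     # finding
        {"Name": "legacy-exports", "PublicAccessBlockConfiguration": None},    # finding
    ],
    "Users": [
        {"UserName": "alice", "HasConsolePassword": True, "MfaDevices": ["arn:mfa/alice"]},
        {"UserName": "bob", "HasConsolePassword": True, "MfaDevices": []},     # finding
        {"UserName": "ci-deployer", "HasConsolePassword": False, "MfaDevices": []},
    ],
}

if __name__ == "__main__":
    for f in sorted(assess(SAMPLE_INVENTORY), key=lambda f: (f.severity, f.resource)):
        print(f"[{f.severity}] {f.resource}: {f.detail}")
```

Run against the sample, the script reports five findings: two internet-exposed security groups, two buckets with an incomplete Public Access Block, and one console user without MFA. The point for leadership is not the script itself but that each line of output maps to a decision (close the port, enable the block, enroll the user) that can be tracked to completion, which is what turns an assessment into a program.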

Cybersecurity Framework Adoption:

Choose a cybersecurity framework to guide the program. The NIST Cybersecurity Framework (CSF 2.0, released in February 2024) is widely respected and offers a comprehensive approach to managing cybersecurity risk across six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Policy Development:

Develop key cybersecurity policies, including an Acceptable Use Policy, Access Control Policy, Incident Response Policy, and Data Protection Policy. Ensure these policies align with industry best practices and the regulatory requirements that apply to your business.

Cybersecurity Awareness Training:

Implement mandatory cybersecurity awareness training for all employees, emphasizing the role security plays in their daily activities. Since the survey above identifies business email compromise as a climbing tactic, recognizing phishing and BEC attempts should be a core module of that training.

Conclusion: Ask the “Why” Questions

Business leaders, it’s time to ask the “Why” questions about Cyber Risk and Cybersecurity. Understanding these issues is not just about compliance; it’s about safeguarding your business’s future. Delaying cybersecurity improvements can have severe consequences. Embrace the need for a robust cybersecurity strategy and make it an integral part of your business DNA. Your organization’s resilience depends on it.

If you have questions, please feel free to reach out. I’m here to help.


Repost from LinkedIn – https://www.linkedin.com/pulse/recognizing-problem-understanding-why-mike-fitzpatrick-2edcf/