Enterprise security is no longer an occasional discussion for modern companies. The news cycle is full of cases of breaches, security incidents, and the resulting impact to customer confidence and company valuation. A constantly changing risk and workforce location outlook makes the situation even more dire as threat actors continue to hone their skills around infiltration and data theft. In this article, we’ll explore the present state of enterprise security, the attributes of its optimal future state, and what you can do to get there.
The Current State of Enterprise Security
Today, a combination of complex environments, unpredictable threats, and incredibly high stakes for businesses means that corporate cybersecurity teams are under intense pressure and scrutiny to operate flawlessly 24x7x365. Picture the changes in the workplace environment over the last several years. Applications and workloads exist less and less within the datacenter. M&A activity drives sudden change as well as the fracturing of application, security and operational teams and workspaces. Users, especially in the wake of the COVID-19 pandemic, are accessing companies’ most sensitive data from insecure locations using devices that don’t always meet security standards. This broadening of the attack surface stretches even the most diligent security team, diluting their ability to effectively respond to pressing security incidents.
Threats are evolving so fast and at random that most cybersecurity teams can’t keep up. They’re forced to react, focusing on preventing past attacks from reoccurring and/or meeting static compliance standards instead of proactively managing their technology infrastructure and security posture. This defensive mindset causes operational inefficiency (wheel spinning) and sub-optimal security readiness. To make matters worse, threat actors are continuously honing their ability to crack the shell of security present around most organizations. They understand the weaknesses inherent in perimeter-based security models and how organizations’ lack of focus on user education makes them easy targets. This relentless drive toward self-improvement on their part ensures that security teams are constantly playing catch-up. And instead of learning how they will be attacked, they focus on legacy attack patterns while they should be keeping their eyes on evolving tactics, techniques, and procedures (TTPs).
Skills and Talent Scarcity
Robust demand for experienced and highly-skilled cybersecurity professionals makes it difficult and extremely expensive to recruit, hire, and retain top talent. Businesses that cannot afford to invest in the best or who cannot move quickly are more vulnerable to attacks and recover more slowly when targeted. Even if organizations wanted to focus on the future, training the workforce requires time, effort, and a staff with available work cycles to absorb the training. A recent ISSA study indicates that 60% of organizations are affected by this shortage, leading to either overworked staff or unsustainable project backlogs. The impact is significant, as teams are expected to do more with less for tasks that demand focus and clarity.
What’s at Stake: Negative Outcomes
As security concerns evolve and attackers’ methods become more sophisticated, organizations are left with no choice but to treat enterprise security as their number one priority. If these challenges go unresolved or a company doesn’t act with a true sense of urgency, a troubling combination of financial, reputational, and operational ramifications will follow.
It’s no secret that any cybersecurity event—no matter the severity—has the potential for disastrous financial implications, most notably:
- The disruption of a company’s ability to conduct business transactions
- The cost of expertise and tools to mitigate and recover from a cybersecurity event
- The cost of legal actions by customers, investors, or vendors impacted by the breach and/or regulatory non-compliance penalties by government agencies
Even if an incident has not occurred yet, companies face challenges with maintaining insurance policies due to the threat of security incident and lack of maturity. Increases in attacks as well as financial and reputational costs have driven up both the cost and complexity of cyberinsurance policies. Many companies have found their costs rising exponentially, with some unable to renew policies due to insufficient preventive or detective controls.
Just one security breach can lead to mistrust in the marketplace by prospects, customers, investors, media, and regulators for not being good stewards of customer data and corporate operations. In many cases, lasting reputational damage is done even when an organization is able to quickly resolve the issues.
Among the most severe implications is losing command-and-control of day-to-day business operations/communications and the ability to serve customers. In short, cyberattacks can render the business helpless by stripping the ability to ‘do’ anything internally and/or externally.
What happens, then, when you combine overworked staff with increased regulation and compliance burdens, advanced threat actors, and an expanding threat surface? We can best understand the consequences by looking at what has already occurred, according to Forbes:
- 90% of all healthcare organizations reported at least one breach in the last three years
- The US FTC reported almost 1.5 million cases of identity theft in 2020
- Cybercrime cost us, collectively, almost $3M per minute
- Nearly 80% of senior IT leaders believe their organizations are not properly protected against cyberattacks
The Future State of Enterprise Security
Ultimately, a sound enterprise security program should be able to define and execute a strategy that will sufficiently address challenges and leave the organization better prepared for the future. But what does the desired future state look like? Speaking broadly, an effective enterprise security strategy should be—above all else—proactive, growth-focused, and confident.
With the right strategies and tools in place, security teams can proactively manage their security posture, detecting and mitigating threats before they impact the business. Taking a proactive stance to protect your organization requires a holistic approach to cybersecurity that values process as the true enabler of success. No matter how many or how few solutions are in place—or whether the program is fully or sparsely staffed—it all depends on process to move information from one place to the next and to alert the responsible parties of a cybersecurity event. Processes include planning for the following:
- Identification of all assets (physical and logical), their owners, stewards, and users
- Protection of these assets from physical and logical threats, both from inside and outside the organization
- Detection of these threats with appropriately scoped visibility processes
- Response ability, including third parties where appropriate
- Recovery capability, lending assurance to the organization that all is not lost in the event of an incident
With employees, applications, and data spread across all areas of the business, technology-driven collaboration across the enterprise is required to fuel growth—but it must be done so in a secure manner. Growth in the overall business involves incorporating organizational changes, leading to changes in overall risk posture. Departments—including IT—must focus on understanding and anticipating the security stress points created by growth. Maintaining a robust, proactive security posture enables IT teams to participate in and promote innovative growth within the business, allowing them to quickly and safely align to the needs of customers and the marketplace at large to deliver value and revenue.
Act with Confidence
Security teams must be equipped with the skills, expertise, and insight needed to work fearlessly in a challenging, non-stop threat landscape. A security program that focuses on these tasks is not just aligned to protect the company from cyberthreats but is poised to be an enabler of business agility and growth. Secure businesses have an edge when practicing innovation, as they build security into their efforts as they move forward. They’re less likely to be caught off guard when standing up a new service, as they have an understanding—both at the leadership and at the operational level—of the risks inherent in transformational efforts. The plan needs to be not only robust enough to handle all expected threats, but flexible enough to adapt to the changing threat environment. The program must adapt, and the workforce should be educated to respond to the threats the organization is expected to face.
Measuring Progress: Positive Outcomes
In pursuit of the desired future state, it can be difficult to know where to look for proof of progress. In most cases, we can pinpoint four key areas whose maturity should be a good indication of growth: detection, mitigation, recovery, and risk awareness.
IT teams should be able to effectively detect attacks in real time across the enterprise, capturing important details to not only disrupt the attack, but be used to bolster security against future attempts.
Ask yourself: Can you detect the threats that face your IT and data assets? Can you detect threats that affect the safety of those assets housed by your partners? Is your alerting program tuned to the things that are important to you, and just as importantly, is it tuned to ignore or deprioritize the things that don’t matter?
In the event of a successful breach, IT teams must be able to quickly address the situation and neutralize the threat, minimizing damage and limiting the scope.
Ask yourself: Do you have documented plans for stopping the spread of malware? Have you also documented what is important for the organization and who is responsible for mitigation? Have you practiced and documented the plan, and does your change management strategy feed into this plan so you’re responding in the right way, within a properly documented environment? Is automation in place to the extent possible, making sure your team is focused on the right tasks?
When damage can be effectively minimized, the business can recover faster financially and operationally, with little-to-no reputational damage. Even things as mundane as workspaces for occasional staff have derailed some recovery efforts, so be sure to plan for logistic and administrative support.
Ask yourself: Do you know what steps are required for recovery? Do you have a priority for apps and workloads that need to be recovered? Have your teams practiced their steps, and are your partners aware of their role in your recovery plan?
When a company has a firm grasp on risk and its resulting exposure, decisions are made with awareness, leading to more agility and competitive advantage. How then, does an organization know if its program is suited for its threat environment? For starters, it must look beyond penetration tests and compliance reports.
Ask yourself: Do you know how much risk your organization can tolerate? Do you know what business activities present risk and how much risk they pose? Are you aware of changes in the organization that change your risk posture? Do you have a method for tracking risks and assigning ownership to relevant portions of the organization?
Preparation for the inevitable begins with basic planning and organization. Get a baseline of your position, with an eye on the processes that enable your detection and response efforts. No matter how many solutions or partners you have in place, your processes will determine how well you respond and recover. After gathering information on your baseline, make an organizational decision on your threshold for risk and for response capability. This will allow you to perform prioritization of your remediation steps, focusing your efforts on the actions that will make a measurable difference in your security posture.
To learn how AHEAD’s security experts can help safeguard your organization, get in touch with us today.