Cybersecurity Risk Management Remains a Work in Progress


Posted on by Robert Ackerman

If you look at the big picture in cybersecurity risk management and governance as we approach the midpoint of 2021, it seems pretty bright. Companies weathered the worst of the COVID-19 pandemic with its skyrocketing security threats and largely did a good job improving the online security of tens of millions of new remote workers. And, too, they have slowly begun placing more people with relatively deep cyber expertise on their boards.

Some would say the proof is in the pudding—IT research firm Gartner last month announced that corporate cybersecurity spending would grow a robust 12 percent in this year of recovery, fueled by the need to continue defending remote workers from cyber threats and to move more assets to the cloud. Most important, Gartner projects more spending on artificial intelligence and machine learning.

Yet, some questions remain. Are things as good as they seem, powered not only by deep pockets as the pandemic winds down and the economy strengthens but also by growing insights and perspectives on the cybersecurity front? No one doubts the economy is healing rapidly. But there are some doubts as to whether most companies, rather than a relatively small number, are truly spending more and whether these funds are well targeted.

In contrast to Gartner, McKinsey & Co. has published a survey that says 70 percent of security executives believe that security budgets will decline in 2021. As a result, they added, outlays for the likes of compliance, governance and risk tools will shrink.

The disconnect may be due in part to America’s mid-sized companies—companies with annual revenues between $100 million and $1 billion, which in aggregate account for a third of the nation’s gross receipts. These companies took a shellacking last year, caught unprepared by the rapid, large-scale shift to remote work, and that is compelling them to spend more this year. According to a survey by the U.S. Chamber of Commerce and RSM US LLP, an audit, tax and consulting firm focused on the middle market, 28 percent of middle-market leaders experienced a data breach last year, up from 18 percent in 2019. And despite increases in cyber spending, 64 percent of these respondents said they expected to be attacked this year, up 16 percent from attack expectations in both 2019 and 2020.

Monetary issues aside, how good in general is corporate cybersecurity risk management today? Relying more on AI and machine learning is clearly important, but should aggressive spending on security support of remote workers be a high priority when many workers are starting to return to the office?

Cybersecurity risk management is the process of identifying, assessing and controlling corporate cyberthreats. If, in fact, some threats are over-protected and others under-protected, somebody is falling down on the job.

This is not particularly obvious. Companies, in general, have been trying to improve their security posture, with some success. Since the start of the COVID-19 pandemic, for instance, they have increasingly deployed customized security plans instead of generic ones. They have paid more attention to who is connecting to their infrastructure and how securely. In addition, more and more companies are recognizing that relying on preventive security measures alone, without simultaneously employing offensive measures to curb attacks, is insufficient. Yet many other companies, unfortunately, have been slow to follow suit.

Part of the problem is that the approach to risk management and governance too often includes a hesitancy to come to grips with cyber realities. “Companies will get breached,” says plain-spoken Robert Lee, the CEO of Dragos, an industrial cybersecurity company. This is tolerable, Lee says, because companies simply can’t stop all breaches. “But if they don’t have the data they need to respond to an attack and know how to respond, they will fare much worse.”

Companies also should become more forthcoming in the way they deal with cloud security and more aggressive in embracing newer and more comprehensive security measures.

In the case of cloud computing, it’s well-known that cloud security isn’t especially good. What gets less attention is that cloud service providers treat cloud security as a shared responsibility with their customers. And while cloud purveyors typically hold up their end of the bargain, many customers do not. According to a Gartner report, at least 95 percent of cloud security failures will be the customer’s fault by 2022.

In the case of sluggish adoption of new technologies, consider the nascent and growing field of continuous controls monitoring (CCM). CCM provides a thorough snapshot of an enterprise’s cybersecurity posture in real time, so holes in the system, which are not uncommon, can be readily identified. A small number of system endpoints, for example, are often improperly configured by mistake and hence vulnerable to attack. Identifying such nooks and crannies inside enterprise networks is invaluable.

Other examples of good risk management should also be adopted if this isn’t already the case. They include:

+ Enhancing the management of continually growing third-party risk, a certainty amid robust outsourcing. Current approaches to the problem, such as audits and penetration tests, are helpful but often provide only a fleeting snapshot of security risk. Organizations need automated tools to continuously monitor and measure third-party security performance.

+ The need to focus on proactive threat hunting, in addition to common defensive steps. This makes it easier to find a breach and improves your security posture over time.

+ Making sure cybersecurity leaders attach cybersecurity needs to business requirements. Otherwise, the risk of financial loss is not quantified, and a perfectly good security proposition may be rejected. A member of the security team, for instance, may not need to exhaustively explain the ins and outs of a proposed new encryption service. But he or she does need to explain its additional strengths in curbing financial risk.

+ Encouraging the security team to stay ahead of the curve. They should have the time to see what universities, incubators and cybersecurity startups—often the best sources for cybersecurity solutions—are up to.

When a crisis turns into a recovery, as is the case with the ebbing COVID-19 pandemic, leaders must toggle between managing for the present and the future. Future orientation is back, and modeling, predicting and planning are all-important. But investing with insight, perspective and boldness in cybersecurity, as in other business specialties, is downright essential.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.