Taking a Risk-Based Approach to Cybersecurity

By Brian Nichols, Baker Tilly

Evolution of cybersecurity

Investments in cybersecurity have increased rapidly over the last ten years. Originally, cybersecurity was viewed as a technology issue, and investments were made in building technology solutions for cybersecurity concerns. These solutions range from basic anti-virus protection to sophisticated malware detonation (sandboxing) technologies. However, one thing has remained constant: data breaches continue to occur, and organizations continue to increase spending on cybersecurity.

Organizations today spend more on cybersecurity than ever before. However, many stakeholders are concerned that they are not seeing a return on that investment. Executives and boards challenge their cybersecurity leaders to show evidence that these investments actually provide protection against an ever-changing threat landscape.

Shifting views on cybersecurity

In order for today’s cybersecurity leaders to make lasting changes in their organization, they must change their view of basic cybersecurity principles and embrace these concepts:

  1. Cybersecurity is not a technology solution. Cybersecurity threats have become more sophisticated. Investing in the hundreds of cybersecurity technologies on the market will not necessarily provide the meaningful threat mitigation that organizations hope for.
  2. Cybersecurity is a people problem. With the rise of sophisticated phishing attacks, end users are targeted every day. Many organizations fall victim to malware or ransomware infections because their end users lack cybersecurity awareness.
  3. The supply of individuals with cybersecurity experience cannot keep up with demand. Organizations are stretching their own cybersecurity teams too thin by trying to tackle an increasing number of new initiatives every year.

Prioritizing cybersecurity investments based on risk

  1. Cybersecurity leaders must focus on understanding the risks to their organization before making investment decisions. This requires cybersecurity leaders to leave behind the ‘technology speak’ and step into the shoes of their less-technical business colleagues. Today’s leaders need to understand how the business operates and what the business considers its most critical assets. These assets could be information, applications, processes or any number of things that support the day-to-day operations of the organization.
  2. Once a cybersecurity leader understands what is most critical to the business, they must then assess the cybersecurity risks to each of those assets. These risks could be as simple as out-of-date software that is no longer supported by the vendor, lax access controls on sensitive information or inconsistent security configuration processes for new systems. Defining a holistic list of cybersecurity risks tied to critical business assets, and ranking them by likelihood and business impact, then allows the cybersecurity leader to prioritize investments against the most critical risks to the business.
  3. After identifying what is most important to the business and prioritizing investments to protect against the most critical cybersecurity risks, a cybersecurity leader can confidently present and defend those decisions to executives and the board in straightforward language and in terms the business understands.

Read the full article here.