Page 113 - Cyber Defense eMagazine October 2023
strong cybersecurity teams. Small and mid-sized firms, however, often have far less sophisticated
cybersecurity protections. As a result, they can dramatically underestimate the level of risk they face.
This quickly became apparent in the written comments that poured into the SEC before the final rules
were adopted in July of this year. While many commenters suggested changes to improve the proposals — providing
more time for companies to disclose a breach, for example — many opponents simply wrote off the
strengthened cybersecurity rules as onerous, expensive and unneeded.
This is just one example of the current thinking about cybersecurity. In the wealth-management sector —
and, frankly, across the business world — decisions about investment in cybersecurity expertise and
technology continue to be made by executives who don’t have a deep understanding of cybersecurity
issues. Worse yet, they don’t realize how little they know, and they’re unwilling to consult with experts
who could help guide good decision-making.
Manage, mitigate risk
It's important, as Kemba Walden told the Black Hat audience, that businesses and other enterprises of all
types reframe and simplify their thinking about cybersecurity. At its heart, cybersecurity is simply a matter
of managing and mitigating risk. Nothing more. Cybersecurity experts can handle the technical details
that cause C-level executives to nod off during boardroom presentations, and security teams
don't need to bog down meetings with cyber-speak. But every executive understands that managers must
mitigate business risk, and that is the language cybersecurity leaders need to be speaking. Good
practice in risk management is based on a clear-eyed look at the available information about each risk and
the cost of mitigating it to an acceptable level.
To optimize an organization's risk management, strategy and spending on cybersecurity
should always be derived from the organization's risk profile. What are the risks? How much risk can the
organization tolerate? How is that profile changing? The answers to these questions then drive the decisions
about which risks to mitigate first.
The truth about firewalls
One of the most important lessons that cybersecurity professionals can share with top managers is this:
no system in the world is completely secure and safe from hacking. Investment in perimeter defense
can make life more difficult for attackers, and the cost of overcoming a good perimeter may be
high enough to discourage an intruder. Traditional perimeter defenses such as firewalls may be
enough to keep out low-skilled hackers.
But when the attack comes from a sophisticated threat, say a team backed by the financial
resources of a national government, perimeter defenses will melt like an ice-cream cone on a summer
sidewalk.
That means effective risk-management strategies must focus on detecting an intruder quickly and
expelling them before significant damage can be done. We're talking about minutes, not a day or two.
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.