Last week, I talked about risk management. https://www.cyberselfdefense.com/covid-19-has-created-cybersecurity-issues-for-my-company-help/
This morning, Business Insider presented an article that was of immense value to most companies. https://www.businessinsider.com/microsoft-poll-zero-trust-cybersecurity-pandemic-2020-8
During this pandemic, we are seeing more people online. This presents some real concerns for IT and security staff in EVERY organization. If it does not cause concerns, there is likely something wrong with the program. The question is: how do I build a world-class cybersecurity program while keeping costs low? The answer was discussed in the article I presented last week. Any good cybersecurity professional or executive will tell you that risk management is critical to the success of the business.
In this article, Jeff Elder presents the idea that all companies are talking about “Zero Trust”, a concept that alludes to the fact that nobody is trusted. While I agree with the concept, I think that the technology is still just a concept. The reality is that people MUST be trusted. We can and should limit their access; we can and should force multifactor authentication; we can and should validate their security controls when they access the network; and we should employ all of the other security tools, processes, training, controls, etc. The reality, though, is that for me to say that I do not trust a high-ranking person like a CEO, and to have tools to enforce this model/concept, is not complete. The first time I allow the CEO access to any system, application, document, etc., I am trusting him/her! I used to present the idea when publicly speaking that I can place a computer into a room with infinitely thick walls, ceilings, and floors, post armed security around it, and ensure that the computer is not connected to ANY external source and has no wireless signals; as soon as a person enters the room (trusted or not), we have the potential for a security breach.
So, what does this all mean? It means that we have to find a way in which we can balance the needs of the business through the enablement of the business, keep costs manageable, and build quality security. The ONLY way this is possible is through a formal risk management process.
The Microsoft poll in this article presents the finding that “…while more than half of the business leaders (58%) reported budget increases for security and 65% for compliance, 81% also reported feeling pressure to lower overall security costs.” I believe that these pressures come from security teams making educated guesses, following the advice of salespeople who sell “a magic button” that stops security breaches, and failing to properly assess and manage risk. If you are spending the right amount of money on your program, your risk assessment should help you show your executives that your program is fine-tuned and operating efficiently.