What do Facebook, Marriott, Uber, Google, JPMorgan Chase, and British Airways have in common? Yes, they are Fortune 500 companies, but they have also all been hacked in the past five years! These hacks are not a direct function of a lack of investment in cybersecurity. For instance, JPMorgan spends nearly $600 million a year on cybersecurity alone. Clearly, they have the money to spend on cybersecurity and are doing whatever it takes; yet, black hat hackers have historically been able to sidestep their measures.
Businesses, whether small, medium, or large, often mistake an investment-heavy strategy for a good cybersecurity strategy. If that were the case, enrolling in a gym would directly imply good health. We know that isn’t true: one needs to use the facilities correctly, be regular, and follow up with good habits in general to ensure a healthy mind and body.
When a firm’s chief information security officer (CISO) is questioned by the Board members about how secure their organisation is, the answer is usually based on the cybersecurity audits performed and the patches deployed for critical vulnerabilities, concluding that they “seem to be secure enough”. For a Board member, this answer no longer suffices in the 21st century, as they can now be held personally liable if a breach occurs, according to the General Data Protection Regulation.
While businesses want to rapidly hop onto the trend of digital transformation, they often drop the ball when it comes to security. Zoom is a classic example of rapid transformation and success, but the reports of vulnerabilities on the platform badly damaged its reputation. Even though the CEO publicly apologised and Zoom rapidly fixed those vulnerabilities, the question remains: do you, as a customer, fully trust the brand?
This brings me to the point: while the technology around us advances, why do we still rely on point-in-time red-amber-green assessments, and why does a CISO still depend on quarterly cybersecurity audits to tell the board how secure their company is?
Continuous monitoring is better than a point-in-time snapshot. Take the example of how weather prediction has evolved: from a time when we used to wait for the morning newspaper to plan the day, to now being able to get not only real-time weather updates but also predictions for the rest of the week. This has been made possible by continuous monitoring of wind patterns across the globe through satellite imagery, stitched together to make predictions and monitor changes in order to mitigate or prepare for disasters. The same analogy can be drawn for cybersecurity. Why should one of the most cutting-edge fields of technology lag behind?
Recently, Dubai-based Mashreq Bank used real-time data analysis and AI/ML technology to foil multiple phishing and DDoS attacks. The head of its centre of excellence revamped the bank's view of and strategies for IT security. This is what we need. Thousands of variables constantly threaten your enterprise, given that a hack happens once every 39 seconds. Constant monitoring, real-time analysis, reporting, action, and feedback have to become the standard operating procedure.
That said, there needs to be a method even in madness. Keeping track of live monitoring feeds from tens of thousands of cybersecurity tools can generate unending data streams that bury even the most sophisticated security teams. Siloed cybersecurity tools need to be unified into a single dashboard for consistency in this real-time measurement. Imagine how efficient your risk management practices would be if you knew that your cyber risk posture stood at 3.14 out of 5, with prioritised, actionable insights on what to fix, when, and how. A change in your cybersecurity score can be like a ‘tweet’ of information, based on which your cybersecurity team can prioritise and deep-dive into the highlighted areas of concern to mitigate an impending disaster.
Consistency is the cornerstone of risk management: it cuts across volumes of subjective ‘opinions’ and ‘influences’ and brings the Board, the security team, other stakeholders, and customers to the same level of understanding through an objective risk metric.
One of my favourite quotes is by Sherlock Holmes: “It is a capital mistake to theorise before one has data. Insensibly, one begins to twist the facts to suit theories, instead of theories to suit facts.” As a CISO, unless you have an objective, real-time, enterprise-wide unified score that puts your business criticality and breach likelihood into context, you will never have a clear answer to the simple question your board asks you: how secure are we?
Views are personal. The author is vice president, Product Management and Customer Success, Americas, Lucideus.