
Improve cyber security programme performance with risk-based approach

Identify, prioritise, protect: How companies can adopt a risk-based approach to cyber security. By Shantanu Srivastava, Vice-President of APAC Skybox Security

There is no shortage of data when it comes to the topic of cyber security, given how vast and relevant this topic has become in contemporary times. However, most technology leaders, from chief information officers (CIOs), chief technology officers (CTOs), IT managers or chief information security officers (CISOs), know that there is no one-size-fits-all solution given their diverse needs and vast scope for applying these technologies.

To help security programme stakeholders and influencers peel through the layers of this topic and understand newer and better ways to deal with cyber threats, Skybox Security, in association with RAH Infotech, organised a discussion on how to improve cyber security programme performance by taking a risk-based approach.

Plugging holes constantly

When it comes to modern cyber security, no single tactic can do it all, given that malicious actors continually develop newer ways to bring down the defences an organisation builds. Debjyoti Guha, Technical Director for Skybox Security, started the discussion by showing some interesting facts from a ThoughtLab survey in May 2022, titled: "Cybersecurity Solutions for a Riskier World", which covered C-suite decision-makers from 1 200 organisations across 16 countries.

The average annual cyber security spending in Asia Pacific was among the highest at 33%, while it was 25% for the US (including 8% for Canada). However, when sliced and diced country-wise, the same average for India stood at 4%, and pales in comparison to 17% in the US.

Guha stated that a digitally connected ecosystem creates a wider threat surface, exposing strategic infrastructure to more significant attacks. “Conventional compliance-based cyber security maturity models might be unable to discriminate what they need to protect and how. This overarching approach often results in protecting non-critical assets, leaving the more important ones open to threats, which is a waste of time, money and effort,” he noted.

This evolving threat landscape, and the interdependence of organisations that share integrated platforms, has left C-suite leaders feeling unprepared to deal with a new world of risk. Around 50% of CEOs, CIOs and COOs say their organisation’s growing use of partners and suppliers exposes them to a major cyber security risk.

According to an EY Global Information Security Survey, cyber security is involved right from the planning stage of a new business initiative in only 36% of surveyed organisations. Moreover, 59% of surveyed organisations stated that the relationship between cyber security and the lines of business is at best neutral, mistrustful or nonexistent.

When it comes to cyber security solutions that can combat these threats, it is critical to have a risk-based approach in place that covers both IT and OT. This approach should be well documented, regularly updated and tested, so that everyone can put it into action immediately when needed.

This is where the prioritisation strategy kicks in. First, companies need to identify the cyber risks they are facing or are likely to face, and then rank the critical assets that need to be safeguarded in order of importance. Next, they need to determine which cyber security solution is most relevant to those risks, both in terms of coverage and in terms of return on investment.

Making the most of little

Moreover, companies need to deploy their precious security resources to mitigate cyber risks to levels acceptable to stakeholders across the entire ecosystem. That is the very basis of data-driven decision-making. Some participants mentioned that cyber security is a risk that will always remain, and while companies would like a proactive approach, they end up having a reactive one.

According to Ashish Bele, National Sales Director at RAH Infotech, this occurs largely because various systems operate in silos, which makes it challenging to contain breaches. And while there is talk about automation in cyber security, it is easier said than done.

Another participant concurred, noting how even automation requires some manual intervention, making the entire process an exercise in futility at times. Moreover, it can be difficult to pinpoint the exact source of a breach when all systems are automated, given that there are several moving parts.

During the freewheeling discussion, a CISO pointed out that the biggest hurdle in implementing a holistic cyber security policy is getting management buy-in. “When there is a problem, they start looking for a solution, instead of understanding that cyber security risk is the business issue,” he said.

Others agreed, noting the need to flip the narrative by convincing the top management about the merits of risk-based cyber security. This can be best done by quantifying probable risks and prioritising assets to get better protection and, in turn, a higher return on investment.

The key takeaway from the discussion was that a risk-based approach to cyber security is not just effective, it is also efficient. In addition, it helps companies become more resilient at an organisational level by empowering them to respond suitably to any cyber threat.

Skybox Security is a Display sponsor of the annual ITWeb Security Summit 2023, to be held at Sandton Convention Centre in Sandton, Johannesburg on 6 and 7 June 2023 and at Century City Conference Centre, Cape Town on 15 June 2023.

In an increasingly connected, digital world, cyber security threats are constantly evolving and increasing in number and sophistication. Security professionals need to be up to speed with the latest technologies, techniques and skills for predicting and mitigating potentially crippling cyber attacks, the methods and tools in use by today's threat actors, and the latest legal and compliance demands. ITWeb Security Summit 2023, now in its 18th year, will again bring together leading international and local industry experts, analysts and end-users to unpack the latest threats facing African CISOs, CIOs, security specialists and risk officers, demystify emerging cyber security strategies in AI, blockchain, IoT, DevSecOps and more, and explain how to increase an organisation's cyber resiliency. Register today.

Editorial contacts

Lisa Lawlor
Director ITWeb Events
lisa@itweb.co.za
Debbie Visser
Business Development Director ITWeb Events
debbiev@itweb.co.za