Overlooked Fundamentals That Lead to Cyber-Disasters
Two hundred and thirty-eight (238) years ago, Thomas Reid wrote in an essay: “The chain is only as strong as its weakest link, for if that fails the chain fails together with the object that it has been holding up.”
However, that thought seems to be lost whenever we open an e-mail or read articles from security experts. They love to give us the top three, five or ten cybersecurity actions to make our company safe. It draws us to slick solutions that promise the end of stress.
Reality Check: No Short Cuts
The reality is that cybersecurity consists of 100+ potential vulnerabilities—weak links—not a few slick sound bites.
While NIST’s Cybersecurity Framework 2.0 covers 107 topics, it doesn’t come close to addressing the real scope of cybersecurity in 2024.
That’s why organizations miss the big picture and why cyber-disasters such as MGM, Dallas, etc., happen every day. It's the lack of an approach covering the entire organization that causes most ransomware, data breaches and disruptions around the world.
HOLISTIC CYBERSECURITY is a strategy to discover every vulnerability, strengthening and protecting across the entire organization and beyond. It must be managed and driven by the executive team.
Why Holistic Cybersecurity?
It’s about the big picture and the inescapable detail. Weak links are located across the organization and beyond—not just inside your IT domain. This is why Holistic Cybersecurity is the only approach that examines every potential vulnerability in your defensive chain ... and it’s not that hard.
The “Who” of Holistic Cybersecurity
This is about ensuring that every functional responsibility is handled—and owned. The article can only be a top-level view (see cybyr.com/holistic).
Your organization may not exactly match these categories—it’s the overall scope that matters.
EXECUTIVE TEAM
Let’s begin with the most important part of the article. It’s logically impossible to effect security that spans the organization unless it’s managed as an executive imperative.
Given new and upcoming legislation, this approach also becomes a competitive and legal necessity. The rest flows from this initial choice—without which it will fail, and the organization will remain at risk.
SECURITY ACCOUNTABILITY
Ideally part of the executive team, the person accountable for the organization’s security should be separately budgeted and not report to IT since it’s critical that their responsibility spans the entire organization. Key duties are creation of both security policy and an ongoing implementation plan together with ongoing measurement, reporting and oversight of all aspects of the organization’s security.
HUMAN RESOURCES
The role of staff and contractor evaluation, implementing insider threat and social engineering strategies is critical. Overseeing employees’ privilege levels and constant training with viable anti-phishing software is also essential. Care must be taken to verify the security of external recruiting companies to ensure access to sensitive data is managed and verified.
DISTRIBUTED WORKFORCE
Another HR-related function is the management of staff at home, remote offices, working with IT to manage/ban the use of non-corporate devices, etc.
SALES AND MARKETING
Monitoring of CRM sales tools (salesforce.com, etc.) is required to ensure databases use micro-segmentation, are encrypted, and disallow the use of unverified plug-ins or APIs. Similarly with website CMSs, ensuring they use firewalls and do not use unverified plug-ins (WordPress has 50,000!) that can cause much disruption.
CUSTOMER SERVICE
Customer service is especially vulnerable to social engineering abuse and must use systems that protect customer information.
PRODUCT AND SERVICE DEVELOPMENT
Whatever the product or service, it must be developed with security in mind. Where any service or product employs third party content, it must be verified. Special care must be taken to protect intellectual property from corruption or theft (see cybyr.com/delegate).
MANUFACTURING AND OPERATIONS
Not everyone will have these areas but for those in critical infrastructure, decisions on security for network infrastructure, IoT separation and integrity are critical (see cybyr.com/critical).
LEGAL GOVERNANCE
The proper written positioning of cybersecurity policy and strategies provide competitive positioning. They provide legal defense should breaches occur and reduce cyber insurance costs. Also important is verification and governance of third-party supply chain contracts.
FINANCE AND ADMINISTRATION
Physical security is often handled here, and many functions involve third parties that must be vetted. Another key role is in the cost-evaluation of which assets require protection. Outside CPA and tax service companies must also be verified.
INFORMATION AND TECHNOLOGY
Finally, IT provides skills, resources, and technical oversight for the above. Where services and software are outsourced, properly delegating is critical.
The “What” of Holistic Cybersecurity
The following gives you a taste of some actions related to implementing an effective program to reduce risks to your organization (see cybyr.com/holistic).
Key is to understand what assets you have, how they should be protected from disaster and recovery and what it would cost if they were destroyed or ransomed. Only then can you form and cost out a security plan to remove weak links over time. It will also shape data and network strategy. Use of multi-cloud assets adds new levels of complexity to security to be addressed.
Verifying the security of all your suppliers is a critical step to safety and to avoid threats before they happen. Lack of verification quickly becomes abdication of responsibility.
Deploying solutions that embed the principles of Zero Trust is the only way to protect your data and services in 2024 and beyond. Applying the Zero Trust mantra of verifying everything is the mindset that complements Holistic Cybersecurity.
Security and automation go hand in hand. Automate everything possible, especially the continual verification of device and software updates, access privileges, etc. Unless you continually monitor, you are effectively only protecting the past. Take special care with vulnerable IoT devices, ensure all assets are only accessible to authenticated, authorized users. Be ready should problems occur, keep measuring and reporting your progress. Keep cyber-aware at cybyr.com/breaking.
Summary
My intent has been to convey why Holistic Cybersecurity makes a huge difference—but we just scratched the surface! I make no apology for not boiling it down to a few quick bullet points. Contact me for help with step-by-step implementation to keep reducing your organizations’ cybersecurity risks. Visit cybyr.com for the latest on cybersecurity.
