Whether nation-states or criminal organizations, adversaries are spending heavily on cyberspace capabilities to conduct attacks. As the frequency and severity of cyberattacks continue to increase, the cost of cybercrime could hit $10.5 trillion by 2025. Organizations are investing in cybersecurity – yet adversaries continue to break through defenses and the average cost of a breach has risen to a record $4.24 million.
Unfortunately, even if companies could outspend adversaries, the threat impact would likely look the same. Trends in existing program effectiveness, coupled with already overworked cyberdefenders, have made it clear that organizations must alter their approach. While this may seem like a daunting challenge, there are three questions organizations can ask themselves to evolve from reacting only after a breach occurs to building a strategic and proactive defense program that interdicts adversaries before they can achieve their objectives.
Who drives change in the organization to ensure cyberdefense effectiveness?
When looking at the modern cybersecurity landscape, it appears we are engaged in a form of low-intensity, asymmetric warfare. Security operations teams continue to experience enormous surges in operational tempo not unlike those faced by the military during periods of war. While companies spend more money and resources than ever towards defensive cyberoperations, the regrettable success of adversaries continues to result in trillions of dollars lost. This does not even count the potential opportunity cost of those lost dollars that could have been used to create positive business outcomes. Unfortunately, in today’s cyberspace battlefield, our adversaries' capabilities and training outpace many public and private sector organizations’ security effectiveness.
We cannot view defending against cybersecurity risks as the exclusive responsibility of the organization’s IT or cybersecurity department, as some leaders may believe. C-suites need to join the conversation by creating data security principles that help strengthen the organization's resilience against threats.
C-suite and board members need not just to understand but to affirm that cybersecurity has become both an opportunity and a liability: an opportunity to deploy capabilities that enhance an organization's ability to generate positive business outcomes, and a severe liability in the event of a successful cyberattack that disrupts continuity of business operations. Executives and boards of directors need to understand that we now live in a low-intensity cyberconflict and that cyberdefense operations are simply a standard part of business continuity. It’s for this reason that questions about the effectiveness of current security programs and operations are paramount and part of their fiduciary responsibility.
Do the executive team and the board share a view of acceptable cybersecurity risk?
Adversaries are investing significantly in cyberspace operations to achieve their objectives. Year-over-year, we continue to see a substantial intensification in both the velocity and severity of attacks. As a result of today’s threat landscape, CISOs face pressure to explain their cyberdefense strategy to their boards. Unfortunately, many businesses do not have the appropriate organizational structure or focus to enable the leadership team to understand what it takes to coordinate an ongoing response to cyberthreats.
According to McKinsey & Company, cybersecurity employees are often at least two tiers down from the CEO. Informal communication, such as emails, between cybersecurity teams and the C-suite occurs less than half the time (44%). While most boards and executives acknowledge the serious threats that cyberattacks pose to their business, they are unsure of how to create a strategy that helps them understand and address the threats.
More than anything, security teams should have an answer to the fundamental question: Are we adequately organized and invested to defend what’s important to us? Since a typical CISO monitors dozens of security controls and must comply with even more standards and regulations, that’s not an easy question to answer. Headline-grabbing breaches are increasing in frequency and impact, and the looming threat of the next major attack pushes organizations to buy the next big “thing” in cybersecurity tools. Everyone looks for the new silver-bullet tool that will miraculously solve their problems, but that will never happen. Instead, this pursuit has created tool sprawl and an explosion of tool complexity that makes communicating with the executive team and board extremely challenging.
CISOs need to evaluate their organization’s security controls better than the adversary evaluates them. Then, to communicate effectively with the entire executive team, CISOs must invest in solutions that regularly measure their security program's performance and deliver easily consumable metrics. By objectively evaluating the effectiveness of security controls and finding solutions for gaps and overlaps in the security control stack, such solutions provide the knowledge needed to outline risk to executives in clear, non-technical terms.
Does the organization have a clear plan for maximizing cybersecurity return on investment?
As the threat of an economic slowdown looms over businesses and organizations continue to face difficulties in recruiting, training, and retaining security talent, companies cannot afford to keep spending more money on tools while their security teams chase down and fix every new vulnerability. Vulnerabilities are an unsolvable problem: misconfigurations and human error will always create gaps. Instead, companies must focus on ensuring that their current defensive program, which protects all of those vulnerable systems against potential adversaries, is actually working.
Historically, thorough information on adversary strategies was limited to classified government settings. Companies could not attain real security effectiveness because there was no uniform repository or effective tooling for evaluating adversary activities in the private sector. Today, companies can use frameworks like MITRE ATT&CK to test their defenses against established adversary behaviors and so help ensure that cybersecurity capabilities can appropriately defend the enterprise. With the intelligence offered by this framework of known adversary tactics, techniques and procedures, teams can migrate from an ad hoc approach that prioritizes a check-the-box compliance mindset to one focused on combating recognized, dangerous threats.
A look ahead
In today’s digital era, every organization has become progressively more reliant on the internet and network connectivity to make money, save lives, and deliver public services. That’s why every company should consider itself a technology company – no IT environment is exempt. If all organizations are technology companies, then they must prioritize cybersecurity as a strategic imperative to ensure they are connected, digitized, and defended.
We must shift our strategy, as governments and as capitalist markets, to reach and sustain this strategic advantage. By testing and validating security controls, processes, and people, CISOs will unlock the visibility needed to deliver data-driven insights on improving resilience in cyberspace. A comprehensive understanding of whether all of their cybersecurity investments are working makes it possible to answer with confidence the questions that executives and board members are asking today.
Carl Wright, chief commercial officer, AttackIQ