
Turn cybersecurity into a differentiator

Today’s columnist, Casey Ellis of Bugcrowd, says by going public on SolarWinds, FireEye Mandiant stayed ahead of the conversation. https://www.flickr.com/photos/22201094@N08; https://creativecommons.org/licenses/by/2.0/legalcode

There are numerous enterprise cybersecurity lessons from the last year, but none are more important than the need for a proactive, fully transparent approach to navigating today’s threat landscape.

A great example of an effective cybersecurity strategy is the set of measures taken leading up to the 2020 U.S. election, when federal, state, and local government officials worked with voting machine manufacturers to ensure critical infrastructure remained secure. Voting machine companies and several states launched initiatives such as vulnerability disclosure programs (VDPs), which offer researchers a secure channel for reporting security issues and vulnerabilities, enable continuous monitoring, and give the public tangible evidence of a strengthened security posture.

Enterprises must recognize that transparency and consumer confidence are fundamental features of the future of the internet and build their cybersecurity programs with this in mind.

Turning avoidance into acceptance

Breaches are going to happen, and vulnerabilities are going to exist that enable a breach. It’s the job of security teams to minimize and delay the impact as much as possible in service of the user and their employer. Companies have to accept that people make mistakes, that the cybercriminals who want to break into their networks are skilled and diverse, and at some point, a breach will likely happen. Accepting this reality allows teams to focus on recovery and how to minimize the consequences for customers.

Without acceptance of the more uncomfortable aspects of the nature of cybersecurity, a culture of avoidance – or worse, whitewashing – can thrive and block any progress towards turning cybersecurity into a differentiator, and towards using that drive to pragmatically reduce risk.

Transition to a proactive approach

Security teams often have difficulty positioning their value as a positive rather than an “avoided negative.” During the 2020 election, we saw the importance of establishing trust, and how organizations can lose that trust following a cybersecurity incident if vendors don’t talk about what went wrong and how they will fix it in a way that customers and the public can understand.

Organizations can no longer operate via “ostrich risk management” — when companies bury their heads in the sand and operate on the assumption that if they ignore the things that can go wrong, those things will just go away. Moving past it often means recognizing that internal security teams need a partner to remain successful, and looking to external security researchers to help identify unknown security vulnerabilities and the risks they create.

Being open when vulnerable areas are identified, and learning to anticipate that security teams can fail, will better protect companies and their customers. Vulnerabilities are inherent to digital transformation, and community-led projects such as disclose.io show organizations how they can be transparent about these issues while also showing the public how they are engaging in cybersecurity best practices.

Get comfortable with information sharing

We have to think of cybersecurity as a team sport, especially when it comes to information sharing following a breach. If customers and the public see companies sharing information between themselves and the government, they view that collaboration as a leading indicator of maturity and trustworthiness, and that’s crucial to thriving as a business.

The Biden administration has expanded on the work started by the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Homeland Security (DHS) by exploring new methods for strengthening the reporting relationship between the public and private sector to support earlier threat detection and remediation. Two of the recent major attacks, SolarWinds and Microsoft Exchange, were first discovered by FireEye Mandiant and Microsoft, both of which are private companies. Companies should begin establishing protocols with this in mind to stay ahead of the conversation.

Transform cybersecurity into a market differentiator

Right now, CSOs and CISOs are trying to find a more compelling story to tell the CFO when they’re asking for budget than, “Oh, what if this bad thing happens?” Top management needs to understand that the major breaches we have seen over the last few months have caught the attention of the media, the government, and the broader population. This ushers in a new era of expectations for accountability, and it’s important to align with the executive team.

By shifting the way they look at cybersecurity and adopting the line of thinking outlined in the recommendations above, organizations can find better ways to tie their efforts back to customer retention and growth.

Casey Ellis, founder, CTO and Chairman, Bugcrowd

Casey Ellis

Casey is the Founder and Chief Strategy Officer of Bugcrowd, as well as the co-founder of The disclose.io Project. He is a 20+ year veteran of information security who entered the space from a youth spent inventing things and generally getting technology to misbehave. Prior to Bugcrowd, Casey entered information security as a penetration tester and security researcher, before wearing a variety of hats ranging from solutions architecture and sales to CSO, and finally landing as a career cybersecurity entrepreneur.

Casey pioneered Crowdsourced Security as-a-Service, launching Bugcrowd and its first bug bounty programs in 2012, and co-founded the disclose.io vulnerability disclosure standardization and adoption project in 2014.
