How management decisions affect cybersecurity

What security processes does your organization have in place?

Cybersecurity is as much about processes as it is about technologies. In the first part of our series on why security remains a significant challenge for many organizations, we focused on the risks associated with outdated hardware and software, both of which are especially vulnerable to sophisticated threats. Suboptimal tech is usually not the only problem at breached companies, though.

More specifically, management decisions often produce the disorganized, unsustainable processes that result in costly breaches. A review of the relevant literature published in "WIRES Data Mining & Discovery" revealed that more than 40 percent of data leakage is caused by internal employees, with half of those events being accidental. IBM has gone further, estimating that human error is a contributing factor in virtually all security incidents.

From these numbers, we can gather that company-wide training, awareness and collaboration (or lack thereof) are instrumental to security posture. What can organizations improve, other than their IT solutions planning, for better overall defense?

It starts with management: How poor decision-making affects cybersecurity

Executives frequently struggle with cybersecurity strategy because they are unsure of its return on investment (ROI). It's a similar mindset to the one that sometimes convinces people to go without insurance, figuring its costs outweigh their actual risks of injury; in regard to cybersecurity in particular, management may err in thinking "We weren't breached this year, so there's no need for additional spending."

Similar mistakes in judgment might include:

  • Conceiving of effective security as something purely reactive, instead of as a mix of reactive and proactive processes supported by automated infrastructures as well as periodic human interventions.
  • Hoping that simple compliance with widely accepted frameworks such as the ones formulated by the National Institute of Standards and Technology (aka NIST) is enough; in reality, such "checkbox security" is necessary but not sufficient on its own.
  • Focusing too much on systems instead of processes. No system is going to be impenetrable – what counts is reducing the number of vulnerabilities within it, which can only be done through proven, repeatable risk management assessments.

Overconfidence is common and understandable among management personnel when it comes to cybersecurity. Attack types and probabilities are always shifting, making it difficult to know if, when and/or how a given organization will be breached. Accordingly, decision-makers may perceive little ROI in cybersecurity investment and run the risk of having only minimal or simplistic protections in place.

Technology is only one component in effective cybersecurity.

The stakes are too high for this approach. The Ponemon Institute has pegged the cost of the average data breach at more than $3 million, while Verizon has estimated that one-tenth of breaches in 2016 went undetected for at least a year, meaning it's possible to think you're invincible even as your network is being surveilled.

Changing your mindset toward security, from the C-suite on down

Customized IT consulting is a good way to break out of the mindsets that typically impair security-related decisions. By working with a trusted partner to assess, mitigate and manage the specific risks in your organization, you can develop corresponding processes that you can continuously return to as your requirements evolve. Employee education and well-established protocols for acceptable workplace apps and data handling practices are just a few examples of what such processes might entail.


Cybersecurity is better thought of as a journey than a destination. Threats that once seemed so pressing – e.g., homepage hijackers in Microsoft Internet Explorer, malware distributed via floppy disk or CD-ROM, etc. – have been replaced by newer ones such as denial-of-service attacks, ransomware that uses strong encryption and malicious mobile apps. This is why continually updated infrastructure, and sustainable processes to go with it, are so important. Visit our Data and Infrastructure Management page to learn more.