Cyber Risk – where to begin for small & mid-size firms

Visiongain estimates that the 2015 worldwide spend on cybersecurity solutions at $75.4B. Gartnerestimates project that spend to exceed $100B in 2018. Despite the continuing investment there is no evidence that a precipitous drop in the number of cyber incidents, nor the economic losses per incident, will accompany that spend. There will be exceptions, specifically large corporations, notably those in financial services. Expect to see improvement, based on the sheer size of their investments, and ability to deploy highly sophisticated cybersecurity infrastructure. Cyber risk for a financial services firm is not simply an operational risk; their existence is dependent upon maintaining the information security tenets of confidentiality, integrity, andaccessibility, and the emerging requirements of information attributes of custody, privacy, sensitivity, and acceptable use.

The challenge is more acute for industries that are relatively new at deploying information technology in an environment where their intellectual property and value are increasingly in a digital form. Unlike the financial services industry, where cybersecurity is a required core-competency, it is less intuitive to newcomers to digital transformation, and especially small and medium size firms. Determining what constitutes an adequate information security strategy is elusive. Compounding this challenge are the following dynamics.

Cybersecurity Market Immaturity: A review of the recent RSA Conference, an annual gathering of ~ 30,000 cybersecurity professionals convened in San Francisco shows all the signs of an early technology market. Approximately four hundred exhibitors featured products and/or services in ~ one hundred different categories of information security. Even for cybersecurity practitioners, this is a mind-numbing universe of solutions, which address a wide array of challenges. Small and medium-size enterprises without the resources of a ‘deep bench’ of information security professionals are challenged to comprehend this collection of technology. Prioritization, of which assets to protect, which threats to address, and what technology to be applied are overwhelming to many outside the core cybersecurity professionals. This industry is also characterized by active merger and acquisition activity. Many of the exhibitors at the RSA Conference will survive only as part of an acquisition or merger, not due to deficiency in the technology, but for reasons that may have to do with an inability to fund growth of sales or marketing.

Rate of Technological Change: compounding the complexity of information security solutions being an ‘early market’, are advances in the computing environment that could be described as no less than ‘revolutionary’. VMware’s CEO Pat Gelsinger demonstrated some of this capability on stage at RSA.Microarchitectures present opportunities on how workloads are deployed, utilizing virtualization and containers. Software-defined network architectures have security risks, but also offer opportunities to further secure information assets. The concept of embedding software-based security within application workloads that can be dynamically established and torn-down challenges the very notion of an identifiable perimeter that must be defended. Traditional hardware-based network security will be further challenged. Consider inline intrusion protection analysis, which will become less practical with the migration from 10GbE to 100GbE networks. There is an order-of-magnitude reduction in the time window between frames, not much time to conduct packet analysis. Here is an example where one technology undermines the utility of another. Also consider the proliferation of the sheer number of endpoints, through which new exposures and threats will evolve. In an ‘IoT’ future, many of these endpoints will possess media-rich content streaming capability, (audio, video), and in the case of industrial applications require real-time and high-integrity services; all areas where vulnerabilities and exposures may occur.

Organizational Factors: The gap between demand and supply of cybersecurity professionals is well known, as discussed in this recent Forbes article. My belief is that organizational role definitions exacerbate this shortage, by treating information security as a ‘bolt-on’ responsibility to traditional IT functions (e.g. network administration, etc.). There may be validity to this in some cases, but this dynamic causes a severe shortage of viable candidates. From an organizational structure (particularly in smaller enterprises that perceive scale economies) cybersecurity operations are traditionally part of the information technology organization. This creates the problem of ‘role scope’ previously mentioned, but also creates an environment where budget / investment decisions for information security are arbitrated against IT infrastructure spend. This is sub-optimum risk management. IT organizations are thrust into the realm of risk management, making investment decisions with which they may be wholly unfamiliar. Indeed there are similarities within the two functions (e.g., Business Continuity and Disaster Recovery), but risk and compliance exposures override that combination. The financial, reputational, and regulatory risks through exposure of Personally Identifiable Information (PII), Personal Health records (governed by HIPPA), or payment information can cripple an enterprise.

Conclusion: There are no silver bullets, but there are steps responsible executives can take to find order in this complexity, and implement a baseline of effective cybersecurity policies. The fundamental objectives should be an understanding of cyber risk exposure and managing that risk accordingly, specific to your enterprise. Some good news, the most commonly used cyber threat vectors are well understood, and many of those can be mitigated through controls that are relatively straightforward. There are frameworks and other tools that illustrate the elements of a cybersecurity program, such as the NIST Cyber framework. Also, useful are an overview of controls from the Center For Internet Security. The use of these tools and frameworks implemented by knowledgeable cybersecurity professionals can form the basis of a comprehensive information security management program.

Competitive dis-advantage due to scale of companies and/or new participants in the digital economy cannot be erased. However, clearly identifying the risks specific in your environment, and managing them accordingly are an effective risk management strategy.

Don Guiou

About Don

Former C-Level Exec of NASDAQ company InfoSec Certifications: CISSP, CISO (Carnegie Mellon CIO Institute) / Founding member of several 'startups' / Georgetown University, Masters, Technology Management / InfoSec Certifications: CISSP, CISO (Carnegie Mellon CIO Institute)
This entry was posted in Cyber Risk, Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s