For a commercial enterprise, how much to invest in cybersecurity has to be determined from a risk assessment based on a number of tangible and intangible factors. How mature is our security program? How IT-enabled are our processes? What are the threats to our industry? What compliance requirements are imposed on us by our industry or by our corporate operations?
Weaving your way through this kind of risk assessment can be a serious challenge! One theme that keeps coming up in cybersecurity is the difficulty of properly assessing those risks. As humans, the risk we cannot see does not exist. If you saw random people walking through your office building, rifling through your desk and peeking at your files, everyone would be talking about the need for a more effective system at the front desk. If you saw 1,000 people circling your business 24/7, 365 days a year, constantly checking for open windows and unlocked doors, the risk of an intrusion would seem pretty high. That is essentially what happens every day in all of our office spaces, and we are completely unaware of it because those file searches and tests of the doors and windows are digital and completely invisible.
How do we address that shortfall in our ability to see what is going on in our cyber world? One mechanism is to pick a lens through which we view our digital enterprise. There are a number of them out there, but one particularly far-reaching example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). In addition to having the advantage of being completely free, the NIST CSF is the lens that I think does the best job of displaying your cyber enterprise's current state, especially when used as the framework for a security maturity evaluation.
In particular, I find its inclusion of "Detect" as one of its five fundamental Functions (Identify, Protect, Detect, Respond and Recover in CSF 1.1; version 2.0 has since added Govern as a sixth) very compelling. Most cybersecurity frameworks include detection in some fashion, but none lay it out more fundamentally than the NIST CSF. This speaks directly to your ability to "see" those digital stalkers and intruders, and gaining that visibility is a key part of being able to evaluate and reduce your risk.
Detection is the most often overlooked part of the cyber equation. What IT professional wants to know that they have digital intruders wandering their network? None, so detection tends to be an under-appreciated aspect of your security enterprise. Famously, it has been said that there are two types of companies: those that have been hacked, and those that don't know they have been hacked. With thousands of attempts a day to breach your defenses, some of those attempts are going to succeed. When it comes to cyber, I often ask companies my favorite question: how many cyber incidents have you had in the last year? If the answer is none, you have a significant hidden risk, because the realistic interpretation is not that nothing happened but that nothing was detected.
A second approach that helps you manage risk is engaging a second set of eyes from outside the organization to take a look and evaluate it against something like the NIST CSF. Conduct a gap assessment. What are we missing today that we should consider? Where are we, objectively, on a maturity spectrum compared to our chosen framework? Are there significant gaps that may be adding to our risk? This kind of gap assessment against a framework can arm executives with the information they need to better assess their current cyber risk and make plans to effectively mitigate that risk for their organization.