Written by: Alain Marcuse, Information Security Leadership Faculty
Imagine you are responsible for cybersecurity at your company. Your mission is to support the business, but you’re among the 90% of security leaders who believe they are falling short in addressing cyber risk, according to the 2021 Security Priorities study by Foundry. You are well aware that threats continue to evolve faster than your budget and/or resources; according to the same study, 54% of CISOs expect no increase at all in their budget next year.
Against this backdrop, cybersecurity threats are certainly not standing still. According to PwC’s 2022 Global Digital Trust Insights report, more than 50% of organizations expect a surge in reportable incidents over the 2021 rate. In short, the threat landscape continues to grow more rapidly than the resources available to you.
But the challenge is not only a “simple” matter of balancing resources against threats. Cybersecurity is an increasingly regulated field, governed by sectoral laws such as HIPAA or industry standards such as PCI DSS, state laws such as in Massachusetts or New York, and even extra-territorial laws such as the European Union’s GDPR. Insurance companies are increasingly imposing their own requirements as well, in order to better manage underwriting risk.
In short, you need to make sure security doesn’t interfere with the business, or slow it down; but your primary responsibility is to maintain the organization’s security, in a context where the threats keep increasing, regulations keep multiplying, but the budget made available to you remains flat.
You are expected to maintain “reasonable security”, but how do you define that, let alone achieve it? What’s deemed reasonable can well be in the eye of the beholder, and also changes over time. Technology evolution also requires updating the concept of what’s reasonable; what made sense in 2012 does not necessarily make sense in 2022. Consider something as simple as password length. PCI DSS 3.2.1, a standard released in 2018 that still governs security requirements at merchants that use credit cards, requires passwords to be 7 characters long. In 2022, it is estimated that such weak passwords can be cracked within 7 seconds. Is this “reasonable”? If a breach happens, how will you answer “how could you let this happen?”
The key to resolving this challenge is to regularly take stock of the threat landscape, and of the security program’s ability to confront it, by means of a formal risk assessment – whether conducted internally or by an external party. While most security teams are stretched simply keeping up with day-to-day challenges, it is important to take the time to look at the broad picture and ensure security strategy and tactics are still aligned to the threats, regulations, and business requirements at hand. A risk assessment will also help with prioritizing what initiatives will be undertaken and why, and what risks will be deemed acceptable, making the program more defensible when discussing it with other executives, the Board, or regulators.
While regular risk assessments provide a frame of reference for answering the “reasonableness” question, it is important to remember that all security programs will fail, in one way or another, sooner or later. Cybersecurity is a form of asymmetric warfare where the enemy is typically better equipped and less constrained than the defenders. As a result, two key elements must be prioritized: defense in depth, and incident response.
If you have received a breach notification from a company you work with, you will undoubtedly have noticed that the breach was always the result of a “sophisticated” attack, possibly leveraging a “zero-day” vulnerability. By definition, a “zero-day” vulnerability is one for which no patch currently exists. As of mid-2022, 18 such vulnerabilities came to light just this year. Given the near-certainty that some attack vectors will succeed, implementing a defense-in-depth strategy will help minimize the damage, in a cybersecurity version of James Reason’s “Swiss cheese model” of failure in complex systems.
While a defense-in-depth strategy can help minimize the damage, damage will almost certainly happen at some point; it is here that a well-developed incident response program matters most. This is really not dissimilar to good crisis management practice in any other discipline; a well-prepared, well-rehearsed plan for managing and communicating about a cybersecurity incident will go a long way towards mitigating damage, including reputational damage.
The concept of “reasonable security” may well be an elusive beast, given it can be subjective and/or defined differently depending on the entity or circumstances in which the reasonableness question is answered. But a security program structured on the foundation of regular risk assessments, deploying a well-considered strategy of defense in depth, and supported by a properly-rehearsed incident response plan, will be more likely to be perceived as meeting a “reasonableness” standard.
Alain Marcuse is a professor in the Information Security Leadership program at Brandeis University, and the Chief Information Security Officer at Validity Inc.