In our previous blog post, we took an in-depth look at why organizations are vulnerable. Now, we’ll take a step forward and move from an academic conversation toward a more practical and actionable path.
According to Gartner, through 2022, at least 95 percent of cloud security failures are predicted to be the customer’s fault. Yikes! We know statistics can be misleading at times, but this should be a clear and resounding statement that we all can do more. The onus is on cloud consumers to be proactive in protecting their data assets.
Proactive Security Assessments and Penetration Testing
The easiest leaks to plug in the security dam are the ones we already know about. The bigger problem that we are focusing on in this blog is the unknowns. While it may sound simple, organizations must take security assessments and testing more seriously if they want to understand (and fix) their vulnerabilities. Let’s look at a few proactive steps that present an initial framework on how to do more.
First and foremost, a vulnerability assessment needs to be conducted. A vulnerability is a hole in your security efforts. These assessments identify and prioritize vulnerabilities in a service or system. This generally includes cataloging resources, assigning rankings, identifying threats to each component and mitigating risk to said services or systems. This gives you a baseline for where you are today, so you can plan where you want to be in the future.
The next thing you can proactively conduct is a threat assessment. A threat differs from a vulnerability in that it is what you are trying to protect against. These assessments go a step further by looking at existing and potential threats and attempting to validate their credibility, seriousness and probability. These assessments can look at a host of areas but will generally provide insight on application vulnerabilities, malware/botnet detection, at-risk security devices, user vulnerabilities and network anomalies; they will potentially identify determined adversaries and nation-state sponsored threat actors as well.
Finally, every organization should pursue penetration testing. These tests, often called “pen tests,” seek to emulate real-world attacks on your applications, systems and networks. These tests are a controlled form of ethical white-hat hacking, where the pen tester is operating on your behalf. Depending on the nature of your business, the frequency of recommended testing intervals can vary, but generally, an annual test is prescribed (quarterly for organizations with highly sensitive data).
The Security-Corporate Board Relationship
According to CIO magazine, only 37 percent of corporate directors feel confident the company they serve is properly secured against a cyberattack. One of the biggest issues driving this lack of confidence is that senior leadership is not directly involved in the information security program. Not only should senior leadership be aware, but they should also be an integral part of the plan. After all, those leading a company should have knowledge of threats to its success. All too often, engagement only occurs after a compelling event (such as a business-impacting incident or a public breach disclosure).
This is by no means a blame game, but rather a call to action. Corporate boards should be involved in security, and security executives should be engaged with boards. The simplest way to do this is to have security executives attend board meetings and have allotted time to brief the board. In this manner, the security group gains deeper insights into the company and the board can ensure they are truly thinking about security as they guide the business.
The most positive change that occurs here, which is also noted by the Harvard Business Review, is that it shifts the corporate culture toward proactive security. This may be a new role for security leaders, but it is incumbent upon today’s security leadership within organizations to act as advisers to the board, in the terms and language that the board speaks.
Corporate leaders understand risk — business risk — and they also understand that cybersecurity is a business risk. Therefore, security professionals need to translate all technical vocabulary into the organization’s focus areas, such as legal, compliance, reputation, brand, financial and safety. Mapping technical gaps to business risks is a formula for success.
Data Integrity at Risk
When we previously discussed data integrity, we asked the question: Can you “trust” your data over its entire lifecycle? Well, we think for most organizations that the answer is no — at least, not today. There are many ways we can address this.
First, you should make predictions and play out scenarios in your environment, no matter how unlikely the threat seems. In a recent conversation, a client expressed the belief that the organization’s data was more than secure because it was encrypted. This perception was revealed to be false after we explained encryption’s irrelevance in the face of quantum computing. And although quantum computing might not be an immediate threat, it should be considered when making security predictions for the future.
The easiest thing to do to prepare is to gain insight on a variety of security topics. Does your security team have a firm grasp on cryptojacking, IoT/OT, spear phishing and public cloud security? While your team may never be experts, knowing about what is potentially out there is the first step to a proactive approach.
Finally, use your vulnerabilities as an opportunity to educate and garner free advice. Do you have an existing partner that is credentialed as a solution adviser? Reach out to them first and get the lay of the land. They may shed new light on the situation or even advise you on other avenues to pursue. Also, don’t forget that you need to educate not only yourselves but also all of the users in your organization. Focus on basic security hygiene, educate your humans and get your house in order across policies, procedures and technical controls.
Securing your organization is not a one-time thing but a continual process. When you create a plan to perform regular testing, actively engage leadership and ensure your data’s integrity, you get the chance to align security and the business — not only on priorities but also on strategy.