Recently, our organization's CEO asked me a question about Cybersecurity: "Are we spending enough time and money on preventing cyber-incidents from occurring at our organization?" After a brief pause for careful consideration, I answered him: "It depends ... let me explain my point of view with an analogy."

I went on to explain how your home has some security measures included by design, like a front door with a deadbolt lock. What makes you decide to add more security measures? Is it to gain extra peace of mind when you are away on a business trip, to ensure your family is safe? Or is it to lower your home insurance cost? I think the biggest determining factor is the occurrence of criminal events like home invasions in your neighborhood.

Additional home security measures can include installing a burglar alarm system, security monitoring cameras, or myriad other security solutions. Really, the sky is the limit with the amount of money you could spend to mitigate the risk of a home invasion and theft of personal property.

The Unlocked Door

All these extra security measures will cost you money and will lower your risk. There is no guarantee, however, that these measures will prevent an incident from occurring. If you have a high-value home with high-value personal property, your risk is higher as well, and your home will require more expensive security measures as a proper deterrent for a potential thief. If thieves are determined to break into your home, though, they will likely find a way; no security measure will stop them, it will only slow them down. On the other hand, even with all your sophisticated security measures, it only takes one person in your family to let the potential burglar in, for example by leaving the garage door open or unlocked, or by letting a phony repairman into your home by mistake, thus bypassing all your expansive security measures.

With the above-mentioned home security analogy in mind, the same holds true for cybersecurity incidents, which occur on a daily basis and at an ever-increasing pace. Your organization may have the best cyber-defenses in the world, but your organization’s employees may let the bad guys in by clicking on a phishing link, bypassing all your expansive security measures.

How Much Risk?

To truly answer the CEO’s question on whether or not we are spending enough money and resources on cybersecurity, we need to consider the following: it really depends on the nature and level of cyber-risk your organization faces. Every organization is unique and has vastly different levels of cybersecurity risk and potential impact. For example, a hospital’s patient data requires a different level of cybersecurity defenses than the computer network of the corner bakery. What may be too much money to spend on cybersecurity measures for one organization may not be enough for another. It’s a delicate balancing act between the level of cyber-risk you are willing to accept and the money you are willing to spend on cybersecurity defenses.

I concluded my conversation with the CEO by advising him on how best to think about addressing cybersecurity, and by posing some relevant questions. Do you understand your organization’s cyber-risk exposure? Do you have the right people in place in key cybersecurity and IT roles? Is your approach to cybersecurity formalized in a comprehensive cybersecurity program that compares well with industry cybersecurity standards? If you can’t answer those questions in the affirmative, determining how much cybersecurity you need will remain an elusive pursuit.

Marius Bosman is IT audit director at Ball Corp. The views expressed in this article are his own and are not intended to reflect the views of any particular organization.