The Goldilocks Theory for Risk Management
By Patricia Titus, CISO & CPO (Chief Privacy Officer), Markel Corporation [NYSE:MKL]
Companies need the flexibility to transform the way they do business in order to meet market demands, and security needs to transform its thinking accordingly. Technology hasn’t stopped evolving, and adoption continues to grow at a rapid rate. This means security has to stop being viewed as the “sales prevention team.” Security must become nimble enough to react to the changing demands and priorities of its business partners, or it will be pushed aside in the interest of growing the bottom line.
So how does security raise itself to the right level and become a key priority for the business? Education and awareness are one key to cultivating the security behaviors necessary for success, and it is even better if you can make them a corporate goal or priority. One example is educating people about the harm that can be done by clicking on links from unknown sources, to raise their awareness of phishing and other malicious activity. This education must be closely followed by testing how well people actually perform (simulated phishing campaigns are the usual way to do this), which is an excellent way to keep employees on their toes. Keep in mind that showing them what happens when security isn’t a priority is also a great way to change behavior; no one wants to be the person deemed the weakest link. Many companies have tied this to their employees’ performance goals with good success.
Today’s digital transformation requires that security professionals think outside the box and develop new ways of handling the dynamic way our companies adopt and use technology. Some are moving toward a “cloud first” strategy, which means moving as much as possible into cloud-based service offerings or “as a service” models. Cloud creates unique challenges for the many companies that perceive they will lose control of their data, or could suffer catastrophic outages or a data breach. These are the same concerns they should have about their in-house systems, though often they don’t. I have a strong opinion that some companies would increase their security posture if they moved to the cloud for some of their basic back-office automation capabilities like email, calendar, etc. There are also plenty of options for “brokering” the move to the cloud which can help eliminate some of the fear, such as adopting Cloud Access Security Broker (CASB) offerings. A CASB sits between your users and the cloud services they use and gives you visibility and policy enforcement (for example, access control and data loss prevention) from a vendor separate from your cloud provider. And the most important part is making sure you write a good contract with an exit strategy in mind.
A well thought out approach to third-party risk management and supply chain security requires building proactive and rapid capabilities to assess the risk of the third parties we partner with. Gone are the days of long lead times to perform risk assessments, apply security governance and sometimes deny the relationship with a third party because it seemed too risky. We now need to determine the risk tolerance level, lay out the required checks and balances, and allow the adoption of new and innovative capabilities with little to no lead time.
As companies continue to adopt cutting-edge capabilities and technologies to help build their bottom lines, security must do the same. We cannot rely on traditional capabilities alone but need to find new and innovative ways to visualize the risk to the business and help leaders grasp the full risk picture when making corporate decisions. Imagine Company A has recently decided to acquire Company B to meet growth objectives and neglects to perform a cyber security risk assessment before the acquisition decision. After the deal closes, Company A finds out that Company B had been hacked and its intellectual property is now for sale on the dark web to the highest bidder. Company B had no idea it had been hacked, and Company A is out a significant amount of money. In this case a pre-acquisition risk assessment that included a dark web search could have alerted Company A and kept it from making a poor acquisition decision.
An area that Chief Information Security Officers continue to struggle with is educating their companies that there is no silver bullet when it comes to security; it is important to have the right safety mechanisms in place, which means there has to be adequate investment in cyber security. Companies recognize that investing in security is like purchasing auto insurance: having car insurance doesn’t mean you’re never going to have an accident, but having a security program will help protect the information you’ve been entrusted with. Equally important is investing the right amount in cyber security, or what I like to call the Goldilocks Theory: not too much security and not too little, but just right. The media has reported plenty of companies saying they’re spending millions on security and yet still suffering a data breach. So what is the right level of security, and how is it best approached?
Several contributing factors are at play. First, what vertical market are you in, and which threat actors are interested in your business? My experience in several vertical markets has shown me that no two companies are the same, even if they’re in the same vertical market space. One rule of thumb I’ve followed over several years in this profession is that security is 80 percent people and process and 20 percent technology. All three, people, process and technology, are critical to your success, but using this simple reference point may help you put your security program into perspective. Deciding how to ensure your company is leveraging its security professionals to the fullest has been a challenge for many companies, and addressing security concerns as quickly as possible is very important. Many security professionals joke that “security is hard,” but I can honestly say that dealing with a security incident or data breach is much harder.