Businesses, Do You Feel Informed or Overwhelmed?

Author: Guy Golan, CEO of Performanta

We need to take a step away from ‘cybersecurity’ and turn our attention to the concept of ‘Cyber Safety.’ This new mindset is based on real-time, accurate and relevant data on moving risks, and the process of making this accessible to all within the business. Accurate data leads to accurate decisions – not ones made in panic.

If you work in cybersecurity, you’ll understand what I mean when I say our industry is overwhelming us. The ‘always on’ culture that has flooded our business conversations over the last two years is a familiar concept to cyber experts. Criminals don’t ‘tools down’ just because it’s the weekend, which means we can’t either.

The complexity of the sector, and the speed at which the threat landscape has grown, means cybersecurity as an industry has adopted a practice where a risk alert is sent the second something changes within the ecosystem, whether critical or not. An empty inbox can fill up within seconds – though the idea of an empty inbox is farcical in itself.

It’s then standard practice to keep the CEO and board executives updated with the data received, overwhelming them with risk alerts as well.

There’s an ongoing belief within most industries that to be unaware of every small update, is to be out of touch. But is this really true?

By indulging in this culture, are we really keeping the wider business informed of cyber risks, or are we just overwhelming them? Wouldn’t it be better to channel a cybersecurity approach that works on a need-to-know basis? Let’s explore how this is possible.

Real-world application

When we think about the desired level of awareness of the multitude of changes taking place within a cyber-ecosystem, it’s worth looking to another sector to see if the same logic applies, for example, the aviation sector.

Also Read: Top Cybersecurity Challenges for Healthcare CISOs

When you’re on a plane, which would you rather: the pilot telling you when every single little error occurs, or only when it requires you to act? Problems happen all the time, but they are dealt with behind the scenes. We rely on flight staff to practice discretion, for our own peace and comfort, so why can’t the same apply to cybersecurity?

The practice within cyber is currently the opposite – every problem is front and center. Being aware of the changes within the ecosystem is good, but quite often this awareness turns into an overwhelming tumult of alerts.

A change in mindset

To best respond to the modern threat landscape, we need to re-address cyber practices and strategies to ensure they all align.

We’ve found a sense of familiarity within our existing cybersecurity practices, having established them many years ago. The idea of a process overhaul is therefore a daunting prospect.

But if we bring it back to logic, the task seems less drastic. We know cyber breaches occur on a ‘when’ not ‘if’ basis, so when the inevitable happens, what would be the minimum level of operation you’d want your business to continue working on? And in the meantime, how ‘aware’ does the business need to be of every incident detected, large or small?

We need to take a step away from ‘cybersecurity’ and turn our attention to the concept of ‘Cyber Safety.’ This new mindset is based on real-time, accurate and relevant data on moving risks, and the process of making this accessible to all within the business. Accurate data leads to accurate decisions – not ones made in panic.

By narrowing focus on relevant data and business operations, organizations will naturally start thinking about how to lower the risk and limit the impact on the business itself, not just the network.

Putting it into action

Businesses can apply this approach to their existing strategies without having to overhaul their entire security ecosystem in three core steps:

First, spend some time determining your ideal end business-state. How are you trying to run as a business, and what would be the minimum operational level you’d accept post breach?

Step two, work backwards to calculate what needs to be done to help ensure that business-state is possible. This is where technology and processes start to come into play.

And finally, agree on when a risk alert is to be elevated through the company. If the genuine cyber risk situation is quiet, then reporting can be kept to a minimum.

Partnering with a security service provider that aligns its approach with Cyber Safety can be an additional arm of support for security teams, but organizations can equally progress through the steps independently – there’s room to scale as needed.

In general, security founded in the midst of panic is unsustainable, so taking a step back – out of the noise of the industry – to see where their business stands can be extremely valuable. Buying the next flashy security product released to market often instils a false sense of security when, in actual fact, they’re still just as prone to attack as before.

The intention behind Cyber Safety is not to remove all risk of attack – because that’s impossible – but instead to help maintain sufficient business operations using real-time data, without overwhelming teams with millions of risk alerts. Staying afloat in the sea of cyber threats requires complete visibility; unrestricted access to information and insight, but presented in an accessible and controlled way.

Cybersecurity has become the product; Cyber Safety needs to become the strategy.