Why neither compliance nor technology alone will keep your organization safe.
Technology providers love to point out that adversaries don’t care about your policies and procedures. They will tell you that adversaries use a mix of automated and manual tools, techniques, and practices to attack your organization, and that only a strong technological defense will keep them at bay. Those technology providers are right…to a point.
While strong technological defenses are important, so too is the idea of embedding cybersecurity into everything your organization does. This requires:
- a careful review and prioritization of the organization’s mission, functions, and strategies;
- a detailed analysis of the threats to those missions, functions, and strategies;
- quantifying, at least at a high level, the risks associated with the identified threats;
- creating policies, procedures, and plans for managing those risks, including allocating appropriate resources (e.g., budget, people, equipment);
- building governance programs that ensure the policies, procedures, and plans are followed; and,
- repeating this process on a regular basis to address changes in the organization’s mission, functions, and strategies as well as the changing threat landscape.
Unless your organization embraces this approach, it will suffer from at least one of two classic problems:
- Assuming that since you are “compliant” with a cybersecurity framework, you are safe; or
- Assuming that technology alone can keep you safe.
Check-the-box Compliance does not Equal Security
Cybersecurity frameworks like NIST SP 800-171 and the NIST Cybersecurity Framework help ensure your organization’s cybersecurity program has certain key attributes, like a plan for how security will be implemented in a given system (referred to as a “system security plan” or “SSP”) or a plan for how the organization will respond to certain types of incidents (referred to as an “incident response plan”). Those frameworks describe a floor, not a finished program. If your organization relies solely on “check the box” compliance with them, your cybersecurity program will likely be ineffective.
For example, when they learn that they need an incident response plan, some organizations find one online, change the name of the company, and assume that the requirement is satisfied. Unfortunately, this is almost never true. The way one organization should respond to an incident may be very different from the way another organization should respond, even when the two are in the same industry. This is because the organizations have different missions, functions, strategies, organizational structures, system architectures, and much more.
Similarly, if your organization crafts a custom incident response plan but never tests it (through a tabletop exercise, for instance), your organization isn’t truly ready to respond to an incident. In short, unless the organization embeds cybersecurity into its business practices (i.e., into its DNA), the organization’s cybersecurity program will be ineffective.
Technology does not Equal Security
Embedding cybersecurity into your organization’s DNA takes time and requires a culture change. That concept doesn’t always sit well with executives, who often perceive it as a distraction and a cost center rather than a revenue generator. Many slick-talking salespeople know this, and will convince those executives that their tools or services are the “easy button” for cybersecurity, including for meeting legal and regulatory requirements like CMMC. But there is no easy button, and adding more technology, on its own, isn’t likely to significantly increase your organization’s security.
In fact, the opposite is often true. Business leaders frequently assume that the new tool they bought is protecting them. In reality, the tool is likely generating alerts that no one acts on. Unless someone in the organization is responsible for following up on those alerts, and someone else verifies that the responsible person actually does follow up, the tool only lulls the organization into a false sense of security.
Without an understanding of the unique attributes of your organization, you can’t understand its threats or the corresponding risks. In turn, without understanding the risks, including their likelihood and magnitude, your organization is likely to invest in technologies that address threats that are not relevant to it, or to focus on threats that would have a smaller impact on the organization than others would.
That’s where policies, procedures, plans, and governance come into play. Without a policy that defines who in the organization is responsible for ensuring alerts are addressed, everyone will assume someone else will take care of it. Similarly, if the policy doesn’t include a governance component that verifies the work is being done, the responsible person can be pulled away by other events and the alerts will continue to pile up. Procedures tell those named in the policy exactly what they are expected to do. Plans define how your organization will address any shortcomings or implement enhancements. Governance ensures that the policies, procedures, and plans are all being followed.
Cybersecurity is an ever-growing and changing field, and there are differences of opinion about how best to protect an organization. Some argue that technology is the only way to protect the organization. Others say organizations must focus on compliance, rather than technology. Both are wrong…and right. The best way to achieve a strong, effective cybersecurity program is to ensure you have the technologies in place to protect your critical assets and the policies, procedures, plans, and governance in place to ensure the technologies are used correctly.