Dramatic music fades in, there’s a man in a hoody in a poorly lit room sat in front of his desk, lines of green letters and numbers move horizontally across his laptop screen. ‘I’m In’ he says triumphantly, as he folds up his laptop and walks off stage left.
Isn’t it time we took back control of the cyber narrative? The above scene is common place in film, cinema, adverts and more, and are usually accompanied by statements like “its not if, but when”, “don’t be next” and “they’re coming for you”.
Could you imagine if we followed this narrative for health and safety? “slips are everywhere”, “don’t be next to fall off the wrong type of ladder” and “the workplace is out to get you”. No one would want to do their job!
Whilst the risks are real, and threats exist and breaches happen, this narrative doesn’t support the right behaviours when it comes to cyber. Much like health and safety, the best approach is to make as safe and secure an environment as possible, whilst being prepared that something might still go wrong. “But how do I do it?” I hear you cry; despite the fact your browser doesn’t have ears and can’t hear you…
As Softcat’s Principal Security Consultant I’ve worked with organisations big and small to help them answer that question. I’ll share some insights below:
- Understand Today.
Look at your organisation wholly, both internally (currently technology, people and controls) and externally (threats, risks and landscape). This latter part is more often neglected in the name of the internal optimisation, which whilst important, may not be the right first step.
Think about two buckets: threats that are common, and threats that are likely. Understand where various threat actors and attack scenarios sit, and put them into one or more of these buckets. If you work in a kitchen, drowning isn’t probably a common or likely risk, but pan fires are. If you run a swimming pool, the opposite is true. Another parallel cyber has with health and safety.
- Understand your Goals
Whilst I’d love to say everyone has a bottomless budget when it comes to cyber, that simply isn’t the case, and the next step is to look at what an achievable goal in cyber is for you. Whether its certification based, policy driven or none of the above, what do you need in place, so you can drive your business forward knowing cyber is under control.
- Create a tangible plan.
Now we know 1, and we know 2, all that is left is to work out the route forward. Be realistic with this, if you can only resource 3 projects, don’t build a programme that tries to achieve 7. Understand the speed you can run at and start working.
- Have Cyber ‘first aiders’
Much like health and safety, stuff still could go wrong, and if it does, you’ll need people and processes in place that you can rely on. Having a well-established incident response process, and whether using in house resource or a service provider, gives you a ‘break glass’ solution should the worst happen, especially if the incident falls outside of your common and likely risks.
There’s a lot more that can be done here, but fundamentally cyber isn’t the monster under the bed, or the hoodlum lurking in the dark. It’s a business risk like any other, and with the right focus, mindset, and approach, can be brought to heel like anything else. So let’s change the narrative, and stop feeling out of control, lets illuminate the darkness and remove our hoodies, and let’s not use programmes that use horizontal random green lines of text, it’s 2020 man. Get a GUI.
Alexander is a finalist in the Security Serious Unsung Heroes Awards 2020, sponsored by KnowBe4, Proviti, and Qualys