Assaf Egozi, Managing Partner of B-Hive Israel
Most organizations I encounter tend to define their cyber security strategy through one of two frames: the regulatory requirement frame, or the business-oriented risk management frame.
Although these frames are not mutually exclusive, defining a strategy with a focus on only one of these two frames will inevitably lead to a strategy that falls short of a comprehensive risk management approach.
Developing a Cyber Security Strategy on the Basis of Regulatory Requirement
Generally speaking, organizations more nascent on the cyber security maturity scale will rely on a regulatory-driven approach.
This approach starts by identifying the various regulations that apply to the organization and to its business practices, customers, suppliers and data (whether mandated by law, by an industry body or by customers). Once all the relevant requirements are defined, the organization proceeds to address each of them. Typically, organizations following this strategy aim to "check all the boxes" in the most cost-effective manner.
If executed well, this approach can help an organization "pass the bar" from a legal perspective, but it will inevitably fall short of its cybersecurity needs, because regulations change slowly while the threat landscape changes rapidly.
Simply meeting the existing set of standards and regulations cannot effectively protect an organization's core assets against advanced and persistent threats.
Also, while it may seem like a simple and well-defined approach to follow, the reality is that understanding the exact set of regulations and guidelines that affect an organization is not a simple task, especially for companies operating across different countries. And as cyber law is still evolving, obtaining experienced advice from counsel on the subject is not trivial.
Finally, even if an organization does manage to meet all of its legal obligations, and even if courts determine that the organization and its executives have no legal liability in case of an incident, the damage to the organization's reputation and the costs associated with the incident, response and remediation may cripple the organization regardless.
Leveraging Business Risk Management to Build Your Cyber Security Strategy
More mature organizations tend to look at their security strategy through a different lens: business-risk management. This perspective is predicated on the notion that cyber security is a business risk that cannot be eliminated, and that even trying to do so would be too costly and would likely impose constraints that greatly undermine the organization's ability to conduct business (e.g., slowing time to market for new products, or creating a burden on employees, customers and suppliers).
Therefore, these organizations aim to identify their core assets ("crown jewels"), define the attack scenarios that could potentially be most impactful or cause most harm (whether directly or through impact on reputation), and design their security capabilities based on these scenarios.
This approach has obvious appealing features; however, it too is not without its challenges. Executing such a strategy requires either extremely strong internal cyber security capabilities or the assistance of external experts, both of which are very costly.
This strategy needs to be continuously updated and revised as the business environment changes and as the security landscape evolves. Most importantly, executing this strategy requires alignment across all business functions, which cannot be accomplished if security is managed within a silo in IT.
Interestingly, organizations following this strategy often end up so focused on addressing business risks and advanced threats that they fail to address all their regulatory requirements, leaving them susceptible to lawsuits and investigations.
Why is understanding these biases important? If you are an executive, the answer is clear: you want to understand what drives your organization's security strategy, and its potential implications. Understanding these frames and what drives organizations' cyber strategy is also of paramount importance to cyber security start-ups. Too often I feel that this is ignored, with start-ups pitching their solutions without understanding what drives security decisions in the organizations they are trying to sell to.
Interested in learning more about cybersecurity?
Come to our Fin & Tonic on October 26. We have a great lineup of speakers ready to discuss this hot topic.