President Biden met last month with the CEOs of major corporations like Apple, Amazon, IBM, Google, Bank of America and JPMorgan Chase to discuss our nation’s growing cybersecurity challenges. In the meeting, he called on leaders to increase efforts to battle cybercriminals, stating that both the public and private sectors must address cybersecurity. The government’s concern about lax cybersecurity also shows in the Senate-approved $1.2 trillion infrastructure bill, which carries a $2 billion earmark for cybersecurity initiatives. The bill still awaits House approval.
As the federal government throws down the gauntlet for a more focused approach to cybersecurity, we wonder how businesses will respond. If history is any indicator, the private sector must do more than it currently has. For context, the famed Target breach in 2013 set the benchmark for such incidents. But since then, there have been countless incidents across industries, such as SolarWinds and Colonial Pipeline. Just recently, T-Mobile experienced its fourth notable breach in as many years.
With each passing year, security breaches get more sophisticated and expensive and affect more people. IBM’s 2021 “Cost of a Data Breach” report found that the average incident now costs organizations more than $4 million, a record high. More concerning is that it took organizations an average of 287 days to detect and contain a breach, a week longer than the year before. T-Mobile’s breach exposed the personal information of more than 54 million customers, according to the latest tally. As cybercriminals continue to stay ahead of the curve with inventive ways to exploit new vulnerabilities, we must ask ourselves whether organizations are doing everything within their power to stop them, or at least slow them down.
When I speak with companies about their security efforts, many admit that they could do more. Still, they are also quick to point out barriers that prevent them from investing appropriately in security, and they trade security off against business performance. In effect, many call security a priority, but it does not actually interrupt the business until a breach happens, data gets stolen, and attackers demand a ransom or regulators levy fines the company cannot afford. The three most common reasons for not making security a top priority are cost, complexity, and talent. Let’s take a closer look at those arguments and what organizations can do to overcome them:
- Differentiate between cybersecurity cost and value.
Cybersecurity can cost a lot of money, but companies should not isolate cyber investment from business operations. Security represents an opportunity to add value to an organization, especially for those in the middle of a digital transformation. Taking a DataSecOps approach can help, in which IT and data scientists collaborate on how every decision will affect security. This approach controls costs and builds value because security gets woven into the fabric of managing the business itself, as opposed to being a reactive measure.
Many organizations also already have the tools necessary to minimize the risk of data breaches, but opt not to use them. In 2020, IDG found that half of the security and IT decision-makers surveyed were not using all of their security providers’ solutions. While we can understand if an organization lacks the capital to deploy new technology, it makes no sense to increase risk by not implementing tools already on hand. Companies should inventory their solutions and create a roadmap that addresses security with respect to business performance.
- Analyze cybersecurity complexity.
In my experience, many companies don’t make use of existing security solutions because they don’t want to interrupt business processes: they fear application breakage, performance impact, or losing visibility into infrastructure assets. The accelerated move to the cloud has added enormous cybersecurity complexity. Many organizations have gone from defending a single on-premises perimeter to a remote, cloud-based model in which every device connected to disparate networks is a potential entry point, most often through misconfiguration. And for those operating a hybrid cloud/on-premises model, reducing data breach risk has become even more difficult.
Companies can address complexity by identifying the full spectrum of an organization’s security solutions and why they use them and then eliminate the products that do not pass a risk-reward test. Very often, shrinking the stack can simplify security.
The work of understanding what to protect and how to protect it will never go away. Start by determining the company’s most important data, meaning the data the company could not afford to lose because the potential losses are too great, and prioritize security efforts there. As a fail-safe control, companies should protect that data at the record level, particularly if it lives in the cloud, so that a copy of the database is useless to an attacker who does not also hold the keys.
Companies should also have clear, understandable rules for business users to follow. Most users don’t need to know all the complexities; they only need to know what’s expected of them in maintaining cybersecurity best practices.
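To make "protect data at the record level" concrete, here is an added example (my own illustration, not Baffle's product or code) of field-level envelope encryption for a customer row: the fields classified as sensitive are sealed under a per-record data key, that key is wrapped under a key-encryption key held outside the database, and the remaining fields stay in plaintext so the application can still query them. The names (`SENSITIVE_FIELDS`, `protect_record`, `unprotect_record`, the sample customer) are assumptions for the example. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM; in production use AES-GCM from a vetted library and keep the KEK in a KMS or HSM.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Classification decision from the text: which fields could the company not
# afford to lose? Everything else stays in plaintext so it remains queryable.
# (Assumed field names for this example.)
SENSITIVE_FIELDS = frozenset({"ssn", "email"})

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent subkeys so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for an AEAD cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record field failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def protect_record(kek: bytes, record: dict) -> dict:
    """Envelope encryption per record: a fresh data key (DEK) seals each sensitive
    field and the DEK is itself sealed under the key-encryption key (KEK), so the
    stored row carries no plaintext for SENSITIVE_FIELDS and no usable key."""
    dek = secrets.token_bytes(32)
    stored = {}
    for field, value in record.items():
        stored[field] = _b64(seal(dek, str(value).encode("utf-8"))) if field in SENSITIVE_FIELDS else value
    stored["_dek"] = _b64(seal(kek, dek))
    return stored


def unprotect_record(kek: bytes, stored: dict) -> dict:
    """Unwrap the DEK with the KEK, then open each sensitive field. Raises ValueError
    if any ciphertext or the wrapped DEK was altered, KeyError if the DEK is gone."""
    dek = open_sealed(kek, base64.b64decode(stored["_dek"]))
    record = {}
    for field, value in stored.items():
        if field == "_dek":
            continue
        record[field] = open_sealed(dek, base64.b64decode(value)).decode("utf-8") if field in SENSITIVE_FIELDS else value
    return record


def leaks_plaintext(stored: dict, record: dict) -> bool:
    """View the stored row as an attacker holding a database dump would."""
    dump = json.dumps(stored)
    return any(str(record[f]) in dump for f in SENSITIVE_FIELDS if f in record)


def flip_byte(stored: dict, field: str) -> dict:
    """Copy of the row with one ciphertext byte of `field` flipped (simulated tampering)."""
    blob = bytearray(base64.b64decode(stored[field]))
    blob[NONCE_LEN] ^= 0x01
    return {**stored, field: _b64(bytes(blob))}


def crypto_shred(stored: dict) -> dict:
    """Deleting only the wrapped DEK renders this one record unrecoverable."""
    return {k: v for k, v in stored.items() if k != "_dek"}


if __name__ == "__main__":
    kek = secrets.token_bytes(32)  # in practice held in a KMS/HSM, never in the database
    customer = {"id": 7, "name": "Ada", "ssn": "123-45-6789", "email": "ada@example.com"}  # constructed sample
    row = protect_record(kek, customer)
    print(json.dumps(row, indent=2))
    print("plaintext visible in dump:", leaks_plaintext(row, customer))
    print("round trip ok:", unprotect_record(kek, row) == customer)
```

The design point is the data model rather than the cipher: because each record has its own DEK, a leaked dump exposes nothing without the KEK, a single tampered field fails authentication instead of silently decrypting to garbage, and deleting one wrapped DEK retires one customer's data without touching the rest of the table.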
- Address cybersecurity talent shortages.
The shortage of available cybersecurity talent has become very significant and will likely not improve in the near term. In a 2021 study, ISSA International found that the cybersecurity skills shortage and its associated impacts have not improved over the past few years, and 44% of respondents say it has only gotten worse. The report also said that 38% of respondents have unfilled cybersecurity positions within their organizations. Given the scale of this shortfall, it’s almost inconceivable that organizations can fill these positions with people alone. Companies will rely more on tools that automate data protection, threat detection, and mitigation, and given the number of available vendors, most organizations should find suitable products.
I am encouraged by the increased attention cybersecurity has received and agree that addressing the problem requires a 360-degree effort from the public and private sectors. Data breaches are not going away any time soon, and the attacks are getting harder to address. Still, now is the time to move cybersecurity up the priority queue.
Ameesh Divatia, co-founder and CEO, Baffle