You might remember that old saying, “When all you have is a hammer, every problem looks like a nail”.
In cybersecurity, many folks only see nails. Often, I hear CEOs saying “We have a firewall, I think we’re safe enough”. Others may say, “We do phishing training annually, we’ve got security covered”.
You already recognize that cybersecurity and compliance (like HIPAA or PCI-DSS) are critical for your organization’s health. What gets ignored is the fact that cybersecurity—especially a strategy that is tailored to your organization—is not as easy as hitting nails into boards.
The threat landscape is constantly growing and changing. In 2017, healthcare cyberattacks amounted to a couple million dollars in damages. In 2020, it’s over 7 billion US dollars.
Last year at Black Hat (the big cybersecurity conference in Las Vegas), over half of organizations in attendance realized that they would have to respond to at least one major breach or attack within the next year.
Those in attendance had realized that their firewall or phishing training was inadequate on its own to keep their organizations safe from changing cyberattacks. Their problems were far from nails, and they realized a hammer was not the right tool.
Oftentimes, whether we’re dealing with compliance issues, cybersecurity, or even operational problems within our organizations, we’re working on the same problems but from different viewpoints. Solving these problems from the perspectives of different groups is when you find the gaps in your approaches (for instance, discovering that a firewall is not your end-all solution).
When thinking about cybersecurity, here are some teams you might want to involve in thinking about your security issues:
Compliance—compliance teams are typically focused on reducing your exposure to various security and privacy risks. They may oversee what is shared by employees or on social media—both of which are serious gateways to attacks and breaches.
Legal Team—your legal team will most likely engage in reviewing and drafting some of your organization’s policies. They are also concerned with reducing risk, mainly from the standpoint of keeping information private.
IT Team—your IT team is predominantly involved in cybersecurity and security compliance, as most organizations see these as IT issues. Your IT team is more likely to experience the backlash or pushback from users when it comes to security policies and the controls that help enforce policies.
So how can you get these teams together for one common goal of aligning your security?
Realize that hammers are only great if everyone is addressing nail-type issues. When you’re talking amongst different stakeholders or people concerned with their data, the most important consideration is to make sure you have the proper tools to address the problem. Cybersecurity certainly requires an array of tools—saws, drills, screwdrivers, etc. There’s no one-size-fits-all solution (if you haven’t already figured that out).
What is an easy way forward to start addressing some of the security concerns within your network?
Most cybersecurity professionals recommend a network security assessment to identify, prioritize, and define your network vulnerabilities. Having issues identified and well-defined gives your teams a clearer path forward to address and mitigate risks within your organization.