Cybersecurity has historically been treated as a primarily technical problem, best characterized by companies “bobbing” for technical apples (solutions) based upon a perceived need to identify and remediate known or newly discovered vulnerabilities. The use of a technological vulnerability model results in an endless and unnecessarily costly game of whack-a-mole, as businesses robotically move to address the latest technical problem. Such a focus leaves little time for, and supports little interest in, creating significantly more impactful and cost-effective security solutions responsive to each business’ relatively unique security profile and business strategies. Moreover, the technology-focused approach tends to result in less attention paid to other aspects of the core cybersecurity requirements, such as the non-technical safeguards, the cybersecurity program process, proper business risk assessment, and business cost analysis.
When you own or run a business, cybersecurity is not a security or technical problem; it is a business problem. We view cybersecurity from the perspective of business risk and not technological vulnerability. Cybersecurity’s purpose is to help you enable your business’ strategic goals. Achievement of your business strategy requires identification and, where called for, remediation of anticipated risks to those goals. A business risk-driven approach views cybersecurity as the means of determining and addressing cyber-based risks to the business’ strategic goals. Cybersecurity therefore becomes the component of your overall business strategy that focuses on those cybersecurity issues that could have the most significant positive or negative business impact.
This business-focused perspective drives your cybersecurity strategy and informs the technical solutions and other security measures employed to achieve the objectives of that strategy. Thus, selection and implementation of all security measures is characterized by an effort to identify and address those activities and conditions that are likely to adversely affect the business’ core cybersecurity goals and consequently adversely impact one or more strategic business goals. Under this approach, business strategy informs analysis of the security safeguards needed, and the needed safeguards inform the technology choices. On a practical level, business strategy informs technology choices, not the other way around.
This business-risk-driven orientation also acts to greatly control the costs associated with protecting data, because it eliminates the often needless selection of technology controls for technology’s sake by constraining technology decisions to those business data and processes most likely impacted by identified security risks. It also forces the business to critically identify and weigh the strategic economic risks associated with implementing or failing to implement a particular cybersecurity decision.
Simply put, this approach represents the difference between looking for and addressing “business risks” versus looking for and addressing “technical risks.”
We believe that the sole purpose of cybersecurity is to protect your business data, and therefore your business, from the consequences of a cyberattack. To achieve this purpose, a business of any size must have cybersecurity that is resilient, defensible, and cost-effective.
Cyber resilience is the capability to withstand the full spectrum of cyberattacks and thereby prevent compromise of the confidentiality, integrity, and availability of your strategic business data. It is achieved by selecting and deploying administrative, technical, and physical safeguards which are designed specifically to prevent the compromise of your strategic business data, and which are appropriate to the data risks faced by your business.
Cyber defensibility anticipates how your security measures are likely to be viewed and evaluated in hindsight if the applied cybersecurity safeguards fail to prevent a compromise of your strategic data. Its purpose is to eliminate or reduce the adverse economic and non-economic consequences which may arise from a compromise of strategic business information, and which may be reflected in both current and future economic performance.
Cyber defensibility can only be achieved through the implementation of a comprehensive and dynamic cybersecurity program made up of reasonable cybersecurity safeguards, processes, and practices which, taken together, both reduce the risk of a data compromise and reduce or eliminate adverse post-compromise consequences.
Cyber cost-effectiveness is best achieved by focusing primarily upon those security measures likely to have the most significant impact upon your strategic business goals, and by avoiding piecemeal, ad hoc selection and implementation of cybersecurity measures.
The first and most critical step in achieving resilient, defensible, and cost-effective cybersecurity is the creation and implementation of a comprehensive cybersecurity program. A cost-effective, resilient, and defensible program comprises processes, policies, and technologies appropriate to the size, scope, nature, and complexity of your business and its attendant risks, and to the sensitivity of your business data. Many businesses fail to create and use a cybersecurity program because creating and utilizing these components seems daunting, confusing, difficult, and time-consuming. With proper guidance, this need not be the case.
Using such leading industry standards and best practices as the Safeguards Rule, the NIST Framework, and the CIS-20 Controls, we guide you and your team through the cyber risk issues specific to your business. The Safeguards Rule is a widely accepted and followed data security practices standard, as well as a legal standard of care for judging potential liability in the aftermath of a compromise. The Safeguards Rule provides a template for identifying strategic risks and a process for mitigating those risks. The NIST Framework supports a business-driven cybersecurity strategy by providing a comprehensive methodology for selecting and implementing the specific technological, administrative, and physical safeguards needed to mitigate identified cyber risks to your business data, and therefore to the achievement of your business goals. Utilization of these standards allows our clients to achieve the core goals of any cybersecurity program: (1) strong protection of your digital information; (2) improved legal defensibility; and (3) cost-effectiveness.