It’s estimated that cybercrime will cost the world $6 trillion annually by 2021. There are over a billion malware programs currently in circulation. And according to a Clark School study, there is one cyberattack every 39 seconds.
Clearly, actions taken by cybersecurity practitioners in managing cyber risk and preventing cyberattacks are not working. A cyberdefense strategy that is centered on security controls with a heavy reliance on the likes of firewall and anti-virus software is simply insufficient to manage the onslaught of cyberthreats.
The industry has been groomed and coached to pay attention to cybersecurity alerts, incidents and breaches. These are what we refer to as “cyber events.” Our brains have been wired to jump and take action whenever we see a blinking red light on a SIEM or SOAR dashboard. And we react, en masse, when an actual cyber incident has already occurred. A cyber incident gets the attention of everyone across the corporate hierarchy, from the rank and file to the board of directors.
To effectively reduce the number of cyber intrusions, a radical mindset shift is needed. Leaders must redefine the concept of a strong cyber posture and relegate event-based security to its rightful place — as an inferior approach to managing cyber risks and threats.
Let me paint a couple of scenarios to illustrate what a typical event-based mindset looks like in an organization.
An IT operations team spends time chasing down bug fixes and security patches, solving business users’ IT issues (“Help! I think I clicked something funny!”), running data backups, and doing other operational tasks. These day-to-day functions keep everyone looking productive. When a cyber incident or data breach occurs, alarms start ringing. Remedial actions take precedence and priority. The team becomes 100% focused on solving the cyber incident.
When studying the breach, the focus is on conducting a technical investigation, analyzing the malware that just landed and its malicious signature and pattern, and maybe even trying to reengineer the attack, if time permits. More often than not, a herculean effort is invested in recovering data and getting applications up and running again. And then the team sits around and waits for the next incident.
Organizations with an event-based mindset are in hyper-alert mode when the annual IT, risk and governance audit comes around. All cybersecurity initiatives that were tabled the year before suddenly become urgent and important, and actions kick in to align them for audit compliance.
When a significant business event occurs, such as expansion into a new market or a merger with another company, cybersecurity controls, people and processes are once again on the agenda. A privacy lawsuit also raises cybersecurity’s importance and profile within the company.
Cybersecurity awareness and education are introduced to all employees when an incident has occurred or to fulfill industry compliance.
In the scenarios above, actions to strengthen cybersecurity posture and controls only take place after a negative event has happened. The call for situational awareness becomes a mere knee-jerk reaction.
A proactive and holistic approach to managing threats and risks, both known and unknown, is simply absent.
Now, let’s turn this situation around.
When leaders view cybersecurity from the outside by adopting an intelligence-driven approach, security operations teams no longer merely react to events and alerts; instead, proactive threat hunting takes center stage.
As a security leader, your metric of success is not how many incidents you have managed, but how many potential threats you have discovered and remediated.
By shifting away from event-driven cybersecurity syndrome (where alerts, incidents, breaches, audits, compliance and privacy take precedence), you embrace cyber insights, signals and intelligence as guiding principles as you navigate toward a stronger cybersecurity posture.
Resources are directed to proactively identify potential attack vectors and build appropriate security controls. Security leaders are focused on unraveling the context around a threat indicator (such as attack motive, intent, etc.) and not just remediating indicators of compromise (malicious IP, signatures, patterns, files, etc.).
Leaders are expected to predict a cyberattack and ensure cyber readiness before an event is triggered. Knowledge of the external threat landscape becomes a key insight that guides leaders in making business decisions. Cyber intelligence gathered is also applied across the various business functions.
And when it comes to audit season, cyber intelligence should be an input to drive a company’s remediation approach, ensuring internal and external risks are mitigated at all levels. Compliance management should be conducted based on intelligence leads from the external threat landscape, and compliance requirements and metrics should be adjusted as the landscape changes.
The organization appreciates the importance of privacy and ensures the data of employees, clients and suppliers is duly anonymized, sanitized and encrypted.
Security processes are updated and adjusted as the threat landscape evolves. This is agile cybersecurity strategy at work.
With an intelligence-driven mindset, the organization also adopts a “hacked culture” approach in which cybersecurity personnel work on the assumption that the organization has already been hacked. As an effective leader, you design your cybersecurity controls, processes and strategy based on that premise, leveraging insights, adversaries’ motivation, and attack probability as guideposts.
An intelligence-based mindset guiding cybersecurity is a distinctly better approach than waiting for adverse events to happen before taking action. This shift requires leaders to view cybersecurity not just as a function under IT, but as a core business driver to power growth and innovation.