Stop Asking if Your Organization is Secure — It’s Not


“Is my organization secure?”

If you are asking that question, you are asking the wrong question.

There is an important, underlying truth that the entire industry needs to acknowledge and be more transparent about: there is no such thing as “secure” in cybersecurity. There is vulnerable and there is less vulnerable — but invulnerable is not possible. Let me say it again: there is no such thing as being “secure.”

Security journey: Surface. Address. Improve.

Cybersecurity is a journey of continuous improvement. It’s a never-ending process of surfacing and addressing risk. As the business environment changes over time, so does the digital technology available or in use in your environment. This has a direct impact on the threat landscape, the attack surface of your organization, and the level of risk.

Success lies not in being 100% secure, but in being passionate, courageous, and perseverant to resolve the highest risks in your environment, step by step. You will always have to address security risks (unless you shut down the business!). Cybersecurity is all about managing risk to a level that is reasonable and defensible based on your industry, the sensitivity of the data involved, and the expectations of the data owner or subject. It’s a never-ending journey of reducing risk and never a destination of being secure.

Cybersecurity challenges and nuances

So, why is the cybersecurity process so difficult to nail for many organizations?

It’s simply because every organization is different. There are nuances in risk appetite, technology maturity, the way technology is used or not used, the technical chops of the end user community, the expertise in the information technology department, the size of the organization, and so on. All these factors impact how cybersecurity processes align with the business, and what works or doesn’t work.

Tips for your security journey: Start with basics

How should you start your security journey? First, go back to the basics and determine what you need to prioritize and protect. Not everything has the same importance or sensitivity. You are probably not too concerned with someone making off with the company lunch menu!

Next, think about where threats are likely to come from. Phishing, remote access, and credential compromise are some of the most common threat vectors according to the Verizon 2022 Data Breach Investigations Report.

Understanding the threat landscape is critical, but to reduce risk, you need a reliable strategy to detect and respond to threats. Ineffective security operations processes are one of the three main contributing factors to poor protection against ransomware, according to the 2022 Microsoft Digital Defense Report. This should surely drive organizations to include an effective platform for security operations as a basic necessity. A relevant question to ask about such a platform might be, “Does it enable the analyst to confidently defend the environment by arming them with high quality signals whilst reducing noise?” Delivering on this vision reduces risk while making the security team both efficient and effective with the limited personnel they typically have at their disposal.

Continual risk reduction

If you start by covering the basics, such as security hygiene, patching, user training, and backups, you will have a strong foundation for a cybersecurity risk reduction program. As you continue to seek improvements in risk posture, visibility becomes a key element, necessary for gaining insight across the entire environment, which may be hybrid, widely geographically distributed, and include both IT and operational technology (OT).

The iterative process of risk reduction can become more entrenched once either a formal or informal security operations center is established, with appropriate tooling to provide that overall visibility and remove silos, whilst delivering the ability to detect end-to-end threats through purposeful analytics. Automation within the process of threat detection, rather than focusing on response, is key to addressing issues of skills shortage and alert fatigue. If the systems in place can carry out the heavy lifting of making sense of security telemetry, this frees up the cognitive cycles of the analysts for more fulfilling and effective activities.

Destination = Journey

As the saying goes, the journey is the destination, and if you take nothing else from this blog, use it as inspiration to assess and modernize your cybersecurity efforts. The evolving digital landscape presents an ever-changing risk profile requiring passion, courage, and perseverance to address security obstacles. You will never be 100% “secure,” but every step you take to improve processes and reduce risk counts!