It seems that every other week, someone is touting a new solution to cyber security. They tell you that all we need to do is install their boldly coloured box that leverages algorithms and machine learning. The best part is that YOU don’t have to do any hard work at all! Once it’s installed, you will be secure!
Although playing with new toys can be fun, businesses need to focus on getting the basics right, which begins with identifying risk. Cyber security, at a high level, is a never-ending exercise in risk management.
Identify and understand the risks
To act appropriately, an organisation needs to be well informed about the risks it faces.
Depending on the context, this visibility can be gained through a wide variety of exercises, such as penetration testing, vulnerability assessments, threat modelling, policy reviews and so on.
The important thing to remember is risk stems from:
a) People;
b) Process; and
c) Technology
Ignoring any of these creates blind spots in your ability to identify threats.
Decide what you want to do with that risk
Standard risk management methodology defines four options to treat risk:
a) Avoid the risk by not carrying out the activity that gives rise to it;
b) Mitigate the risk by reducing its likelihood or impact;
c) Transfer the risk to a third party, for example through insurance or outsourcing; and
d) Accept the risk where the cost of treatment outweighs the potential loss
Depending on the severity and specific context of the risk, you might choose to mitigate it. Mitigation measures may be people-, process- or technology-focussed. If the measure is technology-based, the most effective mitigation often involves more appropriate use of existing technology, through configuration changes or similar hardening, rather than new tooling.
However, although a new product is rarely what the risk actually requires, a common response is to try to solve the problem by buying one. The temptation of a new technological toy, coupled with a convincing brochure, website and demo, is often too much for IT to resist.
Technological solutions form an important part of every organisation’s cyber toolkit. However, key decision makers must ensure that the risk identification and solution evaluation stages are performed properly if they are to realise the full value of their decision.