Managing Your Love/Hate Relationship with Cyber Security in 3 Critical Steps
Volume 1 - Issue 1 ~ October 26, 2021
Welcome to the first edition of the “CIO Two Cents” newsletter from me, Yvette Kanouff, Partner at JC2 Ventures.
I will be sharing insights especially tailored for CIOs on a regular basis—read on for more about what’s on my mind at this moment in time.
the JC2 Ventures team (John T. Chambers, Shannon Pina, John J. Chambers, Yvette Kanouff, Pankaj Patel)
Managing Your Love/Hate Relationship with Cyber Security in 3 Critical Steps
Ah yes, we're wrapping up Cyber Security Awareness Month. Just a few weeks ago, Google’s Threat Analysis Group announced that it’s tracking over 270 government-backed threat actors from 50+ countries. At the same time, the Biden Administration concluded its Ransomware Summit with 30 countries, acknowledging that a concerted effort to address these serious threats may make sense.
So, how can we keep up with our own company’s security needs? As I talk with CIOs and startup founders, I realize that no matter how big or small the company, I’m not sure if cyber security is our favorite or least-favorite topic to discuss. What is our best practice example for cyber?
One of Gartner’s top CIO recommendations for 2021 is to make time to directly experience new technologies. I couldn’t agree more; it’s more important than ever to understand trends as well as technology innovation. I get it, it’s hard to find the time, but our adversaries have the time, so we must find a way to stay on top of best-practices, policy, and innovation.
Measure, Prevent, and Recover (MPR):
Here’s what I think CIOs can do to make this happen in 3 easy-to-action steps >
Measurement comes down to our security posture. As management guru Peter Drucker said, “If you can't measure it, you can't manage it.” I have had many discussions on this topic with Saket Modi, the founder and CEO of security measurement start-up Safe Security. If you simplify it, vulnerabilities really come down to three categories – People, Process and Technology, across first party and third party stakeholders. CIOs must be able to assess the security policy of employees, ensure that we’ve automated and implemented our policies, have visibility into our technology assets, ensure our cyber products are functioning as needed, and to properly evaluate our third parties to ensure they are properly prioritizing and addressing our cyber risks. Creating automation on this front has been an on-going challenge for our industry. The real-time monitoring and consistent / automated measurement of these pillars is one of the key innovation areas for us all to watch.
Prevention tends to be the most prevalent discussion. We have hundreds, if not thousands of vendors with great solutions to help prevent cyber-attacks. One thing is certain – firewalls, malware protection, zero trust, and traditional tools are far from enough. If we evaluate some of the more sophisticated attacks (and some simple ones too), application and workload security tooling is critical for secure operations. These are the solutions that I am evaluating these days.
And finally, Recovery – we could consider this one of the most important preparations; we need to have our business continuity plans in place, along with tabletop exercises and technology/process solutions to ensure a worst-case scenario. As I have watched ransomware victims recover and discussed those instances with other CIOs, we have all been surprised to see how many have paid the ransom and still had recovery issues. Having comprehensive backup and recovery tools and processes, preferably with integrated security and privacy filters is critical. We also cannot underestimate the value of preparation and practice in this area.
Given social engineering, phishing, abuse, dark web data, zero-day exploits, lack of policy implementation, and more, preparation is a journey, not a destination. I continue to be intrigued by the ongoing work in AI to help us stay on top of exploit mitigation – another topic for another blog.
Moving fast? I’ve got you covered - here are the key takeaways:
( 1 )
If we evaluate some of the more sophisticated recent cyberattacks (and some simple ones too), application and workload security tooling is critical for secure operations. These are the solutions we should all be evaluating these days.
( 2 )
If you simplify it, vulnerabilities really come down to five categories – People, Policy, Technology, Products, and Third Party. The real-time monitoring and consistent/automated measurement of these pillars is one of the key innovation areas for us all to watch.
( 3 )
Having comprehensive backup and recovery tools and processes, preferably with integrated security and privacy filters is critical. We also cannot underestimate the value of preparation and practice in this area.