Digging deeper, cybersecurity best practices, compliance checklists and frameworks are freely available online from NIST, MS-ISAC, the US-CERT and more. So why is this guidance so often ignored?
Experienced security pros understand that solutions involve people, process and technology. And most leaders know where to go to get help. And yet, ransomware and data breach stories just keep pouring in from victim organizations who only wish they had a second chance to implement better security protections.
Typical answers to these “why so little progress?” questions often center on insufficient funding, lack of trained staff, difficulty in keeping teams together, a sense that hackers are just too good or work too fast, or technology governance challenges. No doubt, these issues are often real and difficult to overcome. But are there less complex, yet compelling, answers to consider when exploring why cybersecurity best practices are not successfully implemented in a government near you?
In November 2021, my book Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions was published by Wiley. In the book, my co-author Shamane Tan and I describe more than 35 global ransomware and data breach stories in the public and private sectors through the eyes of technology and business leaders.
While the first 10 chapters are full of examples that offer “the good, the bad and the ugly” regarding emergency cybersecurity incidents, Chapter 11 is my favorite because it covers “turning cyber incident lemons into organizational lemonade.”
Here are five of the top 10 excuses from the book that organizations give for not implementing best practice cybersecurity protections:
Excuse: We didn’t have the time.
Questions to ask: Where are we spending the bulk of our time? Are we allocating our time proportionately according to the criticality of risks?
Tip: Project management team needed.
Excuse: Our organization is different.
Questions to ask: How have we educated our stakeholders to raise their level of awareness? Who are our security champions who can influence laterally and upward?
Tip: Every company “is different.” Culture change and leadership are required.
Excuse: The vendor told us it wasn’t necessary.
Questions to ask: How are we cross-checking what our third-party experts are telling us? Who is ultimately responsible for customer data and trust?
Tip: Ask who, what, when, where and how.
Excuse: It was too hard.
Questions to ask: Have you tried getting allies so that it is not just your team fighting organizational battles? Are there smaller steps you can take?
Tip: Time and resources along with priority and follow-through are required.
Excuse: We were afraid of what we might discover.
Questions to ask: Are you comfortable with not knowing what the malicious attackers likely know about your organization? How are you managing your risks if you do not know what needs to be managed?
Tip: Ongoing risk assessments are a must. Cyber risks do not just stop at us. We must think about our customers and their data.
We also share a few strategies that help fight “best practice apathy”:
First, make failure real. Cyber exercises are a must. Ask: What is your mindset regarding cyber failures? Who is accountable? How can you build a culture that does not finger-point or blame, but encourages transparency in sharing lessons learned and mistakes owned?
Second, consider Failure Mode Effects Analysis (FMEA). This gives you a structured process for identifying how controls can fail and what the effects of those failures would be. Do you know what your industry peers are using to reduce risk? How does your process benchmark against theirs?
Finally, consider getting a second opinion. We should constantly be looking to improve, and we are stronger together. How can you play to your strengths while leveraging community and collaborating with existing or new partners to complement and strengthen your business case for stronger cybersecurity?