For too long, our industry has framed cybersecurity as a technical issue.
We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.
Yes, cybersecurity has a technical component. But more than anything, it is a business issue.
Fortunately, the old mindset is changing. Under the banner of “cyber resilience,” security leaders are beginning to acknowledge that cybersecurity must evolve. Striving to ward off attacks is no longer enough — organizations must also respond to incidents with a focus on managing their business impact.
To gauge how far along organizations in the Europe, Middle East, and Africa (EMEA) are in this evolution, FireEye recently asked 25 security leaders across the region about their experience and perceptions. Their answers reveal a sizable divide among in both awareness and maturity when it comes to cyber resilience.
Breaches Increasingly Routine
Not surprisingly, EMEA security leaders say that cyber breaches are increasingly routine. In our survey, 44 percent of organizations said they had breached at least once per year. And that total probably understates the problem — a full 28 percent were not sure whether they have been breached.
All threats viewed equally — regardless of risk or impact
A solid majority of respondents (68 percent) said they “always” care about breaches. Only 16 percent said their level of concern depends on the severity of the incident. This lopsided statistic suggests that IT professionals are not yet looking at breaches from the perspective of risk or impact.
Priorities misaligned in incident response
We see the same lack of business alignment in organizations’ responses to breaches. When a breach occurs, 84 percent of those in our EMEA survey notify relevant business leaders, and 76 percent notify company executives. We often hear that companies are looking for security leaders to engage at a business level. But if business leaders and executives are still being notified about most breaches, we’re still treating security as a technical problem.
Our survey found a split in where security teams focus their response. About 60 percent base their response plan around all IT systems, and 40 percent focus on critical systems and resources. This response, too, suggests that organizations see many breaches as a technical problem rather than a business problem.
Along the same lines, communications, public relations, and business teams are typically far less engaged in incident responses than IT security and technical teams, executives, and HR departments. If cyber resilience is about enabling business resilience, then business teams should play an equally critical role in incident response.
When engaging with executives, we in the security community do not seem to be taking a risk-based approach. And clearly, we are not speaking executives’ language: the impact of a breach on the company’s financial results.
Who is included in incident response plans?
Moving toward a risk-based security framework
Most security leaders leverage at least one security framework or standard — and in most cases, they leverage two or more. These frameworks include best practices defining what to protect, how to protect it, and how to monitor deployed controls. These features make the frameworks valuable tools to help define strategies and gauge their effectiveness. But adoption of ISO27005 — which focuses on business-risk assessment — is far behind that of ISO27001.
Just about every security leader would like more resources. But most of us must make the most of what we have.
What is clear from our survey is that incident response is consuming the biggest share of time and resources.
The volume of attacks is rising. And IT systems are playing an increasingly critical role in business. So having well-defined and tested response capabilities that leverage automation would seem a key component to cyber resilience.
Bolstering cyber resilience
Cyber security is, and will remain, an evolution. Everyone is on their own journey along the maturity curve. Security leaders must evaluate their place along that curve based on their perceptions of risks and the controls they need to put in place.
Cyber resilience recognizes that prevention is only part of the solution. Organizations must realize the following:
- Businesses will increasingly measure security leaders not just on what they stop or let through, but on how they respond to what does get through.
- A breach can happen in seconds, yet the exfiltration takes hours or days and can last for months.
- When it comes to measuring business impact, not all breaches are equal.
At the same time, organizations must retool their strategies to better discover and respond to security incidents. This shift requires:
- Having a documented, regularly reviewed, and well-tested cyber response strategy that includes both the business and technical response plans.
- Reducing the time and costs involved in response.
- Being able to qualify the business risk of the incident. By better aligning cyber strategies to business drivers and business risk, security leaders can have a bigger business impact and increase their relevance to executives.