· Abderrahmane Smimite · articles · 4 min read
Five Mistakes Executives Are Still Making About Cybersecurity
Five common mistakes that executives keep repeating about cybersecurity, with actionable insights on how to address them
Introduction
Cybersecurity has become crucial to every organization’s success in today’s digital age. Cyber attacks are becoming increasingly sophisticated and frequent and can have devastating consequences for businesses. However, many executives still dismiss essential aspects of cybersecurity. This blog post discusses five critical points executives often overlook about cybersecurity and provides actionable insights to address them. The list is not exhaustive; we highlight the topics we most frequently discuss with our customers’ executives.
Prioritizing Compliance Over Remediation
Many organizations concentrate only on compliance and assessments to verify that their cybersecurity measures check the boxes. Although compliance is crucial, it can give a misleading impression of security: a control can be documented and pass an audit yet be misconfigured or ineffective in practice. Organizations should therefore avoid the trap of filling in compliance checklists and instead prioritize actionable remediation that improves their actual cybersecurity posture.
Actionable insight: Build your cybersecurity program first, then use compliance, implemented through continuous controls, to make sure it does not regress.
Bonus point: We have noticed that the most successful cyber security programs are paired with continuous control teams instead of having compliance managed by legal or isolated GRC teams.
Focusing On Protection Rather Than Resiliency
Another common mistake executives make is focusing solely on protection rather than resiliency. Protection measures such as firewalls, EDR, and IAM are essential, but like any control they can be misconfigured, fail, or, worse, become the attack vector themselves. Organizations need to focus on resiliency and plan to handle incidents when they occur rather than assuming they can all be prevented; this echoes the « assume-breach » mindset that many cybersecurity professionals advocate.
Actionable insight: To improve resiliency, organizations need to focus on incident response planning, backup and recovery measures, and active and realistic testing. Chaos engineering practices can be of value in this context.
Bonus point: Many organizations overlook the threat posed by insider attacks, which can be just as devastating as external ones, if not more so. Insider threats should therefore be considered in both protection and resiliency planning.
Considering CyberSec As A Technical Function
Cybersecurity is often perceived as a technical function, leading to a disconnect between the cybersecurity team and the rest of the business. Organizations need to view cybersecurity as a business function and involve all « ranks » in the process. This is where a risk-driven approach to building a cybersecurity program is valuable, and the best programs are business-aligned. Furthermore, organizations must recognize that cybersecurity is not just about implementing tools but also about mindset, processes, and people-related issues such as social engineering and phishing.
Actionable insight: Build bridges between all organizational functions around risk analysis and management, with the cybersecurity team providing the tools and processes to handle the identified risks.
Underestimating Third-Party Risk Management
Many organizations overlook the risks posed by third-party vendors and suppliers. This covers the libraries developers pull into their code, SaaS services, cloud service providers, and the cybersecurity responsibilities of contractors. Failure to manage third-party risk can have devastating consequences, as several high-profile breaches in recent years have shown.
Actionable insight: Implement third-party risk management workflows and support them with the right tools. Organizations need to assess all third-party vendors and suppliers, implement appropriate controls to mitigate the identified risks, and understand each party’s responsibilities (for example, which security duties fall to a cloud provider under its shared responsibility model and which remain with the customer).
Missing The Business Value Of CyberSec
Finally, many executives perceive cybersecurity as a cost center rather than a business enabler. There are many layers to this discussion, but the simple way to look at it is that while cybersecurity can be expensive, it should at minimum be treated as an insurance policy and, better still, can be a competitive advantage. Organizations that prioritize cybersecurity build trust with customers and partners and differentiate themselves from competitors. If you are still debating whether to implement MFA for your end users, you probably need to have this discussion.
Actionable insight: Organizations need to assess the financial impact of cybersecurity through a risk-driven approach and develop a long-term financial plan that incrementally prioritizes cybersecurity investments. A cross-functional discussion involving security experts, product management, and marketing can also be beneficial to expose the business value.
Summary
In conclusion, most organizations are now aware of the importance of cybersecurity as a vital business function. The five points highlighted above can trigger a healthy debate on how to improve the cybersecurity posture.
In addition to its product activity, intuitem has a consultancy service dedicated to helping companies build optimal cyber security programs that fit their needs instead of pre-packaged ones. You are welcome to reach out to learn more about our services.