Security is really hard.

How many emails, LinkedIn messages, phone calls do you get from security vendors everyday touting their new and shiny solution that’s going to solve every single one of your cybersecurity challenges? Just when we thought we had established a solid understanding of the issues we needed to prevent (e.g. ransomware, data breaches, DDoS attacks, etc.), we’re now inundated with proposals from organizations that say their tool offers protection from all of the above. These vendors make it sound like cybersecurity isn’t really that hard.

No, it’s actually really hard. You see, many of these vendors do have really amazing products that have played a massive role in uplifting the cybersecurity posture of many organizations. However, when the vendors’ sales targets become people whose role is something other than cybersecurity executive, this is when things get scary. These executives will procure and roll out a couple of thousand licenses of BlueThunderDoomMaker (to my knowledge, this is not a real product), wave the ‘Mission Accomplished’ banner at the next Board meeting, and confidently state that cybersecurity can be considered ‘closed’ from a risk perspective. Hopefully there isn’t anyone else in that room who shares that same opinion.

Buying a tool or buying licenses to a tool is not in and of itself a control nor does it make your organization inherently more secure. This would be as if I bought an electric fence to keep my dog from running away but never turned the fence on or never put the shock collar on the dog. To maximize the value you obtain from your investments in security technology, you need access to security executives who understand how to successfully implement and configure such technology in a manner that meets your original objectives.

However, as much as technology needs humans, humans need technology. While a company’s best cybersecurity defense may be a security-savvy employee, this same employee may also be its biggest nightmare. In Verizon’s 2022 Data Breach Investigations Report, 82% of reported breaches involved a human element.

So what can we do about it? First, cybersecurity awareness training should be a cornerstone of incident prevention. Training should focus on the relevant risks of today and be required of all employees. Second, investing in cybersecurity tooling to help you manage your environment more efficiently and effectively is highly encouraged, but your spending priorities should align with the organization’s largest cybersecurity risks. To learn what these risks are, you should partner with a cybersecurity expert to perform a cybersecurity risk assessment. From there, this security executive can provide you with input as to which tools on the market will best address your problems.

Third, as mentioned above, technology alone isn’t enough. Once you’ve decided to invest in a cybersecurity tool, you need a partner to help you manage it. You need partners who are trained to configure and manage these cybersecurity tools to prevent them from becoming ‘shelf-ware’ and partners who can analyze the output of the tool and identify a potential cyber attack. You will then need partners to help you run an incident response and clean-up in the aftermath.

Security is not easy, but there are companies out there trying to make it easier: companies like Cyera for data identification and protection, Guardz for managed detection and response, Qualys for vulnerability management, and so on. But if you don’t have a resource available to explain to you how these tools could help better secure your organization, you likely won’t be able to maximize the benefits the investment brings to the organization.

This is why Malcom Risk Advisors was formed, and this is how we can help. First, we’ll work with you to identify which cybersecurity threats pose the greatest risk to your organization. Second, we’ll assess the controls you have in place to manage these risks today. If the controls are not deemed adequate, and the resolution plan involves purchasing technology, Malcom Risk Advisors can make recommendations, help you negotiate with vendors, oversee the implementation of the tool, and, if desired, continue to run and manage the tool(s) on a go-forward basis. Finally, we can provide comprehensive cybersecurity awareness training for all of your employees, updating the content to align with the ever-evolving risk landscape. We’ll craft highly sophisticated phishing test emails to constantly remind your employees of the role they play in securing your organization.

Security is definitely not easy. But that’s what we’re here for. If any of the above resonates with how your organization has handled cybersecurity in the past, but you now see the value of investing in an executive-level resource to help uplift your environment, please reach out directly to me. I would love to work with you to either solve a specific security problem or to work with you on a retained basis and become your partner in leveling up your cybersecurity capabilities. There isn’t a problem too small or too big for us to handle.
