Posted by Hal Overman + Joe Vigorito on Jan 29, 2019 10:00:00 AM
If you aren't doing the cybersecurity basics, then it’s time to take a step back.
At ConvergeOne, we begin our conversations with CISOs and Directors of Security by asking questions. We have no specific agenda in mind, no product to push, no PowerPoint that shows how wonderful and experienced we are. We simply want to hear about the customer's program and see if we can help them meet their cybersecurity goals while delivering a cost model that makes sense for them. For new customers, we call this the cybersecurity discovery conversation.
Often, we ask a question somewhere along the lines of: “Let’s hope it hasn’t happened and never does, but if you had a serious security incident, how would you and your team know?” This usually gets the conversation percolating in earnest. Why? Because now we have moved into an area that is uncomfortable to even consider: What if your defenses could be, or have been, penetrated by someone not authorized or permitted to do so?
We come across customers who have expensive, complex cybersecurity solutions with features like advanced analytics, machine learning, artificial intelligence, and so on. Just think of the latest buzzword and insert it in there, too. In the meantime, the customer still isn’t doing the basics well—if at all. The basics start with a well-planned, methodical risk assessment. How do you know what you need to do to protect your organization if you have not determined where you are most exposed and threatened?
Instead, we see customers fill a whiteboard with projects that have a product name or type next to them. If products could carry the day in terms of cybersecurity, then none of the high-profile breaches we see each week would occur. The list of affected enterprises could go on for pages, and we guarantee you that every one of them had premier products and highly paid staff—yet they were all successfully attacked, some multiple times.
Perhaps more importantly, product implementations require well-trained staff, and we know we have a severe shortfall in skilled, knowledgeable people in cybersecurity. In fact, Gartner estimates that there will be more than one million open jobs by 2021.
Enterprises are overwhelmed with data that humans cannot consume. Therefore, we are challenged to deliver secure outcomes. Tony Sager, from the Center of Internet Security, calls this form of battle fatigue “The Fog of More,” as we become uncertain of how to prioritize and approach our cybersecurity efforts. In the second part of this blog series, we will share how to best approach the basics to reinforce your cybersecurity program.
[ GUIDE ] Building Human Firewalls: 10 Steps to Cyber Awareness
Are your employees equipped to act as a human firewall, defending your organization against attempted cyber attacks?
The statistics are staggering: spear phishing accounts for 95% of enterprise network attacks, according to the SANS Institute. Since attackers can craft messages to your employees posing as a reputable contact, technology can only do so much. To effectively prevent your organization from falling victim to cyber attacks, it’s essential that your employees develop strong cyber instincts.
This guide contains an extended overview of ConvergeOne’s 10 steps to creating a cyber aware culture, including key questions and ideas for tackling each step.