What it Means to Redefine Success in Cybersecurity
Digital transformation, cloud migration, Internet of Things adoption – the changes buffeting companies in the information technology space have the potential to create enormous benefits but they also come with increased risks. These hazards come on top of the threats that companies already face in protecting their websites, data, and online services. Given this combination of new and emerging threats to cybersecurity, managing corporate cyber risk can seem daunting. Even chief information security officers can feel overwhelmed by the proliferation of solutions, services, and options.
A key driver behind this situation is an outdated way of thinking about cybersecurity: considering it a “castle and moat” problem. In this way of thinking, the goal is to keep the bad guys “out” of your network. To achieve this goal, you build a high wall and a wide moat. As the threats evolve and increase in capability, you build the wall higher and the moat wider. However, this approach to cybersecurity does not work. In fact, it sets an organization up to fail, because eventually the attacker will succeed in building a high enough ladder or a long enough bridge. Further, if the end goal is defined as “keeping the intruders out,” then attackers only have to succeed once for the defense to fail. Defenders have to be 100 percent right all the time. Those odds are not in your favor.
Yet, “keeping the bad guys out” is not the only way to define success. A better way of thinking is to define success as preventing the bad guys from achieving their goals. Such a reformulation may seem to be trivial, but in practice it is profoundly different. The bad guy’s goal is not to get into a network; rather, his or her goal is to take some other action – stealing money, pilfering data, disrupting operations, or robbing your computer processing power. Those outcomes are what defenders should seek to disrupt.
When an organization adopts this definition of success, stopping adversaries from getting into a network becomes only one way among many to thwart their activities. Any action that hinders the adversary’s ability to reach their goal becomes part of an organization’s defense, from how it uses cloud services to limiting the activities administrator accounts can perform; these steps create friction for the adversary and opportunities for the defenders to detect and stop them. Layering and combining these defenses means the attacker has to be right at every step, and the defender only has to be right once. This approach turns the cybersecurity problem on its head and alters the intrusion/defense balance. It makes the odds much more in your favor.
Adopting this definition of success provides another advantage. It enables an organization to use technology changes as an opportunity to reduce cyber risk rather than increase it. Since any action that reduces the bad guy’s chance of success is useful, almost any change can become an element of improved cybersecurity. Implemented correctly with cybersecurity in mind, software upgrades, architecture changes, or service changes can all reduce risk and increase security over what existed previously. For example, migrating to the cloud often improves an organization’s data security posture, because cloud storage providers often offer stronger security than an on-premises server. On the other hand, migrating to the cloud raises other kinds of risks, such as decreased visibility, increased complexity, and application exposure. Yet, if a company adopts appropriate security services as it migrates to the cloud, then those new risks can be managed and mitigated. As a result, cloud migration done with cybersecurity in mind can produce dramatic security improvements and significantly reduced risk.
Finally, this changed mindset enables a different way of interacting with a cybersecurity provider. Rather than treating the provider as merely a technology supplier, a “prevent their success” mindset encourages collaboration with the provider. Working collaboratively with a security provider (who should in turn be working collaboratively across the security ecosystem) creates a defensive multiplier that can further reduce your risk.
Cyber threats are not going to decrease for the foreseeable future, and the challenges they pose to organizations are very real. However, organizations are not helpless in the face of this danger. Although they cannot drive their cyber risk to zero, they can meaningfully reduce their risk and improve their productivity at the same time. Adopting the right mindset provides more opportunities to thwart the bad guys, to harness changes in the IT landscape, and to work collaboratively towards improved security. Digital transformation and cloud migration may be disruptive, but implemented correctly, they can provide not only business benefits but cybersecurity benefits as well.