Last Updated on March 10, 2023
Is your company ignoring security? Or making fundamental security mistakes that leave it vulnerable to a devastating ransomware attack or other hack?
To give technical and business leaders a pragmatic, informed view of what really matters in cybersecurity, Dr. Eric Cole, trending author and Founder/CEO of Secure Anchor Consulting, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as always.
“We have a problem that’s been brewing for a couple of years, which is we are ignoring security,” Eric asserts. “Organizations are doing crazy, crazy things. I know after the recent pipeline breach, they tried to do various PR campaigns. But let’s face it, it’s pretty obvious that what happened at the pipeline was they took operational technology that had known vulnerabilities and connected it to the internet. There’s no other way that could have happened.”
Fixing the disconnect
The bottom line is companies are making a lot of fundamental mistakes, and these are being ignored. The question is, what can we do to change this?
“We, as cybersecurity professionals, need to do a better job of explaining [security] to executives,” Eric relates. “I was just talking to security engineers the other day, and they were like, ‘Eric, we have the exact same problems like Colonial and all these others. We have systems that are missing patches. They’re vulnerable. We know we’re on the brink of disaster. We know we’re going to have a major ransomware attack. But the executives aren’t doing what they’re supposed to.’”
So, are the executives in question unfortunately just morons? Or do they not understand the problem and the risk… perhaps because the engineers haven’t done a good enough job explaining the situation so they can relate?
Communicating about risk
Is our cyber crisis driven by a disconnect between technologists and executives? Eric thinks so, and John agrees. John adds that even when risks are clearly communicated, risk ratings aren’t always trusted because the numbers are soft.
“I think one of the challenges is there’s not enough actuarial data that a businessperson can look at and make a good, sound judgement on,” John observes. “In the business world, you’re working off financial data. It’s clear, versus the security guy coming in… Is he just overblowing this risk? Or is that the real risk? There’s no true equation for them to look at.”
“Especially with some of the recent attacks, you have some folks starting to say—which I do not agree with—that cybersecurity is a zero-sum game,” replies Eric. “They’re like, ‘No matter what you do, you’re going to lose. You just can’t win now.’”
“I disagree, because if managing risk couldn’t be done, insurance companies would’ve gone out of business,” rationalizes Eric. “Clearly, insurance companies show us that you can manage risk. They have proven that historical data and comparative data are the best models for doing that. Now I do agree that insurance companies have a lot more data than we do. Yes, we’re going in and using some limited data sets.”
Running the numbers
“When I go in with the executives I’ll always go with the conservative [probability] numbers,” continues Eric. “But what I’m more concerned about are the other two data [elements], which are: What is the cost if it occurs, and what is the cost to fix it. Those I think we can do a better job [estimating].
“When I talk to executives, what they always struggle with is we don’t give them that first number. We come in and say, ‘I need $500,000 to prevent a ransomware attack.’ They’re like, ‘Well, we haven’t had a ransomware attack. If we don’t spend the $500,000, nothing will happen.’ But if I go in and say, ‘Hey, the average ransom of businesses our size is $2,000,000. Whatever that percent [likelihood] is, it’s more than zero. You can pay $2,000,000 if we get hit, or $500,000 to fix it. Which do you want?’
“I think that starts to give them perspective. But if we don’t give them both numbers, that’s where some of the problems start to get created. Because they don’t have a leverage point of saying how bad this could really be,” says Eric.
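To make the comparison Eric describes concrete, here is an added worked example (it is not code from the episode, from Pivot Point Security or from Secure Anchor). It takes the three inputs he names, a conservative likelihood, the cost if the event occurs and the cost to fix it, and computes the expected loss, the break-even likelihood at which the fix pays for itself, and a plain-language summary for an executive. The dollar figures are the ones quoted above ($2,000,000 average ransom, $500,000 to fix); the probability values are constructed placeholders, not data from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RansomwareRiskCase:
    """One risk decision: pay to prevent, or accept the expected loss."""

    loss_if_hit: float   # cost if the event occurs (e.g. average ransom for firms this size)
    cost_to_fix: float   # cost of the control that prevents it
    probability: float   # conservative likelihood over the period, 0.0 .. 1.0

    def __post_init__(self) -> None:
        # Reject inputs that would make the comparison meaningless.
        if self.loss_if_hit <= 0 or self.cost_to_fix < 0:
            raise ValueError("costs must be positive dollar amounts")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")

    def expected_loss(self) -> float:
        """Likelihood times impact: the number executives usually never get."""
        return self.probability * self.loss_if_hit

    def break_even_probability(self) -> float:
        """Likelihood above which the fix is cheaper than the expected loss."""
        return self.cost_to_fix / self.loss_if_hit

    def fix_is_justified(self) -> bool:
        """True when expected loss is at least the cost of prevention."""
        return self.expected_loss() >= self.cost_to_fix


def executive_summary(case: RansomwareRiskCase) -> str:
    """Phrase the decision the way Eric frames it: both numbers, side by side."""
    verdict = "spend on the fix" if case.fix_is_justified() else "fix costs more than expected loss"
    return (
        f"Pay ${case.loss_if_hit:,.0f} if we get hit "
        f"(about {case.probability:.0%} likely, expected loss ${case.expected_loss():,.0f}) "
        f"or ${case.cost_to_fix:,.0f} to fix it. "
        f"The fix pays for itself above a {case.break_even_probability():.0%} likelihood: {verdict}."
    )


def sensitivity(loss_if_hit: float, cost_to_fix: float, probabilities: list[float]) -> dict[float, bool]:
    """Show how the decision changes across a range of conservative likelihoods."""
    return {
        p: RansomwareRiskCase(loss_if_hit, cost_to_fix, p).fix_is_justified()
        for p in probabilities
    }


if __name__ == "__main__":
    # Figures from the episode; the 30% likelihood is a constructed placeholder.
    case = RansomwareRiskCase(loss_if_hit=2_000_000, cost_to_fix=500_000, probability=0.30)
    print(executive_summary(case))
    for p, justified in sensitivity(2_000_000, 500_000, [0.05, 0.10, 0.25, 0.50]).items():
        print(f"likelihood {p:.0%}: fix justified = {justified}")
```

The point of `break_even_probability` is that the argument does not depend on knowing the exact likelihood: with a $2,000,000 impact and a $500,000 fix, any estimate above 25% already favours spending, which is the "whatever that percent is, it's more than zero" framing with a number attached.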
As a professional concerned with cybersecurity and the viability of your business, you’ll certainly appreciate all the practical guidance in this podcast episode with Dr. Eric Cole.
To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.
Considering hiring a Virtual Chief Information Officer?
There are many benefits to bringing outside information security talent into your organization, but it must be done right to realize success.
Download our vCISO Roadmap now!