We all know that cybercrime is increasing and likely to jump from a $75 billion problem last year to a $170 billion problem in 2020. Most will argue that this out-of-control spiral is unavoidable. It’s just the nature of the game. We will always be one step behind – that much is true. At the rate we are traveling, though, we are slipping behind by not just a step but a mile.
There are five possible states of preparedness that an enterprise can be in when faced with the battle of cybercrime. Ironically, most enterprises seem to fall within two of those states, and it should come as no surprise that those states are a long way from where enterprises need to be if they want to have a fighting chance of defeating cybercriminals.
The Vulnerable State
The first state is known as vulnerable. In this state are many smaller enterprises that have made the assumption that dealing with cybercrime is expensive or out of their control. These enterprises usually do nothing and pay the price when it comes to recovery from incidents. Fortunately, most enterprises have moved beyond this state.
The Reactive State
The second state is reactive. In this state are those enterprises that have a goal of achieving security, which is the majority of enterprises. What typically happens is a focus on prevention using traditional technologies, such as firewalls, intrusion prevention and anti-malware, combined with improvised, case-by-case responses as these technologies increasingly struggle with emerging threats. This makes for a lack of consistency and unnecessarily lengthy incident recovery times.
The Compliant State
The third state is compliant. In this state are those enterprises that have a goal of achieving one or more regulatory compliance objectives and typically do so because they are mandated to. If it weren’t for regulatory bodies auditing and imposing penalties for failure to comply, these enterprises would most likely slip back to the reactive state. Whilst compliance seems like a great goal to achieve, it is based on a limited set of static criteria with a limited scope at a specific point in time. Target was PCI-DSS compliant, but it was still no match for the theft of credit card details from POS terminals by cybercriminals in 2014.
The Proactive State
The fourth state is proactive. In this state are those enterprises that place an emphasis on awareness of risk. Very few operate in this state. These enterprises are more strategic in their planning, and the scope of their efforts is enterprise-wide. They do not just focus on the scope mandated by compliance, and they generally follow well-defined processes to ensure consistency in responding to similar incidents.
The Resilient State
The fifth state is resilient. In this state are those enterprises that go beyond risk awareness to risk understanding. Across the entire globe, the number of enterprises in this state is in the double digits. These enterprises excel in communicating risk throughout the enterprise; they have the entire enterprise engaged, from the directors who are accountable for fighting cybercrime to everyone else. Adaptability is a key outcome for resilient enterprises. They might get knocked down from time to time, but they always get right back up again. Risk is seen as an opportunity rather than a danger in resilient enterprises.
One common question I am asked is what the difference is between security and compliance. Security is a binary state. An enterprise is secure or it is not. Nobody would call a bank vault that has been broken into, or a prison that has been broken out of, “secure.” Resilience, on the other hand, goes beyond the mindset of prevention to include identification and remediation of vulnerabilities; prediction and prevention of threats; detection of and response to attacks; and confirmation of and recovery from breaches.
Having read about these five states, you will likely identify with one of them. In which state does your organization find itself? Let us know in the comments.
About the Author: With more than two decades of cyber security experience, Andrew Bycroft has provided design, implementation, advice and thought leadership to some of the largest organizations throughout the Asia-Pacific region. Andrew has a strong grasp on what makes every organization different, yet can appreciate the common challenges organizations face regarding cyber security.
Having had the luxury of being able to communicate with a range of audiences, from those who think and speak in ones and zeroes to those who prefer to think and speak in dollars and probabilities, Andrew, in his role of CEO of The Security Artist, is in the unique position of being the leading authority on helping IT, executives, and directors complete the journey to cyber resilience.
Andrew is a member of the Australian Institute of Company Directors, a member of the Risk Management Institute of Australasia, a member of the Australian Information Security Association and a member of the Information Security Audit and Controls Association.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.