B2B companies are urging their technology leaders to re-think their approach to protecting their systems and data, which raises the critical question:
Given limited resources and constantly evolving threats, how should organizations determine where to invest their resources to address their most critical risks?
The answer lies in the cyber security program’s ability to proactively assess and take ownership of risk, as well as the ability to build and maintain a cyber security workforce trained in the most current tools and techniques.
Creating an approach to proactively assess, own and mitigate technical risk
System owners and program managers should approach their cyber security programs with this reality in mind: their systems are vulnerable and cyber threats are continually emerging.
Since security resources are limited, B2Bs must implement proactive plans to identify and prioritize their cyber risks, giving them a clearer picture of how resources should be spent to mitigate those risks.
While the Risk Management Framework (RMF) has undoubtedly introduced a higher level of security control, several factors (i.e., more controls to address without more resources to address them) have led, at times, to its implementation becoming another “compliance drill” — often allowing both new and existing system vulnerabilities to remain unmitigated, or worse, unidentified, exposing systems to critical risk of intrusion and compromise.
RMF has also unintentionally created incentives to shift risk ownership to other organizations (i.e., minimizing the number of security controls that must be addressed and tested by the system owner for a perceived, but often unrealized, cost savings).
System owners and their cyber security teams know their systems better than anyone. Therefore, system owners should look to own and manage as many of their system risks as possible, as they are best positioned to understand the impacts of vulnerabilities and develop the most effective mitigation strategies.
The introduction of RMF has also unintentionally created the requirement for unmanageable numbers of policies and processes that are often enforced inconsistently due to lack of oversight resources. Identifying and implementing technologies and automated solutions that implement and enforce such policies and processes will make programs inherently more secure.
Proactive workforce transformation and continuous training
A large portion of money allocated for IT in B2B organizations is often spent on operations and maintenance (O&M). Companies also often find themselves in need of substantial security improvements to protect their systems but lack the resources to do so.
While some O&M money is focused on cyber security tools, technologies and resources, much of it is spent on manual system maintenance activities.
As artificial intelligence (AI) continues to emerge, businesses should review manual O&M processes and identify ways to automate such tasks, thereby enabling the re-allocation of resources to focus on mitigating critical cyber security threats.
The view that jobs will be lost as AI expands is a common theme of resistance to implementing automated technologies to complete tasks historically handled by humans.
Forward-thinking system owners and managers should talk with their employees about cyber security training opportunities and help them understand that as cyber threats continue to evolve, the need for trained cyber security experts who can identify them increases.
The role of humans in the field of cyber security is only expected to grow
This is an opportunity for team members to advance their careers, and many companies have robust, paid training programs in place to support the demand.
Ultimately, it is imperative that businesses re-focus on the human element of cyber security. System users and managers often fall into the trap of complacency, believing their systems are secure and their data hasn’t been, or is unlikely to be, compromised.
The weakest link in system breaches is people, who create risk by not following even the most basic security guidelines, such as:
- frequently changing passwords
- creating passwords that can’t be easily guessed
- avoiding connecting to and working on unsecured networks
According to an industry study, the average cost of a data breach is $3.9 million, not to mention second- and third-order impacts that can manifest themselves over longer periods of time.
It is critical that system owners implement concise, targeted and current cyber security training programs with the goal of creating and incentivizing a more proactive and vigilant cyber workforce.
Transforming critical challenges into great opportunities
Despite these enormous challenges, there are great opportunities for B2B companies with a forward-looking attitude and ambition. A cyber strategy that adopts the latest cyber security technologies, together with a robust workforce adoption and transformation program, is a critical starting point.
Learn more about how we help B2Bs mitigate risk through security technologies and processes that extend protection and management controls across the expanding digital environment.