In the last year, the connected world has experienced nearly all the joys and pitfalls of our ever-increasing reliance on networked technologies, and security has finally taken center stage. Look no further than SolarWinds, Colonial Pipeline, CNA Financial, JBS USA, Kaseya, and Brenntag. We all have to deal with cybersecurity issues big and small, regardless of what we are doing, both privately and in the business world. Yes, there was a time when it could be ignored in the hope that it would happen to the other guy, but those days are over.
As security professionals we have been secretly (and perhaps not so secretly) waiting for this moment. Yes, believe it or not, there was a time when we had to fight for relevance. It wasn't that horrible really; we knew it would not take long, and today the business world seems to be paying more attention. That is a good thing. It can get better, however, and we hope it does.
Recently, during a discussion with a large Fortune 100 company, we learned that people and organizations are asking lots of deep probing questions about security. Partners and customers are deeply concerned about cybersecurity issues and want to know what is being done to make sure business keeps running when serious cybersecurity attacks occur. Nobody wants to be on the receiving end of another major ransomware attack. Cybersecurity issues cost companies a lot of money and a lot of stress.
For the past 16 years, IBM has published research by the Ponemon Institute in the annual “Cost of a Data Breach Report.” Its 17th report was published at the end of July this year, and perhaps the biggest finding was that 2020 had the highest average cost for a data breach in 17 years. The cost rose from an average of $3.86 million to $4.24 million.
The survey found that the average time to detect and contain a data breach was 287 days: an average of 212 days to detect the breach and a further 75 days to contain it. The overall time is one week longer than in the 2020 report.
There was a time when companies could cobble together a press release or marketing paper that was riddled with lots of good cybersecurity buzzwords and share it with the inquisitive world, but that was before the inquisitive world became more educated. Today people have real concerns and want real answers to tough questions. We are living in a world where we can only trust what we can verify.
This can be quite burdensome for an organization. Having credible people in an organization who can answer an ever-growing and changing body of cybersecurity questions is indeed challenging.
This Fortune 100 organization decided that it would be prudent to produce a security position paper, which is indeed a great idea. The act of articulating in detail what exactly the organization means when it says cybersecurity is important, and explaining the approach it takes to manage cybersecurity issues over time can be indicative of the security maturity level of an organization. It can also help both internal and external customers, investors, and stakeholders understand risk. A security position paper should articulate a plan, and as the saying goes, if you fail to plan you plan to fail.
A security position paper should be the first place an organization points anyone who asks about cybersecurity. It can answer a lot of questions and will often serve as enough evidence to stakeholders that cybersecurity is being properly managed over time. A properly developed security position should touch on all parts of an organization and show how leadership at every level addresses and manages cybersecurity issues. This is perhaps the most important point of all, because the technologies being used are far less important than the support at all management levels. This is the essence of what a security position paper needs to show.
It is interesting to see this happening, and it is our hope that this will catch on and spread to all organizations. Farallon Technology Group hopes to be there to help make it happen.