Cyber Security: Often a case of ‘too much, too late’

We live in a new world where cybercrime is bigger business than the global drugs trade. Cybercriminals can be both targeted and indiscriminate. It’s a $2 trillion business. Worrying stuff. Almost numbingly so, given the endless breaches, incidents and vulnerabilities reported by the (not so fake) news media.

On the flip side, business leaders increasingly claim that at last they ‘get’ cyber security and they’re prepared to throw resources at it. Rejoice! Well not so fast, because here’s the rub…

In our experience there’s a significant disparity between the view of top management – that they’re affording cyber security the attention and budget it deserves – and the view of the professionals tasked with delivering said cyber security. That’s a dangerous situation to be in, and at best it lulls companies (and the rest of us) into a false sense of security.

Here’s the logic… 
For many organisations, a cyber security programme amounts to little more than slamming the stable door shut after the horse has bolted. Why? Because these organisations devote huge resources to implementing point solutions that may bear little relation to the underlying risk they face. Such point solutions, while bearing impressive names and costing a small fortune, are often the equivalent of slapping go faster stripes on re-packaged implementations of technologies that have known limitations.

Don’t get us wrong. Technologies have an important role to play. Just don’t place blind trust in them. Rather, understand what information assets are important to you – along with how and why they might be compromised – and then prioritise your efforts from there. At CRMG we do the following:

  1. Understand what’s really important to you (in our language we call this ‘identifying mission-critical assets’)
  2. Identify laws and regulations that you need to stay the right side of, irrespective of what might be good for your bottom line
  3. Use a proven approach to identify what threats your mission-critical assets face, and what actions (‘controls’) have been proven to mitigate these threats
  4. Implement a structured programme that focuses on protecting your mission-critical assets and complying with laws/regulations that affect you – while protecting the rest of the organisation to a sensible minimum (‘baseline’) level.

By following a pragmatic process that focuses on your requirement for security, you’ll avoid devoting time and money to programmes that, when push comes to shove, amount to ‘too much, too late’.

About the author

Simon Rycroft
Co-Founder, CRMG