Cyber Defense Magazine – July 2019

(Sean Pound)

For example, a company whose business model is based on building a community of users might view
personal customer information breaches as the most fatal to that business, while a B2B business focused
on proprietary product information might view espionage or data breaches as most significantly damaging
to its model. Using the lens of risk unique to the business, enterprises need to focus on cyber resiliency –
protecting the part of their organization most vulnerable to severe damage and preparing it for recovery.
Enterprises shouldn’t necessarily be focused on the latest high-profile breach in the headlines. Don’t fight
the last war. Instead, focus on the next war most likely to affect the enterprise.


Given that boards understand strategic threats, not cybersecurity functions, developing a risk-based
roadmap to cyber resilience becomes essential. Resiliency roadmaps provide unparalleled insights to
board directors, allowing them to review maturity status over time and gain a better understanding of the
strategic concerns the company faces, along with a comprehensive view of the ways to address them.
Maturity and resilience reports provide a common language that enables organizations to prioritize their
operational needs and evolve their programs in response to the fluid threat landscape.


In many cases, this process helps bring into focus the need for greater emphasis on security
fundamentals. Take access control as an example. Did you know that the controls relating to managing
identity and appropriate access with adequate security are usually considered the most important? It may
seem logical and obvious that having features such as a central identity and access architecture –
consistently restricting access to the least amount required to do each person’s job and splitting high-
value approvals to require at least two different people to sign off – are important. However, security
auditors who take a look inside many different organizations rarely find those essentials properly in
place.


“We lost your data – but we value your business” is becoming a very tired message. “We cannot keep
your data perfectly secure – but we would like to have it anyway” is also a bizarre message. The larger
question becomes: can breaches be prevented?


The answer is that it is possible to keep data secure, but it requires what has now become known as
security by design, also sometimes referred to as DevSecOps. Fundamentally, these two terms mean
that security can only be fully effective when it has been adequately established from the very beginning
and is then continuously monitored and maintained.


Yet again, though, go on a few cybersecurity assignments as an auditor or manager, and very much in
line with the results from the ISACA State of Cybersecurity research, infosec departments rarely have
enough resources, and many are still not invited to look at the security of a new product until after it was