Being honest about your best attempt security
Mar 6, 2019
It’s important to prioritize skills, money and liability in the right ways to make sure you’re as secure as possible.
In the first post of this series, we introduced the concept of drawing your IT management line in the sand. When new IT requirements arise, how do you decide how to manage them, while still addressing ongoing operations?
The concept came up in discussions with two TELUS experts, Customer Solutions Architects David Steele and Nathan Roarty. In their view, how you make decisions about skills, money and liability can determine how much IT you manage on your own and how much you entrust to the experts.
We thought we would explore how this idea plays out in different areas of IT. In this case, cyber security. Dave and Nathan have some interesting thoughts.
Q: Can you comment on the current state of IT management as it relates to cyber security?
DS: Cyber security is expensive to address proactively. You have to think about skills, equipment, architecture and audits to name a few. Like many aspects of IT, but particularly for cyber security, it’s expensive to maintain, but more expensive if you don’t do it as a result of the liability. Security really is a moving target. It’s changing so fast. As a result, response needs to keep pace. But even when you’re up to date, you’re still behind.
NR: Cyber security is a little bit different than the rest of IT. There is this third party that is waging war on you – a threat actor that you have no control over and that you are competing against. There is a perpetual battle for dominance and a constant game of leapfrog, the good guys over the bad guys. Cyber security is the only part of IT where that third party, the threat actors, has such an impact. It’s a blind spot that makes solution decisions very difficult.
You have to ask uncomfortable questions – what do you think you have to lose and where are you likely a target? With those answers as your guide, you can decide where to invest and prioritize. It’s also important to account for internal and external factors like size, typical customer profile, regulatory environment, specific vulnerabilities and threat landscape, as well as technologies being used.
Q: What is your advice about drawing the line in the sand when it comes to skills and security?
NR: The cyber security skills market is a scarce one. Finding someone with skills to match your unique threat landscape is even more difficult. Because security is always changing, it’s almost impossible to maintain the right skills profile in house to cover the complete and continually evolving security lifecycle.
DS: There is also a longevity consideration when it comes to security skills. Do you need someone full time or do you need a point-in-time engagement to focus on specific aspects of your IT security? There are some skill sets that you want to cultivate inside of your organization as a part of your intellectual capital. But many aspects of security are externally focused and don’t have strong synergies with other lines of business. When drawing your cyber security skill line in the sand, the question I recommend asking is: does the company need to know the skill or use the skill?
I worked with a client that exemplified that point. As a medium-sized business, the company had an internal IT person. He was a generalist and could service the company’s IT operations effectively. But when the company encountered a security attack on its phone system, he didn’t have the deep security knowledge that was needed to address it. There were also geographic challenges in accessing the branch locations to implement the appropriate security solutions. Based on the skills limitations and geographic challenges, the company chose to partner with a provider to address the security issue. It was a skill that the company needed to use rather than maintain in house.
Q: What do companies need to spend to be safe enough?
NR: Security is one area where you can spend an infinite amount of money with diminishing returns. For security specifically, money and liability are inextricably linked. Every company needs to balance off the cost to provide cyber security against the cost of a breach. When the TELUS security team engages with a client, we start with investigation and analysis, producing a report that ranks different activities by cost to implement and the threats that they address. It’s about spending wisely and quantifying risk.
DS: There are no absolutes when it comes to security spending. It’s more about becoming as secure as possible in the most cost-efficient way, taking into account skills and liability. Some questions to ask include: what am I spending already? Are those existing solutions addressing my current needs? Based on how I’m spending, am I secure enough? What is the likelihood of a given type of breach and what are the costs to remediate it? That’s really how you draw your line in the sand.
Q: What about liability? How do you draw the line there?
NR: With new regulations, there are two levels of liability – organizational and personal. In this new regulatory environment, individuals can be held personally accountable and liable for breaches. Nobody wants to be that person that let the organization down, which is a big motivator for working with experts.
DS: When deciding what to take on yourself and what to entrust to the experts, it’s important to look at both sides of the liability coin. First, there is the real cost of the liability. What is the dollar value in fines? And what are some of the more intangible costs like brand and reputation damage? Second, there is the regulatory liability. Being aware of your regulatory compliance requirements and the associated implications of a breach is essential insight when drawing your liability line in the sand.
Q: Any final thoughts?
NR: Skills, money and liability all influence how you choose to manage cyber security. Skills are a challenge, money is a controlling factor determining your “secure enough,” and liability is the outcome that impacts skills and money decisions. It’s a three-pronged tug of war, with each element exerting pressure on the others. Understanding how skills, money and liability play out in your organization can help you determine your level of risk and exposure.
DS: Drawing your cyber security line in the sand is really your best attempt to make decisions that will keep you secure enough. And I say “best attempt” because you are working with the information that you have at any given time. With how much and how quickly things change in security, best effort is a realistic aspiration. Being honest about skills, money and liability is a vital part of your due diligence, which will help you determine how and where a provider can fill the gaps to lower your risk.
Next up: Nathan and David discuss drawing your IT management lines in the sand for technology refresh.