Cybersecurity professionals should be resolved to prioritize efforts in 2019
One of the most frustrating things about cybersecurity is the inordinate amount of time and effort that gets applied to protecting assets that, in the grand scheme of things, don’t have much value. The reason this occurs is that most organizations are trying to defend every file equally rather than focusing their efforts on the data that has the highest value.
The challenge cybersecurity professionals have, of course, is identifying which data has the highest value to the business and then crafting cybersecurity controls commensurate with the actual value of that data.
Unfortunately, cybersecurity professionals are generally not the best judges when it comes to determining the value of data. For example, a recent survey of 2,827 professionals working in seven different functional areas in the U.S. and United Kingdom, conducted by The Ponemon Institute on behalf of DocAuthority, a provider of document security software, finds substantial differences between cybersecurity professionals and the rest of the organization when it comes to appreciating the cost of reconstructing a document that had been compromised.
For example, IT Security departments estimated the value of research and development (R&D) documents at less than 50 percent of what the business would estimate their worth, predicting that it would cost $306,545 to reconstruct an R&D document compared to the $704,619 estimated by the R&D professionals. IT Security departments also underestimated the financial impact of a financial report being leaked: cybersecurity professionals put the cost at $131,570 versus the $303,182 finance professionals estimated.
In contrast, IT Security departments overvalued monthly salary lists at $94,148, compared to the $57,477 estimated by human resources professionals.
Dr. Larry Ponemon, chairman of The Ponemon Institute, says the lack of appreciation for the true costs of reconstructing data is symptomatic of a larger problem that has been plaguing organizations for decades. In the absence of any meaningful guidance from business executives, cybersecurity professionals wind up being tasked with trying to defend everything.
“There needs to be a better evaluation of risk,” says Ponemon. “Organizations need to prioritize what needs to be done.”
As Frederick the Great of Prussia once sagely noted when discussing military strategy, to defend everything is to defend nothing. The same maxim applies to cybersecurity. As cybersecurity professionals head into 2019, one of the most important resolutions they can make is to get the organization they work for to identify its most valuable data assets and then work towards building a cybersecurity strategy focused on protecting that data above all else. The loss of data containing personally identifiable information (PII) may be costly and regrettable, but it doesn’t represent the same level of existential threat to the business that would occur if intellectual property were stolen.
At a time when most cybersecurity teams are understaffed, it’s of the utmost importance, from a self-interest perspective, for cybersecurity professionals to force business executives to focus on the value of data. Otherwise, cybersecurity professionals will find themselves being measured on the total number of incidents rather than the actual cost to the business that the loss of data represents. It’s always good to reduce the total number of incidents. But given how many of those incidents are caused by end users ignoring established protocols, savvy cybersecurity professionals need to establish metrics that better reflect the things they can control.
For those with the right skills and temperament, cybersecurity can be extremely rewarding. But at a time when no one in cybersecurity can be 100 percent successful all the time, the definition of what constitutes winning needs to be more finely calibrated.