As one of the most volatile years in history comes to an end, the one thing that hasn’t changed is the importance of having a strong (and flexible) cyber security framework. While it can help to look to your peers and other organizations in your industry, it is critical to also understand your particular cyber security framework and its risk potential. Eyes on your own paper, as they say.
In the latest ReimaginingCyber podcast episode, Jim Routh, Head of Enterprise Cybersecurity at MassMutual, discusses the importance of understanding your risk profile and how to mitigate the threat of cyberattacks. “You can take the same type of company, in the same industry, same relative size, same technology architecture, it turns out that they could have a very different risk profile. There isn’t a one-size-fits-all model for cyber security. There never was.”
A risk profile identifies and analyzes your current security resilience against industry standards. Assessments like the 360° Cyber Resilience Assessment Tool can provide a risk analysis for you, show you where your gaps are, and show how you can become more cyber resilient. An organization’s risk profile is shaped by many factors: company size, the amount of data collected, the type of data collected, and the number of systems accessing that data, to name a few. As companies grow, so does their risk profile. Without a keen understanding of your cyber security framework, the gaps it may have, and a strategy for when (not if) there will be an attack, companies put themselves at risk.
Routh notes that the key to improving your risk profile is to use industry-standard risk frameworks as a starting point, but that understanding threat actors and implementing non-conventional controls is critical.
“There is a difference between compliance-based security and risk-driven security. Risk-driven security is studying threat attacks and tactics and non-conventional controls. Conventional controls are well established in risk frameworks and a great place to start but are insufficient and not enough,” he says.
When I was in sales, our VP always reminded us to “think like the customer.” Now, it seems that cyber security is about “thinking like the attacker.” In the past, by focusing only on industry standards that weren’t customized to company needs, organizations were ill prepared for cyber attacks. With a more focused approach, tailored to their needs and to the gaps in their security framework, companies are better prepared.
If you haven’t yet, I highly recommend listening to Routh’s episode on ReimaginingCyber. He shares a few really great stories (including the one about how he had to meet with the OCC on his second day on the job as a newly-minted CISO!), how to get executive leadership on board and shift their thinking regarding cyber security, and where and how CISOs should focus within their ever-growing “To Do” list.
You can find the latest episode of Reimagining Cyber on Apple, Soundcloud, Spotify, Stitcher and Google Podcast. Give it a listen and let me know what you think. Do you agree with Routh’s cyber security strategies?
CyberRes is a Micro Focus line of business, focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberResilient.com.