
Why cyber hygiene isn't enough

In numerous discussions and forums recently, the conversation about the need for a risk management approach to cybersecurity has quickly devolved into a discussion about cyber hygiene and, ultimately, a discussion about compliance (with perhaps some simple metrics thrown in).


This pattern of following a difficult but business-oriented discussion of risk with a trivial oversimplification is common within government and industry circles—and even among the most sophisticated CISOs. What we really need, however, is a holistic risk framework and a solid commitment to risk-based measurements in order to accurately understand and defend against the most serious cybersecurity threats facing our country. Too often we focus solely on cyber hygiene, which, while important, doesn’t fully address the more severe risks organizations face with increasing frequency.

Consider the analogy to personal hygiene. Do we believe everyday tasks such as brushing our teeth, washing our hands and taking a shower will prevent serious illnesses, birth defects or cancer? No. We believe that although good hygiene will help prevent many common ailments and even life-threatening diseases—from periodontal disease to the flu—it fails to thwart those more complex ailments. Because of this, we know we need to continue funding cancer research to find a cure, taking antibiotics for serious or chronic infections and leveraging technology such as MRIs to identify internal maladies that don’t respond to simple hygiene changes.

Simple practices don't prevent serious risks

In a similar way, cyber hygiene lends itself to simple surveys, compliance scans and audits. But will those perfectly acceptable practices help prevent more serious risks? I’d argue not, as those real risks often require something much more analytically sound and scientifically grounded. It is certainly good to be able to report that an organization passed an audit on a required security compliance regime, but it is difficult or impossible to describe how much risk was reduced by that level of compliance (or how much remains).

What is needed is a truly analytical framework that enables executives to communicate in the language of risk and the language of the business. And while I like some aspects of NIST 800-30 (mainly the definitions), it’s certainly not helpful for implementing a risk approach. At the highest level, a risk analytic approach should answer these questions:

  • Which threats are most likely to occur?
  • What are our greatest vulnerabilities?
  • What would be the consequence if a threat event was successful?

Translating these into business terms is key, and measuring them so that risks and countermeasures can be prioritized is essential. Further, the approach needs to be analytically valid and automated, not just a once-in-a-while paper endeavor.
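As an added illustration (my own example, not the author's framework and not NIST 800-30's method), the sketch below scores each scenario on the three questions above and ranks it in dollars. The scoring model is an assumption: likelihood of the threat event, probability it succeeds against current controls (the vulnerability), and business consequence, multiplied into an expected annual loss; countermeasures are then compared by loss avoided per dollar spent. The risk register and the costs are constructed sample data, chosen only to show how a checklist view and a risk view can disagree about what to fix first.

```python
"""Illustrative risk ranking (added example, not from the article).

Assumption (mine, not the author's or NIST's): each scenario is scored on the
article's three questions and prioritized by
    expected annual loss = likelihood * vulnerability * consequence.
All figures below are constructed sample data."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float     # 0..1, probability the threat event occurs in a year
    vulnerability: float  # 0..1, probability it succeeds against current controls
    consequence: float    # dollars lost if it succeeds
    compliant: bool       # does the related control pass the audit checklist?

    def expected_loss(self) -> float:
        return self.likelihood * self.vulnerability * self.consequence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    target: str           # scenario name it applies to
    vuln_after: float     # vulnerability once the measure is in place
    annual_cost: float    # dollars per year to run the measure


# Constructed sample register: both compliant and non-compliant items
REGISTER = [
    Scenario("phishing -> credential theft", 0.90, 0.40, 300_000, True),
    Scenario("ransomware via exposed RDP", 0.30, 0.70, 4_000_000, False),
    Scenario("lost unencrypted laptop", 0.50, 0.10, 50_000, False),
    Scenario("insider data exfiltration", 0.05, 0.60, 3_000_000, True),
]

# Constructed sample countermeasures, one per scenario
MEASURES = [
    Countermeasure("phishing-resistant MFA", "phishing -> credential theft", 0.05, 60_000),
    Countermeasure("remove RDP from internet", "ransomware via exposed RDP", 0.15, 20_000),
    Countermeasure("full-disk encryption", "lost unencrypted laptop", 0.01, 15_000),
    Countermeasure("DLP + egress monitoring", "insider data exfiltration", 0.30, 120_000),
]


def rank_by_expected_loss(register):
    """Answer 'which risks matter most?' in dollars rather than pass/fail."""
    return sorted(register, key=lambda s: s.expected_loss(), reverse=True)


def compliance_view(register):
    """What a checklist audit reports: the failing items, with no magnitude."""
    return [s.name for s in register if not s.compliant]


def risk_reduction(measure, register):
    """Expected annual loss removed by a countermeasure (dollars per year)."""
    before = next(s for s in register if s.name == measure.target)
    after = replace(before, vulnerability=measure.vuln_after)
    return before.expected_loss() - after.expected_loss()


def prioritize_countermeasures(measures, register):
    """Order measures by loss avoided per dollar of annual cost."""
    scored = [(m.name, risk_reduction(m, register) / m.annual_cost) for m in measures]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print("Audit view (failing items only):", compliance_view(REGISTER))
    for s in rank_by_expected_loss(REGISTER):
        print(f"{s.name:32} ${s.expected_loss():>12,.0f}/yr")
    for name, ratio in prioritize_countermeasures(MEASURES, REGISTER):
        print(f"{name:32} {ratio:6.2f}x loss avoided per dollar")
```

With these constructed numbers the audit view lists the laptop scenario next to the ransomware scenario as two equal "fails", while the risk view puts ransomware first by a wide margin and shows that two scenarios the checklist marks as compliant (phishing, insider exfiltration) still carry more expected loss than the failing laptop item. The same functions can be re-run on every register update, which is the "automated, not once-in-a-while" property the paragraph asks for.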

Like human hygiene, organizations must maintain regular cyber hygiene for healthy outcomes. But it’s critical they don’t neglect the tools and processes that mitigate cyber risk—the most serious threats to our security. Both are critical, and it’s essential we understand the differences.

Are you seeing good examples of risk programs? Please share! In subsequent posts, we’ll discuss analytical approaches and review some good examples.

IDG Insider

IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.
