We are a culture of “likes”, numbers and ratings. In today’s age, we have easy access to any public information on the internet, and thanks to the explosion of big data, we also have the ability to view, manipulate and compare numbers in a variety of ways. We’ve been conditioned to ask for the numbers in order to analyze them and tell a story, and this conditioning applies to everything from our personal Instagram accounts to our FICO credit scores. Ratings and the data behind them are important to our society, and nowhere is this more evident than in the business world.
Every business leverages data to evaluate their strengths and weaknesses. Whether you run a Fortune 100 financial institution or a smaller regional bank, your numbers tell the story of your organization’s appeal and economic health. Numbers inform not just the direction of your company, but they also explain its current standing. So, what if we started using a unified rating system for evaluating cybersecurity like we do in all other aspects of business?
This system is already underway. The U.S. Chamber of Commerce recently announced that finance titans like Goldman Sachs, Morgan Stanley and JPMorgan Chase, as well as retail giants like Starbucks and Home Depot, are combining efforts to establish shared principles for cybersecurity ratings. Meanwhile, the U.S. Chamber of Commerce has stated that a central security ratings system would allow organizations to review their own scores to identify weaknesses and seek the ratings of their partners, vendors or acquisition targets to evaluate risks.
There is no one-size-fits-all prescription for evaluating cybersecurity, and based on each organization’s size, industry or needs, developing these standards will require a tailored approach. From my perspective, having an offensive strategy and becoming more attacker-resistant are some of the most important aspects of cybersecurity — and they should play a major role in defining these new ratings. With this approach in mind, here are the top areas I think every organization needs to consider when assessing their security posture, regardless of size or industry:
Know Where Your Risk Is Coming From And Have A Clear Understanding Of Your Data
To protect your business from hackers, you need to have an idea of where your risk is and which areas of your business you’ve accounted for. Penetration testing (or pen testing) is the standard way for organizations to proactively find and fix weaknesses in computer systems, networks, web applications and other assets that criminal hackers/attackers may try to leverage to gain access. Implementing pen testing is important, but understanding the output and value of a security assessment is key: you need auditability, clear-cut metrics and actionable data to understand what’s been tested, how it was tested, and what’s been fixed versus what hasn’t.
Think Like A Hacker: Always Be On The Offensive
We believe that offense is your best defense — thinking like a hacker will help point to your company’s security vulnerabilities. Point-in-time security is not the ideal model, as IT teams are constantly dealing with changes in their environments. Therefore, an annual security check-up will leave you vulnerable. As technology constantly changes, so does the threat landscape. Security approaches need to evolve with the times. Malicious hackers take a 24/7 approach to breaching you, and they only need to be right once to take down your site or worse. Security teams need to constantly monitor and keep up to date with new hacking methods, which makes continuity key.
Leverage Resources Outside Of Your Own Company
Security is no longer just an IT issue — it’s a key C-suite and board-level topic that needs to be integrated into every business decision today. While it’s a top priority for many companies to hire the best cybersecurity professionals, demand for talent is outpacing supply, and there could be as many as 3.5 million unfilled cybersecurity jobs by 2021, according to Cybersecurity Ventures. Security organizations are realizing that their internal teams can’t do it all in-house, but with over 1,200 cybersecurity vendors on the market today, deciding which services and solutions to use can feel like playing darts blindfolded. It’s important to individually test vendors, and to scrutinize the ones you’re already using, against your security goals. It’s also essential to incorporate elements of crowdsourcing into your security strategy in order to mimic the activity of real-world malicious hackers and ensure that you’re attacker-resistant.
Investment in cybersecurity tends to come after a breach instead of before it. The natural cycle I’ve seen over the years is that a company not prioritizing proper security defenses gets blindsided by a major data leak or hack, loses customer/investor loyalty, pays millions in fines, faces additional fallout (like the Verizon-Yahoo merger being cut by $350 million over data breaches) and then finally increases its security budget so that it doesn’t have to experience this nightmare again.
While Goldman Sachs’ global security protocol may not apply to a local insurance agency in Montana, it’s clear that everyone needs to have a plan in place regardless of their current security rating. Start with these three focus areas, and your rating will be sure to rise no matter what industry your organization is in.
This article was originally published by Forbes Technology Council; you can find it here.