Managing regulatory compliance is just one important aspect of ensuring a strong security strategy.
Martin Riley, Director of Managed Security Services at Bridewell Consulting, discusses the problem of using compliance and regulation as the drivers of a cybersecurity strategy.
Today, cybersecurity is one of the top five boardroom topics — and not just for companies operating in heavily regulated industries. The consequences of a cyber attack now go well beyond disruption and lost revenue. Reputational damage, falling stock prices and the possibility of hefty fines for breaking the rules are very real threats. And depending on the seriousness of a violation, the position of CEO can even become untenable.
With the risks clear, many business leaders are turning to industry for support, using regulation to guide best practices. While regulations like the Network and Information Systems Directive (NIS) and the General Data Protection Regulation (GDPR) undoubtedly play a role in strengthening cybersecurity, too many organizations make the mistake of using them as a driver of cybersecurity strategy. Not only can this lead to huge investments in policies and controls that don’t always bring greater tangible benefit to the organization, but it can also encourage a myopic approach focused on ticking boxes.
The primary responsibility of business leaders is to drive the cybersecurity strategy from the top down, and a short-term, tactical approach will not achieve that. To remain cyber resilient in today’s landscape, organizations must shift the focus from prevention to detection, containment and response, backed by the right services, such as managed detection and response (MDR) and recovery validation.
Define goals
To drive real improvements in cybersecurity, business leaders need to consider whether their pursuit of compliance is guided by the right intentions. While compliance is a necessity, inconsistent enforcement by different regulatory agencies and differing interpretations of guidance by different organizations make regulations an unreliable yardstick for security improvement.
Instead, leaders must define their own cybersecurity goals, the transformations needed to achieve their business goals, and adopt a strategy of continuous improvement through intelligence and automation. To do this, they need to access external expertise to define the baseline of their security strategy today and determine the scope of what is possible.
Moving away from a compliance culture
Assuming that a security certificate alone provides a reasonable level of cyber integrity is also a risky move. A culture of compliance can foster a mindset of reactivity rather than proactivity, where security teams invest time and effort only in renewing their certifications. And when the focus is solely on making sure the ink on the certifications is dry, employees feel less responsible and accountable for adhering to security best practices.
The focus should not be on simply adding more and more controls, but on implementing the right ones and using them effectively to understand and mitigate risk. This can be accomplished by adopting an MDR strategy that goes beyond the bare bones of regulatory compliance and is fine-tuned to keep organizations prepared against emerging threats.
The role of MDR
MDR is a 24-hour cybersecurity service that combines modern security technology with human analysis, artificial intelligence and automation to quickly detect, analyze, investigate and actively respond to threats instead of just generating alerts. And with the right solution, organizations can consolidate existing investments in proactive security to reduce detection to minutes.
An MDR solution also enables organizations to develop a reference security architecture that facilitates the protection of on-premises and legacy systems, SaaS solutions, and cloud-based infrastructure and applications. It also helps security teams protect against and effectively respond to emerging security and user identity threats while shortening the dwell time of security breaches.
The best forms of MDR use Extended Detection and Response (XDR) technologies that enable detection and response across endpoints, networks, internet and email, cloud and, above all, identity, together with a service package that goes beyond what technology alone can deliver. This means all users, assets and data remain protected, regardless of where the attack is coming from.
Similarly, by choosing a solution that leverages existing investments in Microsoft 365 licensing, organizations can consolidate security vendors and reduce security technology budgets while increasing security coverage and visibility. Security Orchestration, Automation and Response (SOAR) solutions such as Microsoft Sentinel can also greatly improve the efficiency of implementing an early warning system.
Look beyond technology
While technology plays a critical role in an effective cyber security strategy, it alone does not provide a solution. Leaders must also consider the organization’s processes and people. When organizations don’t have the right processes or people in place to manage new technology, it can be easy to fall back into old habits.
Many organizations are opting for a hybrid Security Operations Center (SOC) to underpin their MDR strategy, combining the cyber capabilities of in-house engineers, cybersecurity teams and an MSSP into a single facility. MSSPs fill the gaps in defenses and upskill internal teams to stay on top of evolving threats and technologies. This approach can also free up internal staff to drive projects and internal improvements while the MSSP takes the lead on high-value incidents.
Always one step ahead
When the goal is to improve cybersecurity while meeting your business goals, regulations will only go so far in addressing the problem. Attacks will continue to plague all sectors, and the right detection, response, and remediation will mean the difference between those that make headlines and those that don’t.
To improve cyber resilience, organizations need to implement a well-thought-out strategy that focuses on MDR: one that not only satisfies legal requirements but also improves the organization’s overall security posture. This will lift organizations beyond the basic need to comply with emerging regulations and instead push them to better combat emerging cyber threats.
This often means a complete rethink in terms of technology, processes and people. Crucially, however, transformation itself is never the end goal. It is essential to ensure that the organization has the right processes and people in place to manage the new technologies beyond project completion. For organizations that do not have their own dedicated and highly skilled security response team, managed security services combined with automation are proving to be a compelling proposition.