Issue Twenty

December 2023

The more things change, the more they stay the same. While the conversation regarding cybersecurity has evolved, the conventional approach remains unchanged, creating more questions than answers. Where does cybersecurity fit within an organization? What constitutes “basic duty of care,” and who should be responsible for ensuring that standard is being met? How do we position cybersecurity from a budgetary perspective?

The positive note is that we’re no longer talking about the necessity of protecting our organizations. We’re now working to understand the complexities of integrating into a world where cybersecurity is first principle thinking. A world in which we all play a critical role in protecting the relationships and reputations we’ve spent years building.

No longer are we standing idly by waiting to be told the questions are important. We are actively seeking out answers and participating in conversations. This month’s issue of Target Lock seeks to provide logical and practical solutions to this overarching challenge. Solutions that begin with changing perspectives and understanding we, as humans, play the most vital role in cybersecurity.

“Change is inevitable, change will always happen, but you have to apply direction to change, and that's when it's progress.” – Doug Baldwin


ZEROING IN


Fear Is Not the Answer

Silent Quadrant

Fearmongering and the blame game are ever present in an industry designed to serve. When we see these characteristics within social environments, we are quick to reject them – yet these tactics have been used to push cybersecurity products for years.

“There are only two types of companies – those that have been breached and those that will be.” We hear this narrative ad nauseam, and its basis is lazy, unfounded, and intended to scare organizations into buying more. Do we need cybersecurity technologies to help protect our organizations? Yes. Are these technologies the solution? No.

The solution is in the approach, and the right approach addresses the nuances of human nature head on. You can’t “productize” it, and you can’t scale it. That’s where the industry falls short. When I first began studying cybersecurity statistics, nearly eight years ago, around 95% of breaches were attributed to some form of human error. Today, that dramatic statistic remains the same. We are busy, distracted, and multitasking more than ever - and threat actors are capitalizing via extremely clever social engineering techniques.

Innovations in security technologies will never outpace the sophistication of threats – nor will they account for every facet of human nature. Relegating security to the IT department is therefore illogical and unreasonable. If we are going to move the needle in the right direction, or at all for that matter, we must understand the importance of creating a culture of security. A culture in which security-minded behaviors are instinctual, habitual, and demonstrated throughout the entire organization.

On the journey to creating a security culture within our organizations, there are a handful of things we must understand:

  1. Security Should Never Be Siloed

     Your employees should understand the support they have throughout the entire organization, and feel confident taking action - such as:

       • Forwarding suspicious emails to the IT department or designated security team members for investigation.

       • Reaching out to coworkers through alternate means - like phone, text, or Slack - if they receive a suspicious communication.

       • Feeling comfortable reporting a potential incident, unusual activity, or a breach – without repercussion.

  2. Policies Support Purpose

     Organizations need policies to address human resources, data retention/classification, third-party management, and email security – to name several. There are templates available which you can leverage and tailor to your business. These can include everything you need for compliance with CMMC, PCI DSS, SOC 2, or other frameworks and regulations.

  3. Frameworks Are Foundational

     Security frameworks are guides that can help you navigate everything from digital transformation to business differentiation. They provide guidance on which policies you need, give you a benchmark for compliance, and put you in a strong position when you need to answer vendor security questionnaires.

  4. Training Equals Resilience

     During a crisis, you must have a clear plan of action to minimize disruption. Live-action training like simulations, tabletop exercises, and monthly cybersecurity awareness training can help staff understand how and why a security incident unfolds and what to do about it.

  5. Teaching > Reprimanding

     Fear of punishment causes employees to brush off suspicious activity or hide cybersecurity incidents rather than report them. Provide every opportunity for teaching and learning, without consequences.

Cybersecurity is no longer an occasional conversation at a staff meeting. It has become the way we do business every day. From board members to interns, protecting the business must become a priority for everyone – and we must all do our part to ensure we’re leading with purpose and not fear. We move in a more positive direction when our return on investment is measured through transformation as opposed to transaction.

SQ Insight: Adam Brewer - CEO


Moving at the Speed of Trust – Cybersecurity as a Business Growth Enabler

Silent Quadrant

On the heels of the global pandemic and now strengthening economic headwinds, many organizations are giving careful examination to their centers of cost. And while necessary, it is an exercise fraught with potential peril, particularly at times like this: cut too much - whether human capital, external expenses, or research and development, for example - and you risk endangering catalysts of growth.

One such area experiencing heightened scrutiny is cybersecurity. Given the ongoing costs associated with ensuring organizational security, as well as the fact that it rarely makes an apparent difference to the bottom line, many view it as simply a cost center with no tangible, measurable upsides. Indeed, the traditional narrative of cybersecurity has been centered on constraint rather than on business opportunity and growth enablement.

Yet, according to a recent paper, Prosper in the Cyber Economy, by IBM's Institute for Business Value (IBV), some organizations appear to be pushing back against long-held assumptions.

"Sixty-six percent of respondents now view cybersecurity primarily as a revenue enabler. This makes sense when you consider that organizations with advanced security capabilities are realizing better business outcomes."

Notable within the research is that the organizations with the most mature security program have seen a 43% higher revenue growth rate than the least mature enterprises.  Cybersecurity is a differentiator.  In short, security maturity fuels growth.

"...organizations with the greatest security maturity use their investments in security to enhance business outcomes. For organizations with the greatest security maturity, this takes the form of better risk awareness, greater visibility, deeper integration, more accountability, and more effective governance."

Additionally, shared responsibility - organizations working alongside partners to ensure a consistently strong security posture - reveals additional opportunities such as shared resilience and shared value. This enables an organization's security program to disrupt silos, connect disparate units within the enterprise, and extend capabilities and opportunities further out into the broader partner ecosystem. Accordingly, the biggest opportunities arise from security's unique position – one which spans the entire organization and partner ecosystem – making it the tip of the spear for broader transformation benefits.

"...when leaders take a more proactive, collaborative, and integrative approach to cybersecurity, they not only reduce risk but increase profits. By expanding the aperture beyond the immediate threat environment — by focusing on risk exposure and IT/IS resilience — organizations can realize a more mature security posture that can power business transformation."

Ultimately, security maturity both builds and maintains the most profound catalyst for business growth: digital trust.  Trust, within our digital economy, is the new currency.  It is the experience and the aesthetic that drives impact, growth, and profit.

According to new research by DigiCert, digital trust is now a key driver of customer loyalty, with 84% of customers indicating that they would consider leaving a vendor that did not properly address and actively manage digital trust.

"…as customers become increasingly aware of the need for digital trust, and more than willing to switch vendors if they lose trust in an organization, companies that fail to strategically invest in digital trust will start to feel the impact on their bottom line…"

Conventional thinking has long defined security around operational constraints.  The world has changed.  We must shift our perspective and approach to re-envision cybersecurity as the seed of opportunity.

SQ Insight: Kenneth Holley - Chairman


New Trade Regulation Rules Necessary for Privacy and Data Security

Silent Quadrant

Expansive commercial surveillance practices, poor data security, and the absence of uniform and comprehensive privacy and data security protections led the Federal Trade Commission (FTC) to publish an advance notice of proposed rulemaking (ANPR). The FTC recently extended its request for public comment on the pervasiveness of commercial surveillance and data security practices that harm consumers.

New trade regulation rules or other regulatory alternatives would set standards on how companies (1) collect, aggregate, protect, use, analyze and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. It’s imperative to act in the face of evolving data privacy laws and questions related to data security, collection, use, retention, and transfer of consumer data and consent. 

Data Security

The U.S. woefully lags behind other countries (and several states) in protecting citizen data.  While some call for the FTC to wait until a federal privacy law passes, the time for public debate and action by the federal government is long overdue. Though rulemaking may not substitute for legislation, it can improve the current losing game in which neither individuals nor the law can keep up with the pace and scope of data collection.

New trade regulation rules would establish a baseline for business expectations and obligations to the benefit of U.S. consumers. Moreover, the FTC has authority to issue trade regulation rules, “which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce.” It’s time to shift the perspective on privacy from what is most convenient for businesses to what offers the greatest consumer protection.

Data collection, retention, and poor internal controls leave personal information vulnerable to unauthorized access. While the FTC is justified in implementing security obligations and should require minimum data security measures, I urge caution against a new set of standards. The federal government has established Minimum Security Requirements for Federal Information and Information Systems as well as Standards for Security Categorization of Federal Information and Information Systems. These standards, while applicable to federal information systems, could be adapted for the private sector and the Commission could incentivize their adoption. Creating a new set of standards would confuse, complicate, and diminish data protection efforts.

The point here is to standardize a general trade regulation rule across sectors, while avoiding a sector-specific-only approach. Many sectoral laws emerged long before today's technology innovations and reacted to the risks and threats relevant at the time, but they do not adequately address evolving data privacy issues in today's increasingly digital environment. There might be additional requirements for certain sectors, but a baseline across all sectors would prove quite valuable.

Existing privacy rules, such as HIPAA, place the burden on individuals to know what and how to manage their data, and to navigate the plethora of notices and obligations associated with each. Consumers simply ignore the notices without considering the privacy or security impact. Trained lawyers have a challenging time navigating the minefield, so why would we think the average consumer could or should do better? It is time to take a fresh look at appropriate safeguards that support consumer awareness through a privacy-first approach. Meaningful change is possible through this rulemaking.

Collection, Use, Retention and Transfer of Consumer Data

Three concepts underpin data privacy and should be mandatory provisions. The first is data minimization, which provides that the collection, processing and transfer of information should be limited to what is reasonably necessary, proportionate or required to provide the service requested by the consumer or individual.

Second, adopt tighter restrictions and prohibit data practices regarding sensitive information. If it’s not required, prohibit the collection, processing or transferring of social security numbers, biometric information, nonconsensual intimate images, and genetic information.

Third, require privacy (and security) by design. Rules should address implementation of reasonable data collection, processing, and transfer policies and practices that mitigate privacy risks (most certainly for minors, if applicable) related to the design, development, and implementation of business products and services.

Data protection requirements must account for the rights of the individual or consumer – the data subject. Placing the rights of an individual or consumer first is key to promoting privacy by default. If privacy by default is in fact a goal of this rulemaking, consumers must be empowered to make simple, universal choices regarding their personal information and to withdraw consent at any time without undertaking a complicated process to do so.

SQ Insight: Tony Ogden - President, GRC

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
