When you think cyber security, what comes to your mind first?
I’ve posed that question to many an audience over the years and most frequently the response is what folks see on the nightly news or through some new source. Recently people will respond with examples such as Home Depot, Target, Sony, JP Morgan and the European Central Bank which of course are just a few of the most notable instances of breaches we seen in the news over the last twelve months.
I point out to these same groups that in reality, there are only two forms of cyber security and its Proactive Cyber Security and Reactive Cyber Security. I’ll explain what that means and let’s see if you agree.
Reactive Cyber Security situations are going to be in the news because something bad has happened. Reactive security companies help you clean up the mess. When you become aware of a cyber security breach at some company, it’s probably because you are watching the business catastrophe unfolding through some syndication source. You eventually get a notification by the company, your bank or credit card provider informing you that your private and personal information has been stolen which leaves you to worry and watch hoping that nothing bad happens to you.
From a business standpoint, it has become painfully obvious at all levels including shareholders that cyber breaches have a really negative impact on business value not to mention careers of everyone involved especially at the highest levels of the company. We have all seen for the first time in 2014 CEOs, CIOs and CISOs losing their jobs as a direct result of culpability or negligence on their part.
No doubt about it, cyber security breaches have a hugely negative impact on the financial health and reputation of the victim company.
So this brings me to the second form of cyber security which is proactive cyber security. Proactive Cyber Security is all about keeping you out of the news by implementing the right controls and countermeasures. We know it’s not enough for the government or the private sector to have rules and regulations. PCI DSS certification did not save Target, Home Depot or other retailers. The FFIEC or the NIST Framework for Improving Critical Infrastructure Cybersecurity did not save JP Morgan or other financial institutions from their breaches.
You need qualified assistance to make it effective. It’s tough when there are not enough talented cyber security professionals to go around. Businesses are short-staffed. Academia is not training and educating enough to keep up with the demand.
The best possible course of action to avoid being the latest corporate cyber security breach is to take a proactive approach. I’m the CEO of Lazarus Alliance and we are a Proactive Cyber Security service firm.