Cyber risk reduction is everything
As the epidemic of data breaches continues to affect organisations worldwide, so does the importance of the CISO role – and the ability to manage or overcome unacceptable levels of cyber risk.
High-profile breaches this year alone include the file transfer tool MOVEit (and many of its equally high-profile clients), Yum! Brands (KFC, Taco Bell, and Pizza Hut), ChatGPT, Google, and MailChimp. Closer to home, over 14 million Latitude customers in Australia and New Zealand were impacted by a data breach.
A 2019 Deloitte survey reported that 99% of organisations have outsourced some part, or the entire process, of their cybersecurity operations to third-party service providers. Deloitte noted: “…across the board, our survey respondents indicated that they turn to partners most often when it comes to security operations, vulnerability management, physical security, and training and awareness.”
And with good reason.
As CISO, the single biggest benefit of cybersecurity as a managed service is its ability to deliver to the standards and expectations laid out in your organisation’s risk management framework.
Cyber risk management has become an art unto itself as companies undergoing digital transformation are faced with simultaneously managing both traditional and modernised infrastructures. Few organisations can cope with the demands for expensive (and hard to find) specialised resources, 24/7 bandwidth, and the need for advanced cybersecurity technologies and tools.
So, what approach should you look for if you are going to outsource your cybersecurity?
With cybersecurity as a managed service, risk should be minimised from the outset with a full independent assessment of your environment to ensure all the basics are in place, fully operational and effective. Areas of risk need to be highlighted, and a baseline established to show where further cultural (training and awareness) and technological alignment is needed to meet or exceed the requirements of your risk management framework.
From here, expect the managed services cybersecurity team to apply quick-win controls that are both easy and low risk to implement. This will address your degree of compliance with what are regarded as the four most instrumental aspects of any organisation's security strategy: application whitelisting, patching applications, patching operating systems, and restricting administrative privileges. Next should be a review of where you sit in the Essential Eight Maturity Model and, if needed, a plan to raise your compliance to level three, i.e., implementing a range of tools such as specific application controls, workstation logging and monitoring so that anomalous activity can be quickly detected and investigated, and rapid patching of known vulnerabilities.
Your managed services partner should also offer up other targeted risk reduction strategies. If you are a more mature customer, they should help you to fortify your information security management system.
As cyber threats grow in sophistication and frequency, cybersecurity as a managed service is the most affordable, proactive, effective, and low-risk option for CISOs determined to protect their organisation. But don’t hesitate to ask the hard questions when you shortlist potential managed services partners – experience, reputation, approach, and expertise are everything.