Published on January 25th, 2023
Diligent Cybersecurity Requires More Than A Month Of Our Attention
Rami Sass, cofounder and CEO at Mend.
Cybersecurity Awareness Month (CAM) marks a call to action from the government and private sector to raise awareness for both individuals and organizations to understand the risks of cybercrime and hacking. Through diverse programming and themes, CAM helps quantify the risks associated with lax—or nonexistent—data or information security (InfoSec) practices among consumers and enterprises.
This past October, we saw leaders across the industry acknowledging the initiative, now in its eighteenth year. But unfortunately, highlighting cybersecurity during the month of October alone does a disservice to a lot of people and companies. Why? It suggests limiting these initiatives to one month of the year—and leaves the door open for cybercriminals to prey on the organizations neglecting critical security measures for the remaining eleven months.
Cybersecurity awareness is important, but it's just the first step of an impactful cybersecurity initiative. Enduring organizations understand the significance of a continuous, year-round program and make cybersecurity a topline priority through investment and culture.
Here's how the best-equipped companies think about cybersecurity and what leaders should consider going into the new year.
Awareness is step one—but action makes the difference.
Cybersecurity is an evolving industry, and attackers are constantly changing their techniques to stay one step ahead—it's impossible to truly complete due diligence around cybersecurity within the span of one month.
As such, cybersecurity requires ongoing effort, investment, buy-in from executive leadership and security-aware cultures within organizations.
On the execution side, this requires significant legwork—especially for software companies. Think about the vast amount of code that powers any given application or service. It's crucial for teams to be aware of where threats may crop up. But cybersecurity initiatives also must expand beyond the cybersecurity or IT team—cybercriminals and hackers can gain access to critical data due to anything from weak employee passwords to poor data hygiene.
This is not to say that a formal time dedicated to cybersecurity awareness isn't important—in fact, October is an excellent time for companies to spend time safeguarding their assets. It's right before the holiday season, when cybercriminals bet on lax oversight and take advantage of skeleton security teams. But these threats don't just disappear when the holiday season is over. Cybercriminals are always looking for a way in—as such, companies should offer training and require stress testing throughout the year.
Invest in the right tools, protect against today's threats.
Implementing an effective security procedure starts with ensuring you have the right tools to tackle the current problem you are looking to address and having a protocol in place for potential future issues.
It's important that organizations review their current solutions and determine which need to be updated or replaced—a tool released a few years ago may have been great at the time, but it may not have received the updates needed to stay current.
As part of this process, it's important to consider what processes and manual work could potentially be replaced with automated solutions. Thanks to advancements in the industry, a number of mundane processes, such as identifying critical vulnerabilities, can now be automated, freeing teams to focus on more important tasks.
Investing in these tools is especially important given the sprawling volume of applications that organizations rely on nowadays. Companies use hundreds of applications across departments, and this number continues to grow year over year. And according to Forrester Research, applications are also the top cause of external breaches, as cybercriminals view them as one of the easiest entry points to attack. As supply chain attacks increase, overlooking application security (AppSec) is not an option.
Cybersecurity is a factor in business planning, starting at the top.
As threats become more commonplace and sophisticated, the security function must span beyond the perimeters of the IT department, requiring attention from both the C-suite and Board. Yet a fifth of CISOs report little contact with the CEOs at their respective companies.
Even if an organization's Board and CEO understand the value and necessity of infosec practices, experienced leadership is crucial in helping organizations remain secure: leadership that understands how to prioritize work around code inventory (or software bills of materials) and technical debt—as well as keeping apprised of known vulnerabilities and potential threats in the ecosystem.
Put in the work: Comprehensive security means building a security-aware culture.
Building a security-aware culture and fostering a collaborative workflow between developers and security teams strengthens any organization's cybersecurity program.
Consistent training, phishing tests and multifactor authentication requirements are excellent tactics to help build a company culture that values security and encourages employees to better understand the role they play in security.
Companies that don't keep up with cybersecurity practices at the same rate as innovation and new product development across their organization risk losing millions of dollars—not to mention tarnished reputations and potential liabilities around sensitive consumer data.
Key Takeaways
A serious shortcoming of CAM as it is now is that it positions cybersecurity as a one-and-done initiative—but this couldn't be further from the truth.
Safeguarding an organization means year-round, ongoing investment and effort. It also means a little bit of elbow grease and budget, but these efforts are bound to pay off in spades should another catastrophic vulnerability such as Spring4Shell or Log4j emerge.
Don't be an easy target by limiting your cybersecurity tasks to surface-level awareness during just a month of the year. Put in the work: Secure executive-level buy-in, invest in the tools your team needs and work to weave security throughout your organizational culture.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.