Investing in all the people and processes that make up a sound cybersecurity framework is out of the reach of most mid-sized businesses
As threat vectors in the cybersecurity landscape continue to expand, there is one hard fact that most businesses, either large or small, have learned over the past decade; they neither have the manpower nor the budgets to address their in-house challenges. The premise that a magical one-point solution for firewalls, antivirus and endpoint protection would be a panacea has failed. Unfortunately, most companies have discovered that it just doesn’t work that way. Your organization must have a strategic framework of security that includes, people, processes and technology. But perhaps the most important approach for a holistic cybersecurity plan is considering business operations first and then aligning technology to complement the business mission.
For veteran cybersecurity expert Jeremy Rasmussen, a certified CISSP with more than 24 years of experience in developing secure communications systems and providing cybersecurity consulting services in both the private and military sectors throughout the world, creating a vendor-neutral solution that truly applied a holistic approach that turns cybersecurity challenges into business enablers and business differentiators is what drove the development of Abacode Cybersecurity, a Tampa-based cybersecurity and compliance consulting firm that provides risk-based solutions for growing organizations across all industries. Courtesy of Getty Images — Credit: gorodenkoff
“There are real pressures driving organizations to become more mature and sophisticated in their cybersecurity approach to address emerging threats like ransomware and very organized cybercriminal gangs. But beyond that, regulations that are emerging with privacy and cybersecurity laws and industry pressures for companies that are doing payment cards and must follow PCI standards that are driving compliance needs, there also supply chain pressures. It’s getting to be where you can’t even do business with another company anymore unless you fill out a security questionnaire saying that you’re going to protect their data to some certain standard,” says Rasmussen, citing a specific instance like a small auto parts company that is far down the food chain of one of the Big Three automakers, but must be cybersecurity savvy and privacy compliant to even compete for those multi-million-dollar contracts. “Previously, the question for this (small) company would have been, ‘How can I possibly spend $100,000, $200,000 on security?’ But now there is a simple answer to that question. They don’t get the $10 million contract unless they do spend the money.”
Cybersecurity as a Service
The reality that most small to mid-sized businesses simply don’t have the expertise in-house to ensure they meet many of the security and compliance standards it takes to partner with enterprise firms is driving another, more palatable solution offered by a Managed Cybersecurity & Compliance Provider (MCCP). One such company, Abacode, which Rasmussen is Chief Technology Officer and CISO, is a next-generation MCCP that leverages a unified platform that helps smaller organizations implement a holistic, framework-based cybersecurity program. The objective is to transform cybersecurity challenges into a competitive advantage and allowing a business to make objective and reasoned security investments. This turnkey certified solution provider can provide all the necessary disciplines needed to meet regulatory mandates and business cybersecurity standards. Working in collaboration with third-party audit, attestation and certification bodies, companies can now complete the gaps required to meet a compliance standard and the implementation and ongoing management of an entire cybersecurity program. It is a unified services platform designed for ongoing compliance changes and updates along with continuous cybersecurity monitoring and management.
In other words, the solution is a game-changer for mid-sized organizations looking to compete on a bigger stage and for more lucrative contracts. Taking cybersecurity to the next level where it is an integral part of business operations ensures that issues like compliance, privacy and security are addressed on a consistent basis.
“We would like to get somebody compliant and keep them compliant forever. You know, be their outsourced team partner. We know that it’s the right thing for a number of reasons. First of all, there’s a distinction between IT and IT security. Just like the body has a central nervous system, it also has an immune system — they’re two separate systems, but you need both of them to live. That’s how we see cybersecurity – it is a business’s immune system. We provide checks and balances and separation of duties between what IT is doing and what the cyber folks are doing. IT can’t check its own work, so sometimes you’ll have executive leadership not knowing even where to start with cybersecurity. They reach out to their IT folks, either internal or outsourced and ask if anybody is helping them develop software for something like cloud hosting, wondering what they should be doing. Usually, they’ll get a bunch of different answers, disparate answers, not necessarily the right answers for a number of reasons,” admits Rasmussen.
“But mainly it’s because those guys probably are not cybersecurity experts. It’s such a specialized field now. You need to stay on the cutting edge. You need to understand the TTP (Tactics, Techniques and Procedures) tools, techniques and practices of your adversaries. You need to understand the latest emerging technologies. If you are trying to be an IT person and wearing two hats, where one of them is just installing users and keeping the networks up and running, you are ill-equipped to be handling security issues.”
Because having a robust cybersecurity program has become a condition of doing business, outsourcing a portion of an organization’s cybersecurity that can implement a managed detection and response (MDR) strategy is operationally sound. An MDR provider can deliver round-the-clock network monitoring, including threat detection, incident analysis and providing a plan of action should a cybersecurity issue come up. Since almost half of all cybersecurity attacks are directed at small businesses, a Managed Detection and Response system is crucial for small businesses and by outsourcing MDR, small businesses can get reliable, 24/7/365 security from cyber specialists at a much lower cost than that of an in-house cybersecurity team.
How to Make the Business Case
For a non-enterprise organization, initiating a cybersecurity framework is not a normal process. Most businesses concentrate on network protection and call it a day thinking that they’ve done enough. Far from it. However, Rasmussen realizes like any security endeavor, success is based on buy-in and mitigating cyber risk is no different.
“It has to be an executive, top-down decision that we’re going to inculcate cybersecurity throughout the whole operation. But the nice thing is, I think we can provide some visibility, and we can give some quantitative analysis of reducing risk and return on investment for your cybersecurity program that the CFO can digest and that he hasn’t had in the past, we can help the organization get past the sense that you’re just pouring money into this problem; that it is this black hole, and you don’t where it stops,” Rasmussen says. “I feel as if we can give them this single pane of glass, so they understand they’re covering all the things they’re supposed to be doing for proper best-practices programs, and it’s costing them this much, you know, it’s a monthly OPEX cost now. Another huge issue I should mention is personnel. Where are you going to find the experts? Right now, there is about a four-million-person worldwide shortage of cybersecurity talent.”
Even if companies could find the cybersecurity talent, they couldn’t afford enough of them to properly man operations further contends Rasmussen.
“We know it takes something like nine to 12 months to even find one qualified resource. So, you’re not going to be able to find all those people on your own. And if you’re really going to run a program the right way, you’re going to need a minimum of eight people. You’re going to need two on operations around the clock, eyes on glass monitoring and doing instant response. You’re going to need at least two others that are going to do policies and procedures and monitoring a compliance portal. You’re also probably going to need more than that for pen testing and all these other things,” he adds. “There’s no way even a mid-sized enterprise can dedicate eight full-time resources to cybersecurity. It really makes sense from a financial standpoint to outsource that to a team that can just handle the whole thing for you.”