Cybersecurity is an ever-evolving industry. Because of the fast-paced nature of the internet, more of us are susceptible to attacks, and new waves of cybercriminals are becoming more sophisticated. In fact, according to Verizon’s 2022 Data Breach Investigations Report (DBIR), ransomware continued its upward trend with an almost 13% increase in the past year, a rise as big as the previous five years combined.
With this surge, many organizations look toward better security to help protect their data. However, these organizations also run into problems when starting and maintaining a cybersecurity program. From the saturation of tools to confusing regulations to a lack of guidance, these problems can keep you from achieving your security and compliance goals.
Let’s take a look at some questions surrounding the cybersecurity problem, how BARR uses our expertise to mitigate these issues for our clients, and what you can do to create a successful roadmap for a more secure future.
What is the cybersecurity problem?
Brad Thies, founder and president of BARR Advisory said, “The general problem with cybersecurity is everything seems to be working fine until it doesn’t, whether that is a hack, friction in doing business with government, customers, or fear of the unknown.”
This problem particularly affects small to medium-sized businesses that lack clear guidance on creating a cybersecurity roadmap that fits their needs.
“Often the cybersecurity roadmap is either too confusing to know what to do next or worse, it does not add any value to the business,” said Thies. “Too much dependency is placed on disjointed compliance standards, complex and vague regulation, ‘silver-bullet’ tooling, and misguided audits.”
And it’s this confusion that ultimately leads to greater vulnerability within your organization.
Why is the cybersecurity problem important?
Technical debt is the result of taking shortcuts to meet short-term objectives at the expense of long-term flexibility and security. As it increases, organizations risk accumulating a backlog of remediation work that consumes time and budget they must pay off in the future, or worse, a data breach.
A 2020 McKinsey survey found “CIOs estimated that tech debt amounts to 20 to 40 percent of the value of their entire technology estate before depreciation,” and that survey only took into account the integrity and availability part of technical debt.
“The cybersecurity problem is extremely inefficient and creates a significant amount of technical debt, especially in small to medium sized businesses,” said Thies.
“The most common mistake I see business leaders make is assuming a disruption can’t happen to you and failing to plan for one. It’s not expensive to develop a plan in advance, but it is extremely expensive and challenging to come up with a plan on the fly when a real issue does arise. Start small and, at the very least, define accountability, so it’s clear who’s in charge when there is a problem.”
What to Do When Getting Started
While there are many resources to consider when starting your security roadmap, there are specific steps you can take to create a clear path toward security and compliance. Here are a few factors BARR believes you should take into account when getting started.
- Alignment: A clear cybersecurity vision includes alignment with strategic objectives, an understanding of core values, and short- and long-term goals. This also includes defining the scope of your security management system and making risk measurement a priority when developing your security roadmap.
- People: People are at the heart of your security program. Defining who is accountable and how people are recruited and evaluated, as well as partnering with external experts, can set you up for success.
- Data: Use cybersecurity scorecards and key performance indicators (KPIs) to help ensure visibility for risks and threats. Create a plan for who owns this data and how often it’s checked.
- Process and automation: Do more with less by using a platform to automate your primary security domains.
- Continuous improvement: When improving your cybersecurity program, consider how to gain traction, prioritize security issues, and strive for continuous security and compliance.
“The next most common mistake is assuming that a tool or third party is going to adequately address your issues,” said Thies. “Tools are critical, but you have to know how to fine-tune and use them. Otherwise, you might be creating more risk. Third parties are great as well, but there must be a partnership.”
BARR’s Perspective on the Cybersecurity Problem
When it comes to solving the cybersecurity problem, BARR provides a unique perspective. Julie Mungai and Dan Mathewson, managers of BARR’s Cyber Risk Advisory practice, share how BARR draws on its experience to help customers not only respond to these problems but anticipate them.
Before the engagement period, clients have the opportunity to work with BARR on a readiness assessment, which prepares them for their audit.
“As soon as clients come in our door, we’re having high-level roadmap discussions,” said Dan Mathewson.
During the readiness assessment, BARR consultants help you identify the controls already in place and any gaps you might be missing. In as little as a week, BARR can provide you with a value-added gap assessment that gets you ready for your audit and prepares you for future risks.
Mathewson added, “The readiness process helps to make sure you have everything in place prior to your audit. At BARR, we have excellent tooling and deliverables that make sense and are adjustable to your specific needs. We help set expectations through transparent and simple conversations and provide a clear timeline to ensure the roadmap between the readiness assessment and the upcoming audit is clear and defined.”
When it comes to controls, there is no one-size-fits-all approach. BARR helps clients hone in on their most critical data and bring controls closer to that data.
“BARR can help with control protection,” said Mungai. “Rather than focusing on blanket controls, we hone in on your most critical and sensitive data, assess existing controls, and provide recommendations on right-sized protections which help make better investment decisions by having a targeted focus.”
At BARR, we believe that people are at the center of cybersecurity. That’s why consulting is our main focus. BARR provides unparalleled support and transparency through various consultation practices that set us apart.
Mungai said, “Our goal is to help businesses scale-up to their potential by integrating security and designing a framework from the get-go as opposed to simply reacting to problems as they arise.”
Here are a few ways in which BARR provides continuous consultation for our clients:
- Collaboration: When working with BARR, you have the opportunity to provide feedback in real time with your auditor. We use shared documents to communicate with you and work with transparency in everything that we do.
- Communication: Additionally, BARR offers the option to join one of our client Slack channels, where you can talk to an auditor and ask questions that we can answer quickly and efficiently. While almost everyone has email, the back-and-forth of sending emails can create significant wait time. With Slack, our clients can get the answers they need in a time frame that matters.
- Awareness: BARR consultants stay current with cybersecurity trends and communicate those trends to clients.
“When we identify a new trend, we discuss it with our clients,” said Mathewson. “We have open conversations with them on their stance about newer risks and come up with a solution together that works best for them.”
Are you interested in working with our consulting team to create a security framework for your organization? Contact us today.