While conducting new business development and educating people about the field of cybersecurity, we have seen a predictable pattern emerge: a preconception about the size and complexity of cybersecurity. From the outside, people tend to view cybersecurity as a narrow field. It seems fair to say that people don’t realize the magnitude of what’s involved, namely:
- how many different things need to be done,
- how long it takes to adopt and institutionalize security,
- associated costs and risks,
- accountability and responsibility.
It’s Easy, Fast and Cheap, Right?
Cybersecurity is not unlike other complex fields, such as law and accounting. Oftentimes it seems like you can do most of it yourself if you can learn just enough about it. No need to engage a good lawyer or accountant to do it all. A little bit of Google. You know a guy or gal who knows a thing or two. You say things like:
- “How hard could it be?”
- “It shouldn’t cost that much.”
- “We’ll seek a bit of help to get started, and then we can do the rest.”
- “Once we enter into a steady state, this will be easy.”
Wrong.
Despite this belief, most individuals and businesses learn the hard way that there is a lot more to these fields than they realized. “No wonder people get advanced degrees and study these fields for life — they are deep and complex!” And… you do not want to get it wrong. The consequences could be dire.
We’re here to tell you that cybersecurity is the same way. If you think it’s easy, fast, and cheap, well, that’s a pipe dream. If that were true, everyone would be on the secure side!
How Big is the Cybersecurity Iceberg?
Really big, and growing bigger every day. With the entire world becoming connected by the Internet, today we have billions of people and tens of billions of devices in play. Technology is moving so fast that it’s hard to keep pace.
Who is going to protect it all? How are we going to do it? Billion dollar questions. Solutions wanted.
The tip of the iceberg that most people see consists of things like anti-virus, email and browser security, encrypted laptops, and passwords. I’d be willing to bet that the average person could name about 10-15 security controls off the top of their head. The average IT or security practitioner could probably name 50 without issue. Top security gurus will fire off a hundred or so before you kindly tell them, “Okay, that’s enough.” In fact, there are arguably about 1,000 security controls out there. Most people probably don’t know that.
But surely, you might wonder, no one needs to perform that many security controls to be safe. Well, that’s the misconception. Most businesses need to be performing 100-200 controls as part of normal diligence. And therein lies the problem. It doesn’t matter which one hundred things need to be done; that’s a lot of things, and they take significant time and effort.
The Big Catch
Business leaders, pay special attention.
Though you might get away with poor security for a while, eventually it catches up to you. An organization that has put off security has accumulated “security debt”: it is so far behind that the only way to get current is to spend significant money all at once. Now security really does look “so expensive.” And if you try to cheap out on security, it could be your undoing. I’ll tell you why.
You might think I’m going to talk about getting hacked and how bad that will be. Well I’m not. We are all aware that if you get hacked, then your nightmare is just beginning, or your business could already be in jeopardy of going under.
Instead, let me call your attention to a more subtle, yet everyday scenario, one that is far more frequent and involves a critical pillar of business success – making your clients and customers happy. I am talking about your client’s third-party risk management team putting your business under a microscope to decide whether they want to be doing business with you.
Overcoming the Third Party Risk Management Challenge
Large or regulated companies are crushing their vendors with heavy security, privacy, and compliance scrutiny. These money-tree companies cannot afford to engage vendors with weak security. It’s too risky!
When it comes to demonstrating your security posture to a key client or that game-changer prospective client with big pockets, you must show up ready to play the cybersecurity game.
What happens if you don’t? It puts you in the worst possible position. You find yourself unable to give good answers about your security program. Don’t even think about lying. Not only is it unethical, you don’t want to end up in court after you’ve been hacked, lost your client’s data, and lied about your security. You will be shown no mercy!
Here’s the scenario:
Your key client (or prospect) sends you a security questionnaire, hops on the phone, or comes out for a multi-day audit of your security program. You are unprepared. Allow me to give you the quick and dirty results of the assessment as interpreted by your client:
- No accountable cybersecurity person. No defined roles.
- No security policies (your drafts are too ugly to share). No evidence of process.
- No defense strategy. No data protection strategy.
- No business continuity or disaster recovery.
- No security awareness training or incident response capabilities.
- Oh but you do have anti-virus installed and a guest WiFi network.
- Yet you think Office 365 or G Suite automatically protects you from data loss, when neither enforces data-loss prevention, retention, or access controls until someone configures them. Hmm…
They know you’ve got nothing. Maybe they are generous and score you at 10% compliant. You are now considered High Risk.
Here are two likely outcomes of your relationship with the client. They’ll say to you:
- If you want to do business with us, you need to commit to remediating everything within 6-12 months. Deal?
- It’s too risky to do business with you. Let’s re-engage later or never. Good-bye.
It’s not a fun experience. You think, “If only we had started doing security earlier!” And that’s the right thought. If you had been putting off cybersecurity, this is the moment you realize that your business needs reasonable cybersecurity to survive.
The Honest Truth
People are simply unaware that cybersecurity requires significant effort. This is particularly true for younger businesses, start-ups, and established organizations that are getting their feet wet in cybersecurity for the first time. The problem is that they don’t know “so much” security is necessary, or fail to see the strategic value of the investment. The reality is that cybersecurity has grown so large that even a small portion of it is still “a lot” of work.
Aiming for the pinnacle of cybersecurity requires an astonishing investment. Doing so is usually reserved for the giants of the world, such as Amazon and Microsoft, or for highly regulated organizations that have no choice.
For the rest of the business leaders out there, take note: if you have not started down the path of cybersecurity, or think that a paltry investment reduces your risk significantly, it’s time to wake up. With recently passed privacy laws and your key clients requiring you to be secure, it’s only a matter of time before you will need cybersecurity, and you will need it quickly!
We’re here to help!
When it comes to cybersecurity, most businesses need expert advice to navigate the waters. By engaging with a company like Secureside, you get exactly that.
Please reach out to us directly or visit our website: