Magazine article Industrial Management

The Right Cybersecurity Controls Mitigate Risks

Article excerpt

It is no secret that cybersecurity risks add complexities that often restrict the process of seamlessly carrying out business transactions. Companies and institutions in a multitude of sectors need solutions that ensure confidentiality, availability and integrity of sensitive data to avert significant damages to their business.

However, companies should never fall into the trap of thinking that a set of solutions today will deliver them safely from the cybersecurity threats of tomorrow.

Unfortunately, many managers are becoming tone-deaf to the constant narrative of "it's not a matter of if you'll be hacked - it is a matter of when" and are being seduced by vendors that promise "peace of mind." These promises are dangerous and expensive fantasies that deliver a false sense of security.

That said, business must go on, and we are all responsible for taking pragmatic steps to mitigate cybersecurity risk. We do this by selecting and applying the right security controls for our businesses.

Identification is the first step

First things first, though: We need to recognize that there is no "one size fits all" solution. Each sector is different, and each business is different, even those within the same industry.

Moreover, each business has a different risk appetite from its peers. The right controls for one business will prove excessive for the next and not enough for the third. Therefore, the first thing that must be established is what your organization's risk appetite is. That is set either by the board or by the owner.

The next thing we need to do is get a grip on business assets. What, exactly, are the things of value we are trying to protect, and what are the threats against them? Is it a matter of protecting intellectual property? Customer data? Classified information? Reputation? Is it a question of physical security? Insider threats?

In short, what does your world look like, and where are the threats coming from?

It is no accident that the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity leads with "identify" and not with "prevent."

There is no "prevent" in cybersecurity, and the sooner we get comfortable with that, the sooner we'll get to the real work of identifying, protecting, detecting, responding and recovering (the five NIST framework functions) from cybersecurity events.

Once you have identified what warrants protection, the real work begins. Accounting for your organization's risk appetite and armed with your asset valuation and threat assessments, you are now ready to apply the right controls.

Remember: Controls "do" things. They are not some abstract notion - they do the do. There are four kinds of controls: preventive, detective, corrective and compensatory.

The way to control

Now, some might ask: what's with the "preventive" controls, when a few paragraphs back we claimed there is no "prevent" in cybersecurity?

You're right, but remember that controls "do things." A preventive control, therefore, acts like a barrier to an attack. It hasn't prevented the attack, but just like the barrier on the street that hopes to stop the runaway truck from hitting the building, it hopes to prevent an aspect of the attack.

Think of it as a locked door. …
