By Steven Minsky
You can ensure you're providing a holistic solution by working with the individual or team responsible for a customer's security operations. They can implement the security advice you give, preventing breaches and ensuring your status as a trusted advisor.
Cyber threats are constant and pervasive, but a large share of them are preventable with strong governance. Sixty-three percent of confirmed data breaches involved "weak, default or stolen passwords," according to Verizon's 2016 Data Breach Investigations Report.
Customers are turning less and less to new hardware or other technology solutions, such as firewalls or endpoint detection and response (EDR) systems, as the answer. Most breaches result from a governance problem, not a technology problem. That 63 percent subset can largely be eliminated with enterprise-wide governance of passwords, asset management and access rights.
Enterprise risk management (ERM), also referred to as eGRC or integrated risk management, provides a standardized approach to all governance activities. Since effective security involves more than identifying specific threats, improving passwords or controlling access rights (it's about all of these things together), an integrated approach is the best way to make sure they are executed in sync.
New Awareness, Same Results
In response to this weakness, many security teams turn to increased employee training. If a majority of breaches are caused by password issues – weaknesses that can easily be shored up – shouldn't a simple change in behavior, such as a conscious choice by employees to choose strong passwords, solve most of the issue?
In theory, yes, but in practice, no. Cybersecurity training is effective at increasing employee awareness of the types of threats that exist, how they're dangerous, and how to minimize the organization's exposure. The unfortunate reality is that although training increases awareness, it's ineffective at changing behavior. Behavior changes reliably only when policy is enforced by the systems employees use, so that strong passwords and correct access rights are required rather than left to individual choice. Training should therefore be only a component of your customers' security solutions.
As mentioned, the root cause of breaches is not poor technological defenses, it's insufficient governance. Accordingly, indiscriminate monitoring and control implementation without governance leads to one of two outcomes: either more red flags are raised without prioritization, resulting in a greater expenditure of time and resources for evaluating potential problems, or the root cause is not mitigated, leaving the organization vulnerable.
Use ERM to Operationalize Security
The fact that many weaknesses in security programs result from poor governance might sound bad at first, but
Fully Armed with ERM
Security solutions are only as strong as their governance
To offer customers a scalable security solution rather than a temporary fix, solution providers need to align with their customers' goals. Retaining customers – and expanding within existing accounts – means being the go-to source for identifying issues before they become problems.
Cyber Patrol | Channel Vision | May - June, 2017