By Steven Minsky

You can ensure you’re providing a holistic solution by working with the individual or team responsible for a customer’s security operations. They can implement the security advice you give, preventing breaches and ensuring your status as a trusted advisor.

Cyber threats are constant and pervasive, but they’re preventable with strong governance. Sixty-three percent of data breaches are caused by “weak, default or stolen passwords,” according to Verizon’s 2016 Data Breach Investigations Report. Customers are turning less and less to new hardware or other technology solutions, such as firewalls or endpoint detection and response (EDR) systems. Most breaches result from a governance problem, not a technology problem. That 63 percent subset can be eliminated with enterprise-wide governance of passwords, asset management and access rights.

Enterprise risk management, also referred to as eGRC or integrated risk management, provides a standardized approach to all governance activities. Since effective security involves more than identifying specific threats, improving passwords or controlling access rights (it’s about all of these things together), an integrated approach is the best way to make sure they are executed in sync.

New Awareness, Same Results

In response to this vulnerability, many security teams turn to increased employee training. If a majority of breaches are caused by password issues – vulnerabilities that can easily be shored up – shouldn’t a simple change in behavior, such as a conscious choice by employees to choose strong passwords, solve most of the issue?

In theory, yes, but in practice, no. Cybersecurity training is effective at increasing employee awareness of the types of threats that exist, how they’re dangerous, and how to minimize the organization’s exposure. The unfortunate reality is that although training increases awareness, it’s ineffective at changing behavior. It should therefore be only a component of your customers’ security solutions.

As mentioned, the root cause of breaches is not poor technological defenses, it’s insufficient governance. Accordingly, indiscriminate monitoring and control implementation without governance can mean either of the following: More red flags are raised without prioritization, resulting in a greater expenditure of time and resources for evaluating potential problems, or the root cause is not mitigated, leaving the organization vulnerable.

Use ERM to Operationalize Security

The fact that many weaknesses in security programs result from poor governance might sound bad at first, but

Fully Armed with ERM

Security solutions are only as strong as their governance

To offer customers a scalable security solution rather than a temporary fix, solution providers need to align with their customers’ goals. Retaining customers – and expanding within existing accounts – means being the go-to source for identifying issues before they become problems.

Cyber Patrol

Channel Vision | May - June, 2017 | 72