About a year and a half ago, as COVID-19 was still ramping up everywhere, we shared an article here on TechGenix about what it’s like being an IT consultant when businesses that are your clients are under tremendous stress and have urgent needs that need attending to, such as enabling their workers to rapidly transition to working from home. The story was an interview I conducted with Andrew S. Baker, the founder of BrainWave Consulting, a cybersecurity and IT operations consultancy for small and midsized businesses, who found several ways to help guide his clients as they transitioned their employees to remote work under the ongoing pressure of the pandemic. Andrew’s expertise and wide range of experience led me to ask him recently to share his thoughts with our readership on another subject, that of the value — and even necessity — of ensuring your company has local support for its cybersecurity and not just to outsource everything in this area. Let’s listen now and pay attention to the wise words that Andrew shares with us on this topic.
The basic premise of outsourcing is to hand off any functions — especially those not core to your business — to someone who can do it better or faster or at a lower price point than you can. This allows you to focus on (a) whatever is core to your business or (b) the area where you bring expertise to the market. As a general thing, this makes good business sense. It allows your business to focus on the areas where you can bring the most value while removing the difficult, tedious, or expensive functions to handle from your direct control.
I’m not against the concept of outsourcing in any sort of ideological way. (Disclaimer: I run a technology and cybersecurity consultancy that seeks to augment or offload strategic or tactical technology work to help businesses improve their effectiveness.) But I do have a concern that many organizations are convinced that their cybersecurity and compliance concerns are non-core aspects of their businesses, so they are willing to hand those responsibilities off to a third-party provider while still expecting to achieve great outcomes in doing so.
This is a mistake.
Today’s cybersecurity landscape
If you have been too busy with other matters to notice, cybersecurity threats — particularly ransomware and CEO fraud (you know, tricking someone in your accounting department into sending money to the bad guys) — have been escalating rapidly over the past couple of years. Weekly breach notifications are now the norm.
While it is true that there are some valuable principles that can be applied to every business operation to help them improve their security posture, to get beyond these basics, it is necessary to possess a deeper knowledge of the following:
- The policies, processes, and procedures of the business
- The long-term objectives of the business
- Company culture
- The competitive landscape for the industry in question
Possessing this information is essential to ensure that the organization's security posture remains at a consistently high level. Outsourcing your cybersecurity operations to an external provider that does not have, or is not trying to have, this level of understanding of your business will not result in good cybersecurity outcomes — even if cost savings are involved.
Now, I’m not suggesting that cost control is not an important consideration. Nor am I saying that simply throwing money at cybersecurity issues will ensure good security. Many of the most prominent breach victims in the past year have been large and well-established entities. Some of them are even prominent players in the cybersecurity industry! So, it’s not just about budget. It’s not just about team size. It’s not just about experience.
Taking a holistic approach to business cybersecurity
Like human health, cybersecurity should be evaluated and managed in a holistic fashion – not in a superficial or cursory way. To maintain good physical health, it is not only important to have access to the right information; it is also vital to have access to someone that knows and understands your medical history and the goals you have for your health. There are basic rules of health that everyone can apply in a general way, but to go beyond that, your family medical history, personal health objectives, age, and activity level all come into play.
Similarly, given an ever-changing cybersecurity landscape, with attacks that are growing in frequency, scope, and sophistication, it is essential to have someone in (or very near) your organization that understands what you are currently doing, what you plan to do, what risks and threats you face, and what mitigations are reasonable for your specific circumstances. After all, cybersecurity and compliance are about managing risk, not eliminating it outright. And it is much harder for a total outsider to help you understand and manage risk than it is for someone familiar with your people, processes, technology, and business objectives.
Having a dedicated or semi-dedicated expert who is nearby (in whatever way this term makes sense for your business) can be a competitive advantage and will help you to maintain a better security posture than that of businesses that do not have access to such a key resource.
You might be tempted to overlook cybersecurity as a core element of your business, but for most organizations — even relatively small ones — the responsibility to manage the following should absolutely be deemed mission-critical:
Keeping the data pertaining to my ________ safe (data security and data privacy), where ___ is any of the following:
This is not a responsibility that should be relegated to secondary status for someone in your organization or a generic role at one of your vendors. Don’t give it to your IT director, or your chief technology officer, or your chief risk officer, or your chief legal officer, or your chief operating officer as a “second hat.” This responsibility has both strategic and tactical elements, and it requires the full attention of someone. And this someone needs to understand your business and its risks and needs to be able to communicate them to you in a way that you can make real decisions — timely decisions.
Don’t make the mistake of having this role be just one of many that is handled by the organization that manages the various alerts coming from your firewall or the organization you have hired to manage your overall information technology stack. This approach will almost certainly not add value to you or your organization.
It’s going to be bumpy for a while
According to a report by the Cybersecurity and Infrastructure Security Agency (CISA), there has been a significant increase in reported ransomware incidents through July 2021 compared with the same period in 2020:
As of July 31, the FBI’s Internet Crime Complaint Center has received 2,084 ransomware complaints, totaling over $16.8 million in losses year to date. That’s a 62% increase in reported incidents and a 20% increase in reported losses, compared with the same time frame in 2020.
To stay ahead of these escalating threats, organizations should begin to obtain or cultivate a local cybersecurity resource that will ensure that they can maintain consistency and focus on issues that will be increasingly relevant to their businesses.
I can still remember the early days of software development outsourcing. Companies were enjoying low, low prices but started to suffer from a lack of continuity as key outsourced resources went to work for other providers due to demand being greater than supply. We will almost certainly see the same thing play out in the near term for cybersecurity resources, as breaches ramp up, and cybersecurity professionals enjoy movement for economic advantage or to secure better working environments. All this will work against the customer organizations — at least for the short term.
Since early 2020, there has been a global shortage within the supply chain for parts and equipment. We also see some labor issues in various industries as the global health crisis continues. Meanwhile, bad actors continue to take advantage of cybersecurity weaknesses and flaws. We should expect that this will soon have an impact on access to qualified cybersecurity resources as well. Now is the time to begin implementing strategies to minimize the adverse impacts on your business. And one way to overcome this particular concern is to have a local or tightly integrated resource focused on your specific data security, data privacy, and compliance needs/challenges.
Local cybersecurity support for your business: Don’t put it off
Don’t wait until turmoil in the market creates an adverse situation for your business. Don’t wait until you realize that your cybersecurity provider can’t afford to get too deep into your business objectives but is instead trying to maximize economy of scale for his business to serve more customers.
Now is the time to begin to look for your own cybersecurity resource, embedded as close to your organization as you can get them, and ensure that they can understand the WHATs, the WHEREs, the WHENs, the WHYs, and the HOWs of your business, to provide you with earlier, better cybersecurity and compliance guidance.
They will also prove to be very effective as liaisons with any external providers your business needs to work with, and they will help you make better and more timely decisions pertaining to cybersecurity (both strategic and operational) and regulatory compliance.
Remember: There is more than enough uncertainty that you and your business already have to manage in 2021 and beyond. Make sure that cybersecurity doesn’t remain on that list.