The Butterfly Effect for Holistic Cyber Security
According to chaos theory, the butterfly effect simply states that a small change in one state of a system can result in large differences in a later state. A butterfly’s wings might create tiny changes in the atmosphere that may ultimately delay, accelerate or even prevent the occurrence of a tornado in another location.
When there is a cyber incident in any part of the world, it impacts the rest of the world. In the face of an immediate threat, the natural reaction is to strengthen defenses with all haste. This is exactly the approach that businesses are taking, and understandably so as they are most concerned with avoiding loss.
Much of cybersecurity spending is framed within the scope of how much money the business would lose in the event of a potential cybersecurity attack. One of the most commonly used practices for selling cybersecurity solutions is to make the fear real for the decision-maker.
This fear-based approach helps sell solutions but leads to poor spending practices such as supplementing existing business systems with cybersecurity requirements, investing in focused, specialized solutions and spending budgets in a reactive, short-sighted manner.
This approach is equivalent to treating each cybersecurity requirement that crops up as one tree in a vast forest of similar requirements. Businesses are dealing with each tree on its own when they should consider the whole forest in order to navigate it properly.
Many of today’s businesses function on systems and processes that were created before rapid digitization and were designed without taking its implications into account. The most common approach to addressing a business’s cybersecurity needs is to supplement its existing systems and processes with cybersecurity solutions. Since the transplant of added security functions and requirements exceeds what many of these established processes were originally designed for, enterprises end up with unintended and less efficient results.
Businesses tend to review their cybersecurity needs on an ad-hoc basis. This kind of implementation is not uncommon. It makes sense, is straightforward and there are clear results. There’s no need to fix something that isn’t broken, right? While it is easy to fall into the practice of addressing requirements as they arise, there are drawbacks. It’s difficult to gauge the effectiveness of these solutions based on the money spent.
Without an overarching strategy, spending occurs as the need arises and does not take priorities into account. Additionally, there is a risk of deploying overly complex systems. An enterprise that builds a cybersecurity program in this manner will eventually have disparate solutions, and any deficiencies in the system become difficult to diagnose as well.
Enterprises need to deal with cybersecurity holistically, and not on an ad-hoc basis. Having a proper strategy in place means having the capability to deal with challenges as they crop up. The challenge in building an effective cybersecurity program is relatively new. Enterprises recognize the need for it but approach cybersecurity as a new business component to be added to existing business processes. This should not be the case. Cybersecurity changes the way business is done and affects all business processes. Cybersecurity is everything.
Businesses that hope to implement highly effective cybersecurity strategies need to take a step back and consider their organization as a whole and how cybersecurity affects every part of it. The foundation of a cybersecurity strategy is built from a thorough assessment to identify an enterprise’s assets, its critical business processes, and the threats to those assets and processes. A comprehensive accounting of these things enables an accurate risk assessment to determine the priority in which those risks need to be addressed.
Armed with the knowledge gained from a comprehensive assessment, enterprises can begin to craft a strategy for their organization that takes into account the whole and not just its disparate parts. A holistic approach provides the ability to visualize how the enterprise is implementing security from end to end.
A strategy formulated in this manner will capture potential risks and prioritize them by severity, impact to the organization, cost, opportunities for solution integration, and level of difficulty to implement. These decisions are complicated and involve serious consideration, but they could not even be considered without a full picture of an organization’s risk profile.
A holistic cybersecurity strategy contends that cybersecurity touches all facets of a business. Under this approach, business processes would generally need to be redesigned with cybersecurity considerations integrated at the foundational level. This means designing a cybersecurity strategy from the ground up, with the ability to integrate into new business processes and to scale, as opposed to deploying solutions that are grafted onto existing business processes.
An overarching, comprehensive cybersecurity strategy also allows for the design of platforms that consist of integrated solutions, instead of point solutions. This will provide an overview of cybersecurity requirements that will enable advanced, forward-thinking spending strategies.
With the adoption of a holistic method, enterprises become secure by design and not by necessity. Enterprises move from a fear-based approach to cybersecurity and instead begin an approach that is risk-based. Decisions are no longer tactical and short-sighted. They become strategic and insightful. Spending is no longer reactive. It becomes proactive and anticipatory.
With this way of thinking, enterprises can put the butterflies in formation!
VP, Chief Information Security Officer at Deltek
Great article, love the analogy and the recommendations. There is so much fatigue in security spending for “must have” technologies. Building a comprehensive, integral story leads to a much more secure organization and, more importantly, a stable and mutually supportive set of controls.
Project Support Manager
Stephen Huggard
Very insightful