How much cyber protection is enough?
Leaders face hard resource allocation decisions with growth, investment, and sustainment priorities—all urgent needs for long term mission and business viability.
How much do we really need to spend on cyber security products, services, solutions, and staffing?
Here are a few ideas to consider, regardless of your business size, that will help you frame your decision making on cyber resources in a risk-balanced manner. Some organizations will do the bare minimum to comply with industry or regulatory mandates. Others will want to cover all aspects of cybersecurity to build and maintain a global reputation as a secure, trusted institution.
Regardless of size, capacity, or internal cyber expertise, all organizations must start with the basic facts, conduct assessments to fill information gaps, and execute continuous monitoring to identify future threats, exposures, and vulnerabilities.
Identify your facts.
How many computers do you have? Make sure you include laptops, desktops, tablets, and cloud-hosted systems. What critical cloud services do you rely on to conduct your mission or business? How many mobile devices can access your company networks and sensitive information? What types of data do you use in your organization? Some of us have sensitive Personally Identifiable Information (PII) for employees or clients, sensitive financial data, Controlled Unclassified Information (CUI), Electronic Health Information (EHI), highly valuable intellectual property, or even classified government data. Categorize and label the data, then apply appropriate access control and encryption for each type.
Trust but verify
Check your facts; trust but verify with technical scanning. Does your inventory match what discovery scanning finds? Did you inventory software, and does that match your invoices? Did you include cloud services in your inventory?
Another part of trust but verify is to validate your internal and external security posture. Conduct an internal credentialed vulnerability scan to confirm that your computers and cloud-hosted systems are properly configured for automatic patch updates and that applications are updated too. External penetration testing is critically important to find out if you have obvious gaps that require urgent action, such as exposed remote admin or root access. What you don’t know CAN disrupt operations and result in data breaches. It’s much more cost effective to find and fix issues before adversaries exploit them; data breach costs easily run into the millions now.
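The "trust but verify" step above is, in practice, a reconciliation between the books and what scanning actually discovers. The following is an added example, not code from the article or from LP3: it compares a constructed asset inventory (hostnames, expected software versions from invoices) against constructed discovery results (what a credentialed scan reported as installed, and whether automatic updates are on) and reports three things a leader would want to see: hosts on the network that nobody recorded, recorded hosts that were not found, and version or patch-configuration drift. All record fields and sample values are assumptions.

```python
"""Reconcile an asset inventory against technical discovery results.

Added example, not from the LP3 article. INVENTORY and DISCOVERED are
constructed sample records; the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class InventoryRecord:
    hostname: str
    owner: str
    software: dict  # package name -> version you are invoiced/licensed for


@dataclass
class DiscoveredHost:
    hostname: str
    ip: str
    software: dict  # package name -> version the credentialed scan found installed
    auto_update: bool  # did the scan confirm automatic patching is enabled?


# Constructed inventory ("the facts" as recorded by the business).
INVENTORY = [
    InventoryRecord("ws-01", "finance", {"office": "16.0", "acrobat": "23.1"}),
    InventoryRecord("ws-02", "sales", {"office": "16.0"}),
    InventoryRecord("srv-db-01", "it", {"postgres": "15.4"}),
]

# Constructed discovery results ("the verification" from scanning).
DISCOVERED = [
    DiscoveredHost("ws-01", "10.0.0.11", {"office": "16.0", "acrobat": "22.3"}, True),
    DiscoveredHost("srv-db-01", "10.0.0.20", {"postgres": "15.4"}, False),
    DiscoveredHost("ws-03", "10.0.0.13", {"office": "16.0"}, True),  # nobody recorded this one
]


def reconcile(inventory, discovered):
    """Return unknown hosts, missing hosts, and per-host drift findings."""
    inv = {r.hostname.lower(): r for r in inventory}
    disc = {h.hostname.lower(): h for h in discovered}

    unknown = sorted(set(disc) - set(inv))  # on the network, not in the books
    missing = sorted(set(inv) - set(disc))  # in the books, not found by scanning

    drift = []  # (host, item, expected, observed)
    for name in sorted(set(inv) & set(disc)):
        expected = inv[name].software
        installed = disc[name].software
        for pkg, ver in sorted(installed.items()):
            if pkg not in expected:
                drift.append((name, pkg, "not on invoice", ver))
            elif expected[pkg] != ver:
                drift.append((name, pkg, expected[pkg], ver))
        if not disc[name].auto_update:
            drift.append((name, "auto-update", "enabled", "disabled"))
    return {"unknown": unknown, "missing": missing, "drift": drift}


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    print("Unknown hosts (investigate):", result["unknown"])
    print("Missing hosts (retired or hiding?):", result["missing"])
    for host, item, expected, observed in result["drift"]:
        print(f"Drift on {host}: {item} expected {expected}, found {observed}")
```

Each of the three buckets maps to a different decision: an unknown host is an asset you are not protecting, a missing host is either retired (update the inventory) or unreachable by the scanner (a visibility gap), and drift is where the patching and licensing spend is not producing the state you are paying for.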
Run a Threat Model
What do you really need to worry about? Threat modeling is a low-cost methodology to identify risks and help prioritize them, enabling you to allocate limited resources to the most critical technical, process, and people issues most likely to disrupt operations or compromise data.
Three potential Threat Models to consider:
For small businesses such as consulting firms or startups, you can complete a tabletop threat modeling exercise in a few hours. For larger firms, a few days may be needed to pull in the appropriate stakeholders and get sufficient input for all organizational activities. The threat model output is critically important to help leaders make effective and informed resource decisions, focusing on the most critical tasks and issues first. Otherwise, you’re just guessing and throwing money at vendors and ideas without knowing what your real issues are.
The three Threat Models that LP3 likes to use are STRIDE (Microsoft), Security Cards (University of Washington), and Persona Non Grata (DePaul University). A hybrid approach may be best in your organization if you have a global environment, unique data types, sensitive missions, or highly valuable assets. The output of the Threat Model helps leaders make risk-balanced decisions about which types of attacks are most likely to disrupt operations and what the impacts of those disruptions will be. Minor impacts warrant fewer resources than major impacts. Pay no attention to revenue percentages. They will vary from 3% to 20% or more depending on the type of work your organization performs. You need to decide internally what level of cyber protection is appropriate to your operation and acceptable business risk. In some cases, process or configuration changes can improve security posture more effectively than an expensive widget from a vendor. Conversely, there are best-of-breed tools available for account hijacking prevention, endpoint security, and data loss prevention. Knowing your environment and running threat models helps you make more informed decisions about what protections are most critical for your operation.
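To show what the "prioritize, then allocate" step of a STRIDE tabletop looks like once the stakeholders have spoken, here is an added example that is not code from the article or from LP3. It enumerates the STRIDE threat categories that Microsoft's method applies to each kind of data-flow-diagram element (external entity, process, data store, data flow), attaches the likelihood and impact ratings the room agreed on, and ranks the result so that major-impact, likely threats come first and minor ones fall to the bottom. The element list, the ratings, and the tier thresholds are constructed assumptions for a small consultancy; the STRIDE-per-element table follows the standard Microsoft mapping, with Repudiation added to data stores only when they hold logs.

```python
"""Rank STRIDE threats from a tabletop threat model by likelihood x impact.

Added example, not from the LP3 article. ELEMENTS, RATINGS and the tier
thresholds are constructed for illustration; in a real exercise the ratings
come from the stakeholders in the room.
"""

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE categories Microsoft's method applies to each DFD element type.
# Data stores additionally get Repudiation when they hold logs (see below).
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TID",
    "flow": "TID",
}

# Constructed sample model of a small consultancy.
ELEMENTS = [
    {"name": "Client PII database", "type": "store", "holds_logs": False},
    {"name": "Audit log store", "type": "store", "holds_logs": True},
    {"name": "Web portal", "type": "process"},
    {"name": "Remote admin (SSH)", "type": "flow"},
    {"name": "Contractor laptop", "type": "external"},
]

# Constructed stakeholder ratings: (likelihood, impact), each 1 (low) to 3 (high),
# keyed by (element name, STRIDE letter). Unrated threats default to (1, 1) so the
# ranked list stays complete rather than silently dropping them.
RATINGS = {
    ("Client PII database", "I"): (2, 3),
    ("Client PII database", "T"): (1, 3),
    ("Web portal", "E"): (2, 3),
    ("Web portal", "S"): (3, 2),
    ("Remote admin (SSH)", "I"): (2, 2),
    ("Contractor laptop", "S"): (3, 2),
    ("Audit log store", "T"): (1, 2),
}


def enumerate_threats(elements):
    """List every (element, STRIDE letter) pair the method says to consider."""
    threats = []
    for e in elements:
        cats = APPLICABLE[e["type"]]
        if e["type"] == "store" and e.get("holds_logs"):
            cats += "R"  # log stores can be the target of repudiation attacks
        for c in cats:
            threats.append((e["name"], c))
    return threats


def tier(score):
    """Map a 1..9 score to a resourcing tier (thresholds are an assumption)."""
    if score >= 6:
        return "act first"
    if score >= 3:
        return "plan and budget"
    return "monitor / accept"


def rank_threats(elements, ratings):
    """Score each threat as likelihood x impact and sort highest first."""
    ranked = []
    for name, c in enumerate_threats(elements):
        likelihood, impact = ratings.get((name, c), (1, 1))
        score = likelihood * impact
        ranked.append({
            "element": name,
            "threat": STRIDE[c],
            "likelihood": likelihood,
            "impact": impact,
            "score": score,
            "tier": tier(score),
        })
    # Higher score first; on ties, higher impact first; then stable names.
    ranked.sort(key=lambda t: (-t["score"], -t["impact"], t["element"], t["threat"]))
    return ranked


if __name__ == "__main__":
    for t in rank_threats(ELEMENTS, RATINGS):
        print(f"{t['score']}  {t['tier']:16} {t['element']:22} {t['threat']}")
```

The ranked output is the artifact leaders use in the resource discussion: the "act first" tier is where a configuration change or a specific tool should be justified, the middle tier goes into the plan, and the bottom tier is explicitly accepted rather than forgotten. Re-running the script with updated ratings after a control is deployed shows whether the spend actually moved the threat down the list.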
In summary, find out your FACTS. Then, VERIFY the facts. Third, use a THREAT MODEL to prioritize what to focus limited resources on first. Reach out to LP3 for advice, threat model coaching, and technical help as needed. We will be glad to help you improve your small business or global enterprise security posture.
Scott
Scott A. Lawler, CISSP-ISSAP, ISSMP
CEO
Contact LP3:
Butch Zachrel
VP, Cyber & Intelligence Analytics
703-342-8659 butch.zachrel@lp3.com