The typical company significantly underinvests in cybersecurity, a situation that is likely to be exacerbated as companies look to cut expenses during the current pandemic. Even worse, the investments that are made are often made in the wrong place, so the cybersecurity budget that is allocated is not used to best effect. Why do companies fall into this trap?
Mostly, I believe, it is because companies are making decisions based on incomplete or out-of-date information, if they are using data at all to make their decisions. Many simply follow an external playbook such as the SANS Top 20 (now maintained as the CIS Controls) regardless of the particular needs of their organization. Others focus disproportionately on compliance, which does not always improve security. Unfortunately, this results in organizations failing to prioritize their investments based on need and, more importantly, failing to justify adequate spend levels with relevant data. These failures can lead to an economic disaster when, not if, a data breach happens. More than half of all small businesses faced a cybersecurity breach in the last year, putting many out of business. One study suggests that over 60% of companies that suffer a cyberattack go out of business within 6 months.
Of course, part of the problem is that it is not easy to track and manage information about a company's overall security posture in real time. Businesses face hundreds, if not thousands, of risks across many artifacts (people, buildings, vendors, assets, processes and so on), and these combine into an unmanageable number of risk scenarios. This is compounded further when you score each risk across multiple dimensions, for example the likelihood of something happening and the impact it will have when it does. A tool that lets you understand your organization's data, and put it to use, will show you clearly where you are in your cybersecurity journey. And by demonstrating that understanding of your company's data and of the cybersecurity landscape around you, you will be able to position yourself in your industry as a trusted provider.
Companies need to learn to track their data and to use it to keep their organization safe.
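A concrete version of the two-dimension scoring just described, written as an added example for this post rather than Ostendio's own scoring method: each risk is scored as likelihood times impact, rolled up per artifact and for the organization with the underlying entries kept for drill-down, and any assessment older than a reassessment window is flagged as stale so that a number resting on months-old data is not mistaken for a current one. The 1-5 scales, the 90-day window and the sample register are assumptions made for the illustration.

```python
"""Added illustration, not Ostendio code: score a risk register across two
dimensions (likelihood and impact), roll it up per artifact and for the
organisation, and flag assessments too old to base a decision on.
Assumptions: 1-5 scales, a 90-day reassessment window and the constructed
sample register below."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumption: every risk is reassessed at least quarterly


@dataclass(frozen=True)
class Risk:
    artifact: str        # the thing at risk: a vendor, system, site, process, team
    scenario: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    last_assessed: date

    def score(self) -> int:
        """Likelihood x impact on a 1..25 scale; rejects out-of-range input."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.artifact}: likelihood/impact must be 1-5")
        return self.likelihood * self.impact

    def is_stale(self, today: date) -> bool:
        return today - self.last_assessed > STALE_AFTER


def score_register(register, today):
    """Roll the register up the way a dashboard would: one number per artifact,
    one for the organisation, and the entries behind each number for drill-down."""
    by_artifact = defaultdict(lambda: {"score": 0, "stale": False, "risks": []})
    for r in register:
        entry = by_artifact[r.artifact]
        entry["score"] = max(entry["score"], r.score())   # worst risk drives the artifact
        entry["stale"] = entry["stale"] or r.is_stale(today)
        entry["risks"].append((r.scenario, r.score()))
    ranked = sorted(register, key=lambda r: (-r.score(), r.artifact, r.scenario))
    stale = [r for r in ranked if r.is_stale(today)]
    return {
        # worst artifact drives the headline, so one critical risk cannot hide behind many low ones
        "organization": max(e["score"] for e in by_artifact.values()) if by_artifact else 0,
        "by_artifact": dict(by_artifact),
        # what to fund first: highest-scoring risks whose data is current
        "fund_first": [(r.artifact, r.scenario, r.score()) for r in ranked if not r.is_stale(today)],
        # what to reassess before spending on it: stale entries, worst first
        "reassess_first": [(r.artifact, r.scenario, r.score()) for r in stale],
        "stale_fraction": len(stale) / len(register) if register else 0.0,
    }


# Constructed sample register; the assessment dates make two entries stale on TODAY.
TODAY = date(2020, 6, 1)
SAMPLE_REGISTER = [
    Risk("Payroll vendor", "vendor breach exposes employee PII", 3, 4, date(2020, 2, 10)),
    Risk("Customer database", "SQL injection in customer portal", 2, 5, date(2020, 5, 1)),
    Risk("Office laptops", "lost laptop with unencrypted disk", 4, 3, date(2020, 4, 20)),
    Risk("Office laptops", "phishing leads to credential theft", 4, 4, date(2020, 1, 15)),
    Risk("Head office", "tailgating into the server room", 2, 2, date(2020, 5, 10)),
]

if __name__ == "__main__":
    report = score_register(SAMPLE_REGISTER, TODAY)
    print("organisation score:", report["organization"])
    for name, entry in report["by_artifact"].items():
        flag = " (STALE - reassess before acting)" if entry["stale"] else ""
        print(f"  {name}: {entry['score']}{flag}")
    print("fund first:", report["fund_first"][:2])
    print("reassess first:", report["reassess_first"])
```

The headline number is the worst artifact rather than an average, so a single critical risk cannot be diluted by many minor ones; the staleness flag is the part that matters for the "real-time" argument, because a score computed from a quarter-old spreadsheet looks exactly like a current one unless the tool tracks when each entry was last assessed.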
What should you be looking for in a data security and risk management tool?
Many companies don't know where to start and search the internet at random, but there are a few key things to consider. You need a tool that shows your organization's data in real time, comprehensively, and that is easy to maintain. The Ostendio MyVCM collaborative, integrated risk management platform offers real-time data views across your organization, with easy-to-read dashboards that show either an individual security score or an organizational security score. The graphic format gives information at a glance, plus the ability to dive deeper and see the exact data used to arrive at that score. When your employees have real-time data at their fingertips they can act faster and use that data to benefit your security program.
Why do you need up-to-date data and why is it important?
There are 3 main reasons:
1. To make decisions
The only sound way to make good decisions for your business is to make informed decisions based on valid data. Organizations should look for a tool that gathers data about the business and makes it available in real time. If the information is up to date, decisions can be timely. If you take 3 months to gather data manually in spreadsheets, it is out of date by the time you come to use it. If you have timely information that helps quantify risk, you can focus investment decisions on the areas that give you the best return.
2. To build confidence
For data to be useful it needs to be shared with the right people at the right level. Not everyone in your organization needs to know the exact sales numbers, for example, but everyone needs to understand how to prevent a data breach. Look for a tool that gives employees access according to their role, and that generates reports about your data at the level of detail each audience requires. By presenting your data at the appropriate level to executives, the management team, the board of directors and employees, you give them the information they need to make decisions with confidence.
3. To pass audits
The need to comply with standards, regulations and laws has become more important than ever, and many companies now treat multiple standards as part of their basic cybersecurity program. The most common standards we see in use are SOC 2 and HITRUST, and in certain industries, healthcare for example, HIPAA is essential. Businesses are also waking up to state and regional regulations such as CCPA, GDPR and the New York SHIELD Act. Selecting the right tool makes audit requirements easier to handle. Being able to show up-to-date data will also help with vendor assessments and with other interested third parties who want an aggregated report on the data your organization holds and how it is stored safely.
The bottom line is that access to real-time data is at the core of the future of data security and risk management.
Ostendio has over 7 years of experience helping organizations with their security and risk management programs. The Ostendio MyVCM platform helps organizations build, operate and showcase their compliance programs. The experts in our Professional Services team can provide additional assistance to companies who require help establishing a program or switching to a new framework. Ostendio also has an excellent Customer Success team who work individually with each customer to ensure they are properly trained in using the Ostendio MyVCM platform and making the most of their investment. If you want to learn more about how to use data to benefit your organization speak to an expert at Ostendio.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio's password policy as an example. Just contact us.
Save Time and Money
At Ostendio we are happy to have transparent pricing available on our website. The pricing tool shows the three available plans, along with a cost-savings calculator so you can see how much you can save. Check it out!