Cyber: A Healthcare Must Have
How to Build a Cost Effective and Profitable Cyber Capability
Suzanne E. Kecmer Digisol, Inc Digisolinc.com firstname.lastname@example.org
There are a lot of valid reasons not to invest in a cyber security capability — for example, it is completely foreign to core expertise, the return on investment does not seem to justify the expense, attracting high quality talent is difficult and retention is almost impossible, and no matter what you do the defenses you deploy on your network will ultimately not be viable in the long run as attackers become more sophisticated.
On the other hand, a step up in federal and industry regulations, increased consumer awareness, and dramatic losses of intellectual property threatening inherent company value is making it almost impossible for Executives and Board members to look the other way.
This essay proposes some perspective on how to stand up a cost effective and profitable (yes,profitable) cyber capability to best match your enterprise needs and yet, balances the very credible concerns outlined above.
Hiring a Chief Information Security Officer (CISO) Is Not Your Only Silver Bullet
If your organization can afford it, establishing an internal Center of Excellence organized around a professional information security practice is a positive first step. If funding is limited, adherence to the SANS 20 Critical Controls and NIST Cybersecurity Framework is a good start.
However, there are three commonly overlooked capability areas that are just as vital independent of your Company’s investment profile:
Expand the scope of consideration—broaden the traditional definition of cyber security to establish a more
Prepare for the threat after next by evaluating your security needs through the lens of a projected threat environment. Also, consider the evolving complexity of regulations that are migrating toward an environment where certification that your solution is virus and malware free is becoming a reality.
Consider the entire ecosystem in which your Company and its solutions exist. You must have visibility into how your internal and external systems are connected across the enterprise. In doing so, it is critical to take into consideration the impact of distributed attacks across firmware, software, and hardware when considering your organization from this perspective. From here, you will be able to determine the highest value assets that initially need to be protected— aka your “crown jewels”.
Evaluate critical make/buy decisions. When you have prioritized your security needs (beginning by initially protecting the “crown jewels”), consider all sourcing possibilities. Given the changing pace of technologies and threat environments, partnering and subcontracting key security needs makes good sense. And, may be a more flexible and economical approach.
Adopt best technology practices. Lean on subcontracted technology providers that ake security a priority. Look for trusted foundries and those that have made investments in organic and non-organic security capability, as these will result in likely longer lasting partnerships.
Develop gap capability. As a last resort,invest either organically or inorganically (i.e. acquire) in capability specific to your solution that is not available on the open market. Repeat, this should be a last resort option.proactive stance. Effective cyber security is more than just preparing networkdefenses. The mind of the attacker needs to be evaluated—i.e. how would a bad actor assess your network architecture? How would they go about attacking the organization—including vectors such as company employees and stored data—where’s the low hanging fruit? Consider personnel, information technology and physical security aspects within a holistic approach. And, taken a step further, in evaluating defenses in conjunction with the above questions, what are the lessons learned? How can one then predict future threats off this baseline to evaluate how the organization would respond?
Look beyond corporate IT networks—think about impacts to live operations.Cyber security needs to be a priority concern throughout all the critical functional areas of your organization. For example, engineering and research/development networks, human resource networks, and financial systems are all vulnerable entry points into a Company.
Outreach to the offensive community to evaluate your product or service solution. The biggest lost opportunity Company’s commonly make is to only consider defensive measures. There is an entire private offensive community available for outreach. Performing vulnerability assessments by a third-party vendor on your product or service solution can be an invaluable exercise for validation and confidence building.
Where to Invest: First Look Inside
There are five critical “must-know” knowns you need to determine about your organization before considering investment:
Market a Must Have: Feature Cyber Security as a Selling Discriminator to Increase Your Return on Investment
The key to turning the internal investment made in developing a cyber capability into a profitable engagement is to use it as a selling discriminator. Some pitch cyber economics in terms of a loss analysis, but in fact by showcasing it as a discriminator can be far more compelling. Consider spreading the investment cost over multiple use cases that is also communicated to the marketplace:
Communicate the cyber advantages of this embedded capability within your solution beyond techno-speak. Showcase the tactical and strategic value in a way that consumers can easily understand. Finding the appropriate metrics are key here.
Your supply chain is a major vulnerability. Instead of considering it an Achilles heel, use it as an opportunity to partner with your industry peers, jointly invest to harden your integrated solutions (thereby lowering your own costs) and use it as a joint selling feature.
Training your employees and staying current on security requirements and the threat environment is a constant expense. Instead, use training as a revenue opportunity by engaging your customers, partners and regulators in an opportunity to exercise and educate your advanced solutions. This may also lead to driving next generation security requirements and putting your organization ahead of the curve.
Adopt a services model for your solution to achieve higher operating margins.Even if you are a hardware provider—your medical device is no longer static...in some fashion, it is connected to the internet and has the potential to be updated for today‘s and tomorrow’s
Top 25 Worst Passwords of 2016
1. 123456 2. password 3. 12345 4. 12345678 5. football 6. qwerty 7. 1234567890 8. 1234567 9. princess 10.1234 11.login 12.welcome 13.solo 14. abc123 15. admin 16.121212 17.flower 18.passw0rd 19.dragon 20.sunshine 21.master 22.hottie 23.loveme 24.zaq1zaq1 25.password1