A Global Ransomware Attack and the Lessons for the Board for a Strong Cybersecurity Defense Strategy

By Jeff Schroeder • May 16, 2017

Last week’s global ransomware attack on unpatched computer systems, labeled a “cyber pandemic” by the Wall Street Journal, once again pointed out that basic cybersecurity defense is still being ignored. While not all breaches are preventable, most of the ones that make news headlines are. Below we’ll discuss what Board of Directors should be doing differently.

The current landscape of cyber defense is dominated by OEM’s pushing tools onto under-resourced security teams who don’t have a battle plan for success. It’s like going to Home Depot and buying all the tools and materials to build a house and architecting the build as you go. It’s expensive, inefficient and the ad-hoc nature of this approach is guaranteed to disappoint.

What is the Best Cybersecurity Defense Approach?

Cybersecurity defense should be approached like every other business problem where you develop a strategy that you can execute against and measure your success. Human Resources has a plan and supporting processes to manage and measure employee hiring, onboarding,  retention, and engagement. Finance has a plan and supporting processes to manage and measure revenue, profits, cash, orders and a host of business-relevant metrics. Cybersecurity should steal a page from these mature business supporting functions and develop the same. Pick a framework or control set (NIST 800-53, NIST Cybersecurity Framework, there are many to choose from, just pick one!) and identify, assess and manage your cybersecurity risk.

Why take this approach instead of following the marketing noise? For starters, organizations like the National Institute of Standards and Technology (NIST) have no profit interest in your implementation of their work. Their publications are the result of years-long collaboration between the government and private sector and are continuously being reviewed and updated. NIST accurately summarizes the benefits of the Cybersecurity Framework in saying:

“Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”

Surely any company utilizing this framework would have identified unpatched systems as critical service delivery and a priority in the operational execution of cybersecurity. As last weeks “cyber pandemic” proved, this isn’t the case.

Cybersecurity Added Benefits

An added benefit of managing your cybersecurity program against a defined framework or set of controls is the ability to explain to your Board or Executives your priorities and resource requirements. This demystifies cybersecurity and enables them to make informed business decisions rather than a decision to fund a specific tool. In-time decision making is transformed from tactical to strategic and allows the organization to take a proactive, rather than reactive, approach to cybersecurity.

Compliance requirements like SOC Type 1 and 2 reporting, DFARS, Sarbanes Oxley, HIPAA, and others can be integrated into your chosen framework to align and simplify management of cybersecurity compliance and operations. As practitioners well know, the scope of these compliance audits is often so narrow by design that it becomes an exercise to just ‘get through’ rather than a data point for holistic risk management.

If you are on a Board don’t accept a compliance audit, penetration test or vulnerability scan as evidence of cybersecurity effectiveness. Push for the implementation of a framework and give the accountable teams the resources to succeed.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO

CMMC CON 2022 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.