A Global Ransomware Attack and the Lessons for the Board for a Strong Cybersecurity Defense Strategy

By Jeff Schroeder • May 16, 2017

Last week’s global ransomware attack on unpatched computer systems, labeled a “cyber pandemic” by the Wall Street Journal, once again pointed out that basic cybersecurity defense is still being ignored. While not all breaches are preventable, most of the ones that make news headlines are. Below we’ll discuss what Board of Directors should be doing differently.

The current landscape of cyber defense is dominated by OEM’s pushing tools onto under-resourced security teams who don’t have a battle plan for success. It’s like going to Home Depot and buying all the tools and materials to build a house and architecting the build as you go. It’s expensive, inefficient and the ad-hoc nature of this approach is guaranteed to disappoint.

What is the Best Cybersecurity Defense Approach?

Cybersecurity defense should be approached like every other business problem where you develop a strategy that you can execute against and measure your success. Human Resources has a plan and supporting processes to manage and measure employee hiring, onboarding,  retention, and engagement. Finance has a plan and supporting processes to manage and measure revenue, profits, cash, orders and a host of business-relevant metrics. Cybersecurity should steal a page from these mature business supporting functions and develop the same. Pick a framework or control set (NIST 800-53, NIST Cybersecurity Framework, there are many to choose from, just pick one!) and identify, assess and manage your cybersecurity risk.

Why take this approach instead of following the marketing noise? For starters, organizations like the National Institute of Standards and Technology (NIST) have no profit interest in your implementation of their work. Their publications are the result of years-long collaboration between the government and private sector and are continuously being reviewed and updated. NIST accurately summarizes the benefits of the Cybersecurity Framework in saying:

“Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”

Surely any company utilizing this framework would have identified unpatched systems as critical service delivery and a priority in the operational execution of cybersecurity. As last weeks “cyber pandemic” proved, this isn’t the case.

Cybersecurity Added Benefits

An added benefit of managing your cybersecurity program against a defined framework or set of controls is the ability to explain to your Board or Executives your priorities and resource requirements. This demystifies cybersecurity and enables them to make informed business decisions rather than a decision to fund a specific tool. In-time decision making is transformed from tactical to strategic and allows the organization to take a proactive, rather than reactive, approach to cybersecurity.

Compliance requirements like SOC Type 1 and 2 reporting, DFARS, Sarbanes Oxley, HIPAA, and others can be integrated into your chosen framework to align and simplify management of cybersecurity compliance and operations. As practitioners well know, the scope of these compliance audits is often so narrow by design that it becomes an exercise to just ‘get through’ rather than a data point for holistic risk management.

If you are on a Board don’t accept a compliance audit, penetration test or vulnerability scan as evidence of cybersecurity effectiveness. Push for the implementation of a framework and give the accountable teams the resources to succeed.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMCEnclave: Add Versatility with a More Flexible Approach

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft

CMMC Con 2021 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.