As we enter October's Cyber Awareness Month, there will be no shortage of content promoting the latest cyber defenses, often wrapped in scare tactics. These calls to action typically recommend one more important task to do or one more interesting tool to buy.
When it comes to investing in cyber security (whether in time or dollars), it is essential to ask whether the new investment will ultimately be "baked in" to your existing processes or simply "bolted on." The distinction between these two approaches has a significant impact on your organization's cyber readiness and resilience.
"Bolted On" Cyber Security Investments: A Reactive Approach
Band-aids on bullet wounds: bolted on cyber security means adding security measures to existing systems and processes as an afterthought. This reactive approach often results in solutions that have a limited, or worse, a damaging, impact on the organization's broader security posture.
Examples of bolted on approaches include:
- Adding security features to a system after it has already been fully developed (too little, too late)
- Implementing security measures only in response to a breach or incident, and only to address the specifics of that event (locking the stable door after the horse has bolted)
- Treating cyber security as a separate, isolated function within the organization (an expensive silo)
"Baked In" Cyber Security Investments: A Proactive Strategy
In contrast, a baked in approach integrates cyber risk management into all technology activities from the outset. This proactive strategy weaves security into the fabric of an organization's culture, processes, and products. It takes time, discipline, and leadership, but a baked in approach promotes security at every stage of a system's lifecycle.
3 Steps to Evolve from "Bolted On" to "Baked In"
To transition from a bolted on to a baked in approach, organizations should aim to:
- Embed security considerations into all aspects of product development and technology implementation, including third-party applications. Ask questions like:
  - What confidential data is processed by the system?
  - How well is that data being protected?
  - Do we have independent assurance that our defenses are fit for purpose?
- Foster a culture of cyber security awareness and responsibility across the organization.
  - Is our organizational click rate on simulated phishing tests below five percent?
  - Are employees prevented from purchasing and/or installing unmanaged applications that could store confidential data?
  - Does everyone know what role they would play in a cyber security incident?
- Adopt a proactive, risk-based approach to cyber security, rather than reacting to incidents after they occur.
  - Have we had a risk assessment performed in the last two years?
  - Were all findings from that assessment remediated?
  - Are we accountable for reporting the current state of cyber risk to executives and/or the board on a regular basis?
  - If we get stuck, do we have partners who can help?
Next Steps to Implementing a “Baked In” Approach to Cyber Security
By embracing a baked in approach to cyber security, organizations can significantly enhance their cyber readiness and resilience, ensuring that they are better equipped to face an evolving threat landscape. This is the only way to ensure digital resilience authentically and sustainably.
Anything less is just playing whack-a-mole.
If you would like to discuss how you can effectively implement a baked in approach to cyber security, please contact us.