Despite countless cybersecurity measures, the cybercrime economy is thriving and the list of losses from breaches keeps getting longer. The cybersecurity industry must be doing something wrong.
Customers’ security posture needs to improve: vendors must take it seriously
Jeff Kohrman, CEO of eCISO, a cybersecurity consultancy providing virtual CISO services and leadership mentoring for startups, shed light on the matter. He observed that the industry’s answer to these crimes is always the same: “better tools”.
He elaborated his view by saying, “Practitioners are swamped with alert fatigue and changing priorities, mixed signals and inconsistent support from the business. They don’t need more tools to be more productive – they need processes that work in the context of their business, and relationships that enable those processes to be successful, and then tools can be of help.”
Investment and partnership both matter here. Vendors must invest in their customers and partner with them to make security approachable and accessible, so that customers end up with a security programme they can actually manage and keep secure themselves.
In addition, he said, “Learning to communicate risk without invoking fear, uncertainty and doubt is a technique that I’ve seen some vendors wield with enormous success. It’s amazing how impactful you can be when you’re open, honest, and realistic with people about your needs and what we are able to achieve today.”
This approach requires a willingness to inform and educate one’s target market. Vendors that build and sustain a community of companies that handle risk well earn those companies’ trust, and the customers come back to them for their business.
One-sided efforts fall short
To protect themselves, organisations must stop using vendors as a crutch and demand a genuine partnership from them. Kohrman pushed back on the assumption enterprises commonly make when they step up their security: that choosing the easier, supposedly risk-proof route will help. He said it is not how companies deal with serious security problems.
While explaining the facts, he stated, “It’s the difference between doing the right things and doing things right. If, for example, you want to pass a SOC 2 audit, you can certainly do the right things by purchasing services or products to meet a big portion of your compliance requirements. But just because you are SOC 2 compliant does not guarantee that your business is secure.”
“If, on the other hand, you want your SOC 2 compliance to mean something, you’ll need to do things right by investing time into security to create more mature business processes around those requirements before your new products can be effective.”
Preparing for future challenges
He also offered predictions about future breaches. Attackers will keep targeting small companies, especially early-stage ones that lack the resources to manage their security posture. Those breaches will in turn drive legislation and data-protection regulation that mandate strict cybersecurity practices and impose penalties for non-compliance, although this will not stop innovation or the next generation of entrepreneurs.
He mentioned that “As a security community, we can help by approaching security pragmatically in our organisations to teach people how to put security to use for themselves.”
Kohrman’s closing remarks
His motivation is to make security accessible to organisations and to help people build more effective security measures. That is why he left a multi-billion-dollar DevOps company for eCISO: he wanted to concentrate on doing security well and making it accessible to companies.
He noted, “I recently spoke with someone who had been laid off earlier this year and decided to pivot into security. They had taken training and even taught weekend classes on what they’ve learned, but no one would hire them for even an entry-level position. Their resume listed only a few months of security experience, but they had nearly 12 years of experience in sales, engineering, and public relations. Talking through what they did beyond security, they easily fit the requirements for a more senior role.”
“We need more creative thinkers, more smart people to solve these hard problems, and your experience in business intelligence, or sales, or even janitorial services can help you see these problems from a different perspective. Don’t sell yourself or your experience short. Security is not just a technical field anymore – it’s a business enabler, and we need all sorts to run a successful company.”