Security Posture: When and How to Reevaluate
Security posture isn’t a concern for organizations unless they’re trying to make compliance audits. After all, the perception has been that security is just a cost center and a hindrance to more productivity.
In this post, we’ll go over the following:
- Security posture: does it matter?
- When should an organization reevaluate their security posture?
- What should an organization keep in mind when reevaluating security posture?
Security Posture: Does It Matter?
Security is rapidly becoming the central focus for companies. Whether the company is catering to a remote-first workforce, part of the ongoing shift to cloud adoption, or just trying to avoid the rapid increase in regulatory fines and ransomware, companies can no longer afford to treat security as an afterthought. As the value of sensitive data and important infrastructure increases, companies not adapted for the modern threat landscape risk embarrassing their brand, losing contracts, and paying ever-increasing ransomware fees.
But decisionmakers care about cost and liability, so let’s make this more concrete with details from IBM’s Cost of a Data Breach report:
Cost
According to IBM, the global average cost of a data breach is $4.45 million USD in 2023. Don’t make the mistake of thinking this only affects large companies either; small and medium-sized companies saw cyber attacks and breach costs increase disproportionately in 2023 as hackers realized they’re easier pickings.
And yes, it impacts consumer activity. “A majority (59%) of consumers say they’ll avoid companies hit by a cyberattack in the past year.” Not only losing current customers, but future potential customers as well.
Liability
The government is starting to crackdown on companies with security incidents, holding C-levels responsible for poor risk management. This is on top of the usual lawsuits and payouts to affected parties if customer data was lost.
Other impacts
When more than 80% of firms have been successfully hacked, the above costs seem to be an eventual reality. But let’s say you haven’t been hacked yet (and don’t expect to be) so is the idea that none of these costs impact you?
Insurance companies are starting to charge higher premiums for having poor security hygiene and posture. Relying on insurance companies to pay for ransomware and cyber attacks has resulted in higher standards during security posture assessments, with some insurance policies requiring improved security posture before granting the policy.
Security posture is an ongoing problem
IBM estimates it takes an average of 277 days to identify and contain a data breach, which means over half of them take more than 9 months. Many companies won’t know they’ve been breached for almost a year! Even worse, only 1/3rd of breaches are identified by the company’s own teams and tools — that means 2/3rd of breaches are only discovered when the hackers or a 3rd party sends a notification.
And that is how a company lands on the news — poorly.
When Should An Organization Reevaluate Their Security Posture?
Every moment possible.
That sounds idealistic, but it’s true. Continuous reevaluation is integral for maintaining good security hygiene. As such, the ideal is often impossible and so compromise is equally inevitable.
A more pragmatic approach is to understand when an organization is best able to act upon the results of that reevaluation. After all, if a CTO or CISO reevaluates the organization’s security posture and comes up with good recommendations for action but the organization is not in a position to act, then time and resources have been wasted and nothing changes.
The best time to reevaluate the security posture is right before the organization itself undergoes significant change of some kind. Doing so maximizes your chances of adding your actionable recommendations to the transformation. Some examples include, but are not limited to:
- Shift to cloud or multi-cloud adoption
- Shift to enabling and embracing remote work
- A shift in leadership overseeing security
- Mergers and acquisitions
- Major changes to the internal infrastructure
- Changes in order to meet new or different auditing and compliance requirements
As a general rule of thumb, any changes that have a drastic increase in the organization’s exposure or introduces premeditated downtime should be leveraged by the organization. Treat these as opportunities to reevaluate the current and future security postures and make changes accordingly to minimize future disruptions to workflow.
What Should An Organization Keep In Mind When Reevaluating Security Posture?
Technical and behavioral shifts are critical to keep in mind. Technical in that your organization should be evaluated on whether the current digital infrastructure is well-positioned to stay secure against the ongoing threat landscape. Behavior shifts are equally important, such as how internal and external users are interacting with the security workflow in ways that create unnecessary security gaps.
For reevaluating your organization’s technical security posture, NIST’s five functions are probably the best guide to keep in mind:
We highly suggest reading NIST’s cybersecurity framework for more information on the practical purpose and intent of each of those functions and how it applies to your organization.
While that covers the technical portion of keeping an organization safe, it doesn’t consider the impact these five functions have on how the organization itself interacts within the functions of that framework. The technical underpinnings securing digital infrastructure and framework need to be designed with its primary interactors in mind: humans. This “return to the fundamentals” is a shift in mindset that security should be inclusive for both the principles behind the technology and the people.
The Human Element
It is important to remember that exploitable human behavior is often the weakest link in your organization’s overall security posture, and this is because security is often grafted into an organization’s workflow. A classic example is when internal users dislike a certain security workflow and come up with ways to circumvent it, causing the company’s security posture to be meaningless. If security is built from the ground-up to enable seamless workflow, your employees and users have less of an incentive to circumvent the security measures that keep your organization’s infrastructure safe.
Security should no longer be an afterthought. This should ring particularly true against the modern threat landscape, but how we implement security also needs to change. Larger companies have enough to deal with when securing their legacy applications in a modern world that no longer has a defined perimeter. Our implementation of security needs to be inclusive and complimentary to old approaches as “rip and replace” is not an easy option even for the most nimble organizations.
Ensure your security serves the users and stakeholders. Don’t foster an environment where users are encouraged to find “efficient workarounds” that defeat the purpose of setting up a secure environment in the first place. Security professionals should never lose sight of the basic human elements they are designing security for: resistance to change and a desire for efficiency at the cost of risk. Whether you’re implementing new workflows or installing a new tool, it should keep the users in mind.
Security Reimagined
It’s never too late to reevaluate the organization’s security posture and integrate security with all of the organization’s activities, and the value of having security built into the process is going to reward the organization in the long run.
“More than six out of seven organizations (85.3%) experienced a successful cyberattack within the last 12 months.” When your organization’s security posture is inadvertently put to the test, do you have confidence in it? Is it time to reevaluate your security posture?
