One of the greatest misconceptions about cybersecurity is that you can buy your way into it. It’s a misconception promoted by security software companies that make their money with a false promise: “Buy our stuff and you’ll be safe.”
It’s a huge lie. Sure, security software can play an important role in protecting your organization from cyberthreats. And, sure, some security software companies sell some pretty good products.
But you can’t make your organization safe from cyberthreats by simply buying some stuff. In fact, lots of organizations put themselves in even greater peril by buying stuff—and then getting lulled into a sense of complacency because they imagine that their purchase was sufficient to mitigate their business risk.
No, security is not something you can buy. Security is something you do. Actually, security is a lot of things that a lot of people have to do. And if everyone isn’t actively doing all those security things, you’re in trouble. Just ask any CEO whose company has been hacked—despite the fact that they bought all the stuff.
What software can and can’t provide
We all need security software. Security software watches our environments for anomalous events and behaviors. It gatekeeps access to critical resources unless the person trying to access those resources enters the right password and has the right second factor for authentication. Software filters the traffic passing through our firewalls. And it encrypts the high-value data that we want to protect from unauthorized eyes—and that the law may even require us to protect in specific ways.
It is, however, important to bear two key principles in mind when it comes to security software:
Security software can only be as effective as the security team deploying it. Your authentication systems, for example, won’t require a second identifying factor if no one on your security team makes that second factor a requirement. And all those software-based traffic filters and anomaly detectors need to be tuned by a human being as well.
- AI and machine learning can help. But ultimately it takes a security professional to make a piece of security software work the way it needs to work for your particular organization and your particular threat surface. And it definitely takes a security pro to pick the right software at the right price—and properly install it.
Security software can’t do everything that needs doing. You need at least one human being who can download and install security patches every time you get yet another alert from a tech vendor about a security vulnerability in one of their products that needs to be patched ASAP. Yes, there’s software that can help that person track and manage their security patching tasks. But patching is a human activity.
- Software also can’t prevent your employees from clicking on phishing emails. Again, there’s software that can filter a lot of those emails out. And there’s software that can help you run a training program that teaches your employees better cyberhygiene. But someone has to decide to run that training. Someone has to choose a training program and get everyone to buy into it. And if it’s not working, someone has to figure out why it’s not working—and take appropriate corrective action.
The need for security leadership
So how do you make sure your organization achieves its security objectives through the right combination of effective security software and effective human action? With the right leadership, of course.
Leadership—smart, engaged, passionate leadership—is absolutely essential for the effective, efficient mitigation of technology-related business risk. A qualified leader will:
Accurately assess your organization’s true exposure to cybersecurity risks of all kinds
Determine exactly what needs to be done in order to address those exposures
Determine exactly how those things need to be done—whether by software, by internal or external IT resources, by internal or external cybersecurity resources, by your non-technical workforce, or by your upper management
Make sure everything actually gets done properly, on time, and within budget
Orchestrate all those actions to avoid duplication of effort and/or people working at cross-purposes
Determine whether anyone is doing anything that’s creating more risk, rather than mitigating it
Continuously re-evaluate your organization’s security posture to assess progress, uncover new problems, and make changes wherever needed
Keep upper management in the loop so they can factor cybersecurity into the decisions they make about operations, growth, strategy, partnerships, and resource allocation
Build a culture of security so that you’re not constantly spending time and money fixing problems after the fact
And that’s just a partial list of what a true security leader does.
So, no, there’s no software you can buy that will make your company safe. But with the right leadership, you can do and buy the right stuff. Just as important, you can avoid buying stuff you don’t need—and stop doing stuff that unnecessarily exposes you to excessive business risk.
To learn more about how a virtual CSO can provide much-needed leadership of your organization’s security efforts, reach out to me at scott@csoscott.com.