For those of you familiar with management theory, Elliott Jaques and his Requisite Organization may ring a bell. Generally speaking, Jaques posited that an organization can excel at structure when managers understand each direct report’s growth potential measured in time span & complexity.
Simply stated, when placed at the right role level, can someone tasked with “boiling the ocean” break down such a large initiative so that they can manage the completion of a complex work effort effectively and efficiently? Moreover, can they do so while using their ability to think into the future, avoiding predictable barriers while exceeding expectations?
The answer, according to Jaques, is a resounding “no” for most everyone entering the work force on day one and a paltry “not likely” for most of your workforce.
So, how do Jaques and his theory relate to information security and cyber security risk management?
Well, most malicious actors (hackers) develop their exploits using automation coupled with massive compute power, with malicious code and intent built at a very high stratum level, allowing them to bypass most security controls easily.
The truth is, as good as the security tools and your Stratum I and Stratum II teams may be, your business may have already been compromised by a social network of hackers with Stratum III+ capabilities. So, compromise should be considered a matter of “when.”
Great, now we know the problem. What should we do about it?
Simple really, be prepared for when an attack happens by approaching cyber security as a holistic company risk management strategy. This approach does three things for you:
- Compliance – Make sure you know your compliance exposures, analyze those exposures carefully, and build a security program and follow it.
- Build a Thick File of Proof – Contrary to popular belief, continuous oversight & visibility of technical AND non-technical actions works great for auditors, cyber insurance claims, legal depositions, and negotiations when you can prove that you are doing what you were supposed to be doing.
- Risk Sharing – Spread around the risk of a cyber compromise by making sure the whole company is prepared to protect, detect, respond, and be accountable when attacks or compromises occur; rolling out an information security assurance program and holding 3rd parties to contractual compliance requirements are a great way to share risk!
Now, I know many of you naturally respond to risk with, “It hasn’t happened to me yet and I’m not really a target so why spend the money?” Sadly, if you are connected to the internet and do business with companies that do have exposures, you most certainly are a target.
Furthermore, that cyber-insurance policy you purchased that you thought was “covering your assets” only works if you are meeting the subjectivities (fine print) of the policy and continuously keeping yourself secure. Additionally, the leading insurance business masterminds like Warren Buffett are certainly going to go out of their way to avoid being held accountable for a cyber insurance market that is likely to collapse.
Moreover, that cyber insurance application you filled out had a lot of questions about how you are handling your IT and my guess is that you guessed at a lot of the answers and have no proof that you are doing what you said you were doing. Result = claim denied. Make sure you are working with a reliable and knowledgeable broker, like Clinton Polley, who can help audit your policy with our help.
With that, I encourage you to accept the fact that more than half of all cyber security compromises originate from malicious attacks (ref: Ponemon Institute 2017 Cost of Data Breach Study) and recognize that compromise is now a matter of when. You can be prepared for “when” a compromise happens and SACTECH has the answer for you.
So, call us now at 916.484.1111 and ask for us to help you sort out your hot mess of cyber security risk management with our Omnistruct Cyber Security Maintenance Platform.