There is no Magic Bullet for your Cyber Security Risks

by Security Centric, on 31/05/2019 11:30:00 AM

It seems that every other week, someone is touting a new solution to cyber security. They tell you that all we need to do is install our boldly coloured box which leverages algorithms and machine learning. The best part is that YOU don’t have to do any hard work at all! Once it’s installed, you will be secure!

[Image: The magic cyber security product]

Unfortunately, like most things in life, there are no real shortcuts. Making your organisation secure isn’t something you can simply buy. At the very least, it certainly doesn’t start with buying a product.

Although playing with new toys can be fun, businesses need to focus on getting the basics right, which begins with identifying risk. At a high level, cyber security is a never-ending exercise in risk management.


Identify and understand the risks

To act appropriately, an organisation needs to be well informed about the risks it faces.

Depending on the context, this visibility can be gained through a wide variety of exercises, such as penetration testing, vulnerability assessments, threat modelling and policy reviews.

The important thing to remember is risk stems from:

a) People;

b) Process; and

c) Technology

Ignoring any of these creates blind spots in your ability to identify threats.


Decide what you want to do with that risk

[Image: Cyber security risk mapped to business objectives]

Standard risk management methodology defines four options to treat risk: 

  • avoidance;
  • mitigation;
  • transfer; and
  • acceptance.

Depending on the severity and specific context of the risk, you might choose to mitigate it. Mitigation measures may be people, process or technology focussed. If the mitigation is technology based, the most effective option is often a more appropriate use of existing technology, through configuration changes or similar hardening.

However, although a new product is rarely what the risk actually requires, a common approach is to try to solve the problem by buying one. The temptation of a new technological toy, coupled with a convincing brochure, website and demo, is often too much for IT to resist.

Technological solutions form an important part of every organisation’s cyber toolkit. However, key decision makers must ensure that the risk identification and solution evaluation stages are performed correctly in order to realise the full value of their decision.
