How businesses can make informed cybersecurity investment decisions

By Justin Malczewski
Oct 27, 2021
Photo credit: Natee Meepian/iStock/Getty Images

In our podcast episode, cybersecurity expert Justin Malczewski speaks with Anthony Green, CPABC's Manager of Security Operations and Compliance, about how leaders can best make informed decisions on the types of cybersecurity resources they invest in. Part of our Coffee Chats with CPABC podcast series.

Having a strong cybersecurity framework in place is more essential than ever. But with so many cybersecurity threats as well as protective services available these days, how can organizational leaders make informed decisions on the types of cybersecurity resources they should invest in?

We recently spoke with Justin Malczewski, cybersecurity expert and past president of the Vancouver chapter of ISACA, about how he advises organizations establish cybersecurity frameworks and prioritize spending, especially when working with small-to-medium-sized businesses with limited budgets. For the full interview, listen to our podcast episode.

Below are some highlights from the conversation.

What is your advice to organizations in the early stages of setting up cybersecurity measures?

Start with doing a risk analysis for your company to evaluate the possible risks to your organization. It’s going to vary from company to company, so it’s important for you to specifically focus on determining your own organization’s risk profile. This involves understanding what your company’s assets are, where they’re vulnerable, and the extent to which they’re under threat.

When we do a risk analysis, we want to know how likely it is for a type of risk to occur and the impact it might have on your organization. We want to focus our investments in areas of high impact and high likelihood.

What is Zero Trust and why is it so essential to cybersecurity?

The principle of Zero Trust is gaining traction as a key best practice in cybersecurity. It means not providing individuals with access to anything they don’t need access to, and it shouldn’t matter who you are within the organization. For example, your CFO probably should not have access to your organization’s Facebook account, unless they are directly involved with social media.

This doesn’t necessarily mean that we don’t trust certain individuals. What we’re worried about is that if the credentials of an individual falls into the wrong hands, then we have a security threat. It’s very important for organizations to adopt Zero Trust and create a strategy for how to leverage it to minimize security risks.

How can companies avoid gaps in their cybersecurity frameworks?

First of all, having a framework is critical, because it serves as a roadmap. Some of the more popular cybersecurity frameworks are the NIST Cybersecurity Framework, Centre for Internet Security, Critical Security Controls, and the Canadian Centre for Cybersecurity.

These frameworks take you through a range of topics, and ways in which controls can be implemented in these areas. This will help you identify risks to your organization and then enforce protection against them. Additionally, a framework informs how you can continually monitor for relevant risks, respond to them, and recover if needed.

I also recommend reaching out to your peers within your industry to get insight on the type of frameworks different organizations are using and why. You can also try to collaborate with your industry peers in determining some best practices that may work for your respective organizations.

Having a cybersecurity framework will allow you to do a gap analysis to identify where threats can sneak in. It’s important to note that even if you identify a gap, you don’t necessarily have to fill it. Most organizations have limited resources, so it is important to weigh the likelihood of the various possible cybersecurity threats to your organization and the impact they may cause to determine how best to dedicate your resources to the cybersecurity threats that are the highest priority.

If your organization happens to suffer a cybersecurity hit, it’s important to document the incident. After you’ve dealt with the situation, you need to go back to the beginning of your cybersecurity framework and identify the gaps that allowed for the incident, and put the necessary protection in place. Cybersecurity is a continual evolutionary cycle.

For organizations on very limited budgets, how can they ensure that their resources are going towards protecting them from the threats that they’re more likely in danger of?

Don’t try to do it alone. Unfortunately, you will have to spend some money on outsourcing. I understand that smaller organizations have tighter budgets, but at the same time, if your company is one of those types of organizations, you likely also have a sizeable skill gap in your cybersecurity talent.

Even if you’re able to get the internal talent you need, you’re always going to be at risk of losing that talent, because high quality cybersecurity expertise is worth a lot in the market. I’ve seen organizations making investments to attract and onboard strong cybersecurity talent, only to have that talent walk out the door in six months to pursue a more lucrative opportunity. Therefore, trying to exclusively manage cybersecurity with internal talent is not a recipe for success. I recommend reaching out to organizations that specialize in this type of work.

There are cybersecurity organizations that cater to small-to-medium-sized businesses, who do excellent work and provide 24/7 coverage. It’s important to understand that even if you’re able to secure a cybersecurity expert on your internal team, they will only be available a certain number of days and hours, and cyber attackers operate around the clock. By not having someone monitoring your cybersecurity 24/7, you already have a major gap. I encourage organizations to look for a third-party service provider that is able to deliver continual monitoring and protection.

What are some checks and balances that organizations can implement to continually ensure their cybersecurity frameworks are strong?

Every industry has compliance requirements, and at some point, your organization will likely be audited to ensure it is meeting its requirements. At my organization, we use internal auditors to ensure we’re always checking all the boxes, so that when the external auditors come in, we know we’re covered. This is one strategy to help implement checks and balances.

Your internal auditors should work very closely with the cybersecurity and IT infrastructure teams in your company, and leadership should understand and support the importance of this. If leaders don’t have a strong understanding of how cybersecurity fits into their business, and what investments should be made, a lot of resources can be wasted and harm done to the business. Guidance is needed to advise senior leadership on the seriousness of all this, and how to prioritize cybersecurity.

Plan to be attacked

Sadly, when it comes to cyber attacks, it’s not a question of if – it’s a question of when. At some point, most organizations will fall victim to cyber attack. What we can all do, is have a strong cybersecurity framework that includes response and recovery plans.

For example, if you have a way of limiting security access to different employees – for example, by using the Zero Trust principle – then if a cyber attacker gains an employee’s credentials, they’ll only have limited access to the company’s digital space. The organization will also have a way of detecting the attacker’s entrance and how to deal with the situation.

There are lot of wheels in motion when you’re running a business, and there are always competing priorities that threaten to take precedence over things like testing your response plan to cyber attacks. However, there isn't an executive within any organization that has been materially breached who wouldn't tell you that they wish they had prioritized their cyber attack response plan.

If your organization hasn’t started the process of implementing a cybersecurity framework, don't waste any time. Get on with it, do it. And one day, if that rainy day comes, you're going to thank yourself for it.

Justin Malczewski is a cybersecurity expert and past president of the Vancouver chapter of ISACA.