As National Cybersecurity Awareness Month comes to an end, the last of the weekly themes is “Cybersecurity First”. That phrase raises some serious questions:
- Why wouldn’t it be these days?
- Do slogans like this matter?
- Is this an achievable goal?
With weekly news stories about cyber criminals attacking water treatment plants, taking oil pipelines offline, or exfiltrating sensitive business data, the growing threat and impact of vulnerabilities being exploited are too severe to ignore. And at a cost of over $4M per cyber incident (according to a recent IBM study), the financial impact has also grown to be severe.
A main reason not all organizations are able to put “Cybersecurity First” is a combination of lack of staffing and the burnout of cybersecurity professionals. Unfilled cybersecurity positions in 2022 are expected to reach 1.8M people, both making it hard to focus more on cybersecurity than is currently being done and putting more stress onto existing professionals. The way to get there will be with a combination of automation, more efficient best practices, and visible success. Demonstrating that progress is being made with visible success examples can both motivate existing professionals and ideally attract new cybersecurity professionals.
On the question of whether slogans matter, there is a ton of marketing research to show that, for a brand, a good slogan can both motivate people and instill a long-standing belief in it. To the point above about needing more people in the profession and uplifting the downtrodden current professionals, slogans can in fact matter. The key thing is they have to be believable and delivered upon. Cybersecurity First will be successful only to the extent that organizations genuinely act that way. A good test would be to look at a corporate governance policy around cyber, then see if it is being applied across the whole organization. For example, a policy states that critical firmware patches must be installed within one month – yet IP cameras often are never updated; either they got an explicit exemption or there is not a “Cybersecurity First” approach. If exemptions were given, it reflects well on; if not, the slogan is counterproductive.
Finally, is Cybersecurity First achievable? The reality is that there is a war with cybercriminals, and they are constantly innovating and finding new means of attack. Organizations must be equally focused on innovation, new methods, and finding new ways to secure data and systems. Staying with existing (often manual) methods while the types of attacks and the overall attack surface grow is the greatest barrier to achieving this goal. Viakoo is a deep believer that Cybersecurity First is achievable with a focus on innovation and automation, and that a combination of collaboration and regulation will help to spread efficiencies and best practices quickly.