I cannot tell you how many board presentations and meetings I have been in and heard "I am just not technical." Not being “tech savvy” is no longer a valid excuse for not understanding the threats your organization faces and what needs to be done to provide protection. If you are in the budgeting, decision-making or approval process of technology in your organization, you have no choice.
You don’t have to understand the technical details of malware development or vulnerability exploitation to understand the effects they can have on your organization. We are well into the digital age, so you must educate yourself in order to be a part of the solution. After all, the future of your organization could depend on it. While you might lack technological understanding, here are two things you can do:
Go ahead and acknowledge that investing in a partnership with experts needs to be discussed. (Be warned, you get what you pay for when it comes to investing in a partnership with a cybersecurity firm. This should not be the same team that is selling you hardware and/or assisting in the configuration and implementation process.) It’s not uncommon to hear that IT departments have roles that “wear many hats”. When it comes to securing your organization, it’s not about whether your internal team has the aptitude; it’s about the time. Do they have the time and resources to dedicate to maturing the cybersecurity posture of your organization?
Make sure your team has the proper tools and processes in place. Systems change and new exploits are identified after systems are implemented. Having worked in network administration, I have felt the pressure to meet tight deadlines to deploy the latest and greatest platform that’s going to drive revenue, enhance client interaction, and make the systems faster. Typically what happens is that systems get put into production with the focus on stability, and lack the advanced level of security that they need. I am talking about the level of security that a lot of system administrators and technicians simply don’t have the time to focus on or have just not had exposure to.
Think about it like this: let’s say you build a platform with nails and wood. Once it’s built, you walk onto the platform, jump up and down, and ensure that it can withstand the pressure; after all, that’s what the platform was designed to do. Hacking revolves around using systems and software code in ways they are not intended to be used. The equivalent of "jumping up and down" on a technology system as a malicious attacker requires advanced knowledge of how attackers leverage software bugs and misconfigurations to their advantage. Most of the time, organizations have teams or consultants with the skill sets to "jump up and down" on a platform by running automated tools to check if it’s working properly, but lack the expertise to test their platform in ways it is not intended to be used in order to gain access for malicious use.
If you are serious about knowing the weaknesses that lie under the obvious attack surface, it is imperative to partner with experts who specialize in testing systems just like a group of real, well-funded malicious attackers would. Experts in this field can supplement the work your IT department is doing by providing added expertise and freeing up their time to focus on other IT initiatives.
The attack landscape is changing rapidly. Business executives and IT departments need to have all the cards on the table when dealing with cybersecurity. As leaders, you must ensure that you have proper coverage. Making sure your team has the proper tools and access to experts is crucial to protecting your organization.
This article was originally published in the Mississippi Business Journal.