Imagine: You receive a call from local law enforcement explaining that your organization has been compromised — a scenario much more common than anyone cares to admit. In 2017, 38 percent of compromised organizations, who engaged with Mandiant for incident response, learned about their breach from an external source.1 While internal notifications are slowly rising, the rate is far too low — therefore it’s time for more organizations to rethink their security program.
“When companies are notified that they have been victimized by malicious cyber actors, it should be a wake- up call,” White House cyber security coordinator Michael Daniel told The Washington Post in a 2014 statement. “U.S. businesses must improve their cyber security.”2
This can be a daunting task, given the wide range of risks, solutions, budget limitations and unknowns. With many competing priorities for budget and resources, every security leader must ask the all-important question: “How secure do we want our organization to be?”
It’s the same question we ask when first meeting with a board in our security engagements, usually after a breach. “The best!” someone invariably answers, fist pounding on the table. “We want to be the best in the world!”
But when an organization learns what the “best” looks like — and the level of investment in technology and people it takes to deliver it — they quickly ask what the second- or third-best level of security entails.
Ultimately, the scope of your security program depends on what level of risk you are willing to accept. As boards consider that question, the proliferation of high-profile attacks is making that calculation much more tangible.
Executives are increasingly getting in front of the issue. We advise them to ensure their IT security and operations managers are in sync regarding the level of risk tolerance. From there they can evaluate their security program and identify what changes are required to evolve their organization’s security posture and ultimately address those risks.
