A few months ago, during an Ask Me Anything segment, an MSP asked me a question that took me aback. It’s rare for a cybersecurity question to leave me speechless, but this one did. The business owner wasn’t uneasy about asking me the question; in fact, he was “matter of fact” in his approach. And it got me thinking. Because while the answer was clear to me, I realized that others might be approaching the security conversation from a similar place. His question? “How do I deliver bulletproof security?”
Like many things in business, you must begin with the end in mind. But the first step isn’t to begin; it is to decide on the proper destination. Otherwise, we turn on our business GPS and run in 100% the WRONG direction.
Should Bulletproof Security Be The Goal?
On the surface, providing “bulletproof” security seems like the correct approach. You’re aware of the growing security challenges. You want to keep your small business clients secure from threats, exploits, and hackers that are attacking them daily. And certainly a marketing campaign around “bulletproof security” has significant appeal. It checks the box for “sell the sizzle, not the steak.”
But before we decide that bulletproof is our end goal, let’s define the term. “Bulletproof” means invincible. Unbeatable. Not able to be defeated. Impenetrable.
Can you offer security that is unbeatable? Do you really want to promise that to your clients? When you factor in user error, an increasingly sophisticated enemy, and a growing threat landscape; is it completely unrealistic to believe that you can deliver bulletproof cybersecurity.
Further, when you examine the NIST framework, you can see clear evidence that “invincible” cybersecurity isn’t realistic and shouldn’t be the goal. Otherwise, there would be no need to Detect (alert you when a cybersecurity event happens), Respond (which involves mitigation) or Recover (improving security as a result of the event that was detected.) Based on this analysis, “bulletproof cybersecurity” isn’t the answer.
What Is A Better Goal?
If it’s unrealistic and likely impossible to build and deliver a solution that is bulletproof, then what should your goal be? Risk mitigation. You must develop a strategy around mitigating risk. In order to do this, you must identify what risks your clients’ networks are exposed to. You’ll likely perform a risk assessment in order to understand the various threats that your clients could face, the chances of those threats being successful, and how a successful attack would impact your clients. You’ll also want to understand their business, workflow, and value of data within different departments. Then you build a solution stack to minimize the most obvious risks. To be clear, you cannot stop every threat. The goal is to reduce the risk to your clients’ networks. You must reduce the chances that a threat can be successful. In other words, you Identify (NIST again) the risks and then address those risks to reduce the severity of, or seriousness of, the cyber attack or cyber incident.
Be aware that risk mitigation is fluid. The number (and type) of risks will change over time, and the implications of those threats will also vary. This means that a security stack you roll out today will likely need to change in a year. This doesn’t mean that today’s plan is flawed, but simply that you will become more mature (and that threat actors will also continue to evolve in their efficiency.) Because you will likely deploy additional security measures in the years to come, you should prepare your clients for the possibility of increasing their security budget over time.
How Do I Reduce Risk?
Your solution stack will include several layers that fall under the NIST framework for “Protect.” You should include a managed firewall, email security, employee training, and an advanced endpoint solution. These are all designed to stop threats before they can do any damage. But, as we’ve already discussed, the protection layer alone is not enough. You must also include the “Detect” and “Respond” components too. This means you’ll want to include a threat hunting tool or the more comprehensive option of Managed Detection and Response (MDR), and likely a SIEM and a SOC. You’ll also want to make sure your network (and your clients’ networks) don’t have undiscovered security breaches or evidence of unauthorized access by performing compromise assessments. This provides you with some peace of mind, as you can demonstrate that, at least as of today, you have not been compromised.
This is a challenging topic. There are few simple answers. But one answer is clear: you cannot approach security with a fictitious plan to provide something that is bulletproof. That isn’t a realistic goal. What is more accurate is building something with multiple layers in place, including a plan to detect and respond to threats that eluded your other layers. The goal? Mitigating risk as much as possible.