Is Your Organization Cyber Resilient? Three Common Mistakes To Avoid

Danny is Co-Founder & CEO of TerraScale, Inc., a clean infrastructure design and development firm shaping digital infrastructures globally.

As we hurtle toward a future in which data is at the center of everything we do, much fanfare has been made about the incredible capacity, complexity and sophistication of modern data centers. Data centers are the backbone of our social and commercial realities, and they’re becoming more indispensable by the day. Despite their incredible functionality, however, data centers aren’t invincible. Like any complex system, they can fall prey to an unexpected outage or attack, cyber or otherwise.

As we continue to migrate many aspects of our lives to public cloud, hybrid cloud and even hosted private cloud architectures, the aggregation of so much data in one or a few connected facilities becomes an appealing target for a bad actor. For this reason, it's essential that a thorough end-to-end risk assessment is conducted, that information security architectures are "re-tuned" to address the newly identified risks, and that a plan for cyber resiliency is implemented. This helps protect data and minimize damage in the event of an incident.

But what does “cyber resiliency” mean? Vanderbilt’s School of Engineering defines “cyber resiliency” as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on cyber resources.” In other words, cyber resiliency measures how well an entity can continue functioning in the event of a disturbance.

Common Cyber Resiliency And Security Mistakes

There are three mistakes companies commonly make when it comes to cyber resiliency and security that decision-makers should be cognizant of: cyber complacency, assessment shortfalls and failing to make resource updates.

1. Being cyber complacent: "If it's not broken, don't fix it" remains the mentality of most decision-makers when it comes to improving their cybersecurity posture. Although that "old school" way of thinking might be enough to stop routine attacks, it gives sophisticated adversaries the opportunity to move deep into networks and stay there without being detected.

Information theft has become a common and recurring event. Many people have fallen victim to it, have become complacent about it and are consciously numb to it. In my experience, the situation is no different in the corporate world (except that certain types of institutions are required by law to directly inform the individuals whose information has been compromised).

A lack of vulnerability awareness has become the corporate norm, and policies are therefore written to react only to incidents that have already happened. This philosophy leaves most organizations in a purely defensive, reactive mode when it comes to their cybersecurity posture. I've found that most decision-makers are unaware of this, which itself puts the organization at risk.

Tip: Conduct an end-to-end security vulnerability assessment of your network, and create a plan for implementing continuous monitoring, initially focused on key cyber terrain: the systems and data the business cannot operate without. The small cost of security vulnerability testing and assessment is far outweighed by the benefit of knowing how exposed your network truly is and in which functional business areas you're most at risk.

2. Overlooking the value of security vulnerability assessments: Now that we know the importance of conducting a security vulnerability assessment of a company's network, it's imperative to note a common follow-on mistake many companies make: treating risk assessments as a one-time expense with no lasting return.

However, as data centers continue to evolve, so does the threat of a damaging cyberattack. A risk assessment is a snapshot: it tells you where your technology and your exposure stand today, not tomorrow, which is why it has to be repeated rather than filed away. Cybercriminals don't follow rules and can leverage technology however they wish. We'll always be fighting adversaries who don't operate under the restrictions we do and who can deploy technologies in ways that are unanticipated, undocumented or even illegal. This makes a purely reactionary fight even harder to win. For that reason, companies need to stop seeing cybersecurity as a cost with no return; it could easily be the lifeboat for their organization if (or when) it comes under cyber distress.

Tip: When conducting a security vulnerability assessment, I highly recommend penetration testing (also known as a "pentest") to find vulnerabilities or inconsistencies throughout a network. It's important to select an experienced pentest team and to agree on the scope and rules of engagement in writing beforehand, because a pentest mimics a criminal attack and, done improperly, can cause the same kinds of damage: outages, corrupted data and disrupted business processes. For more critical environments, there are solutions that offer continuous penetration testing and simulated attacks, which can provide even more confidence in the protections in place and early warning of previously unknown vulnerabilities.

3. Failing to make needed updates: A key element of maintaining a hardened cybersecurity posture that many companies overlook is keeping cyber resources updated so they can properly and effectively react to and mitigate new cyber incidents. This applies not only to personnel but to every piece of IT equipment that touches the network. Unfortunately, some organizations don't see IT infrastructure components as critical assets in meeting their corporate mission, so those components are only addressed at the end of their technical lifecycle, when the replacement costs surface.

Tip: If conditions seem stable, that doesn't mean they are. To no one's surprise, leadership understands that technology is advancing faster than any company can financially keep up with. But does that leadership also understand the impact of not keeping up? Doing nothing puts a company at high risk, and matching the pace of technology isn't financially feasible, so company leadership must settle on a solution somewhere in the middle.

Most importantly, leadership teams must truly understand their end-to-end business processes well enough to convey that understanding to their security professionals. Every company needs a cyber champion on its staff who isn't afraid to question current IT policies and to bring what might be "bad news" to leadership. It's time to ask the questions: Where is my information stored, what is my company's cyber resiliency posture and are we at risk?

Forbes Business Council is the foremost growth and networking organization for business owners and leaders.