One of the most common questions I get as the President & CEO of The Penn Group is: What is cybersecurity?
Most would be apt to relegate these questions to the trash bin or kindly direct people to Wikipedia for some light reading. Recently I had an epiphany. If most of the people around me didn’t know what cybersecurity is, then how would my customers know? Everyone knows about hackers, but what about complex risk? What about identity theft? What about the consequences?
Allow me to give you an analogy: You have a beautiful, large home that is susceptible to catching fire. The bigger the home, the greater the likelihood that at least some part of the home could catch on fire. The longer the fire burns, the more of your stuff gets destroyed. If you don’t react within a reasonable amount of time, the fire will consume your home, all of your belongings, and potentially impact the lives of everyone inside. In this example, the large home is your organization, your belongings inside the home are your personal information, and the fire is a cybercriminal or “hacker”. There is a distinction between the terms “cybercriminal” and “hacker” because hackers can actually be good or bad, depending on their motives. In our case, cybersecurity is a bit like home insurance. We know that something could happen, and therefore we spend a lot of time attempting to protect the belongings within the home (data). We put security controls, which are countermeasures designed to thwart criminals, in place to control the blaze, or even prevent it from occurring in most circumstances. We then keep an eye on things, so that if a fire (breach) breaks out, we can work really hard to put the fire out (mitigate damage).
In essence, cybersecurity is a battle to manage risk, which is the likelihood that an event will occur multiplied by its impact. Cybersecurity professionals balance our actions based on the perceived risk to the organization we are tasked with protecting. If you’re a large bank, your risk will be significantly higher than that of a library with only a few computers. Cybersecurity, and security in general, must be implemented to the level of risk that the organization is willing to accept. To put it in simple terms: You won’t spend $5000 a month on home insurance for a $40,000 house. Beyond managing risk, cybersecurity professionals are tasked with the assurance of what security folks refer to as the “security triad”. The security triad is the confidentiality, integrity, and availability of systems. Let me break this down:
The confidentiality of information is the assurance that the information in question will remain confidential, or secret. A great example of this is the United States Department of Defense. The US Military holds some of the most closely guarded secrets in the world. From a cybersecurity context, those secrets would be meaningless if they were not protected. A core pillar of cybersecurity is the assurance of confidentiality of the information being protected.
The integrity of information is the assurance that the information you are receiving is the information that you intended to receive. For example: suppose you entered your credit card number into a website to make a purchase, and the number was sent to your bank. By the time it arrived at the bank, the card number was a few digits off, because a cybercriminal intercepted the card number and modified it. This would be a loss of integrity of the information in transit.
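As an added illustration of the integrity property (not part of the original article), here is a small Python sketch of how a receiver detects the in-transit modification described above: the sender attaches a keyed hash (HMAC-SHA256) to the message, and any change to the card number causes the tag to fail verification. The shared key and the sample order are constructed for the demo; in practice the key would be established by the transport (for example TLS), never hard-coded.

```python
import hmac
import hashlib

# Constructed demo key shared by sender and receiver (assumption for the example).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: append an HMAC-SHA256 tag so the receiver can detect
    any change to the message made in transit."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def verify(wire: bytes, key: bytes = SHARED_KEY) -> tuple[bool, bytes]:
    """Receiver side: split off the tag, recompute it over the received
    message and compare in constant time. Returns (integrity_ok, message)."""
    message, _, tag = wire.rpartition(b"|")
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag), message


def tamper_in_transit(wire: bytes) -> bytes:
    """Simulate the article's cybercriminal: change a few digits of the
    card number without knowing the key. The old tag is left untouched."""
    message, sep, tag = wire.partition(b"|")
    return message.replace(b"4111", b"4999", 1) + sep + tag


if __name__ == "__main__":
    order = b"card=4111111111111111;amount=49.99"  # constructed sample order
    wire = protect(order)
    print(verify(wire))                      # integrity_ok is True
    print(verify(tamper_in_transit(wire)))   # integrity_ok is False
```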
The availability of information is the assurance that the information you are trying to access can actually be accessed. Many cybercriminals simply want to make a wave rather than pull off a real-life Ocean’s 11. They can do this by performing targeted attacks against systems to bring them down. Think about how upset you would be if Netflix went down, and it was a cybercriminal’s fault. This is a loss of availability.
Now that you understand the basics of the security triad, you can get a clear picture of the main goal of cybersecurity professionals: to manage risk, and to assure the confidentiality, integrity, and availability of systems. Unfortunately, the role of a cybersecurity professional isn’t easy. Cybercriminals from around the world, every single day, try to penetrate the defenses of organizations. Well-funded organizations, governments, script kiddies, and even insiders within companies are all threats that must be contended with. As an additional headache, there is no system in the world that is 100% secure. If a criminal wanted to get in, they could, given enough time. It then becomes imperative to ensure that organizations are ready if a criminal does breach their defenses.
What is troubling to me, however, is how many organizations are really unprepared. Today, the security posture of the United States is miserably insecure. We have experienced breach after breach, our elections have been tampered with, and the frequency of these incidents continues to escalate. It isn’t unreasonable to return to the house analogy to describe our position. Our organizations are like houses built in a desert prone to wildfires. We have little water to put fires out, and it is only a matter of time before the fire consumes everything. There is hope, however! Each day, we can all make strides to improve our security and keep our data and customers safe. Security really is everyone’s responsibility.
Austin Harman is the President & CEO of The Penn Group. He currently holds the coveted CISSP certification, in conjunction with the CCSP, CAP, and Security+ certifications from ISC2 and CompTIA respectively. He resides in Columbus, Ohio.