Cybersecurity is a complex challenge for organizations that have outgrown their current approaches to managing and delivering secure business solutions.
As organizations digitally transform and adopt new technologies, addressing security is critical to ensuring the integrity of IT systems, infrastructure, and sensitive business data. Technologies alone cannot address the ever-changing risk an organization faces.
In order to be effective, companies need a holistic approach to risk management that leverages specialized skillsets and knowledge of cyber program management. Most organizations, however, struggle to find the necessary talent to build a cybersecurity team. Moreover, security personnel are expensive, negatively impacting budgets. Lastly, cyber defense is a 24 x 7 operational responsibility that is difficult for many IT organizations to manage.
As an alternative, organizations should seriously consider professional services to rapidly implement effective cyber defense as well as manage the day-to-day governance and operations of a cyber program.
This white paper examines the challenges faced by organizations and how they can leverage the Pareto Cyber Method to assess, transform, and proactively protect business operations and critical data through a Managed Cyber Program (MCP).
Real & Present Dangers of Cyber Threats
Almost daily there is a new report of a data breach impacting a major enterprise. Beyond the loss of data, breaches have a significant impact on brand reputation, customer loyalty, and bottom-line revenue. Cyber criminals are relentlessly improving tactics, leading to a daily barrage of attacks across all industries, regardless of size. Data breaches exposed 36 billion records in the first half of 2020. Data breaches are up 38 percent in Q2 2021, and a new all-time high is predicted by EOY. The ransomware attack on the global foreign exchange company Travelex cost $2.3 million to recover data. Small to mid-sized organizations are not immune to these attacks. According to the Verizon Business 2021 DBIR report, SMBs are almost equal to large companies in the number of breaches seen, showing a pronounced focus on SMBs compared with just the year before, when they accounted for less than half. For such businesses, the results of an attack can be devastating.
Cybersecurity is particularly challenging for growing organizations where security responsibilities often fall on IT employees who have many other responsibilities. Typically, these companies are operating with security practices that were adequate at a smaller scale. These cyber programs, however, have not received the proper attention based on organizational growth and the explosion of threats. These organizations will attempt to catch up quickly with additional spend on technologies, managed services, and internal resources. Although additional spend is necessary to close the gap, it usually results in an incomplete and ineffective program. Enabling a comprehensive cyber defense requires more than additional spend and new technology. Without the development of a strategy based on current risk and posture, most CIOs will have a false sense of security, leaving their organization vulnerable to cyber threats.
Technology Alone Is Not Enough
Many organizations that have fallen behind on the maturity of their cyber program have put their faith in technology. They have typically invested in perimeter, network, and endpoint solutions, believing these technologies alone are enough to secure the IT environment. While technology is a critical component of an effective defense, it only works when configured and deployed properly. Without constant care and feeding of technology, an organization can quickly become prone to cyber attack.
In addition, many of the traditional tactics for protecting an environment are not as effective as they once were. The firewall traditionally was the primary technology used to protect an organization. Today, with the adoption of cloud services and remote workforces, endpoints can completely circumvent the firewall, making them highly susceptible to attack.
Another problem related directly to technology is that many security issues extend beyond the realm of what’s normally considered security. A far too common example of this is a lack of consistent configuration across devices, notably servers. Poor or inconsistent configuration makes it easier for threat actors to infiltrate, control, and laterally move through the environment. A strategy that focuses only on technologies becomes reactive in nature rather than both preventative and proactive.
Finally, technology, no matter how sophisticated, cannot protect a company unless the security culture is well defined. This involves training as well as constant vigilance of users to protect company data and credentials while performing all activities.
The Cost Factor
Fast-growing organizations have often accumulated a significant amount of technical debt in the form of infrastructure or applications that require patches, upgrades or replacement. The cost associated with addressing technical debt in most cases is already very high. Building and managing a cyber program just compounds the cost issue for many IT organizations.
Staffing a minimal cybersecurity team consisting of a Chief Information Security Officer (CISO), a security analyst, and a compliance manager can add several hundred thousand dollars to an IT budget, and that’s assuming that viable candidates can be found in today’s tight job market. There are over 300,000 unfilled security jobs in the United States, and the demand is rising every year.
A Trusted Security Partner
The combination of high cost and lack of security expertise puts growing organizations in a difficult dilemma. The harm a cyber attack can cause becomes greater and greater as the organization grows, but so does the cost of protection, which can seem prohibitive. For many organizations, the best solution is to abandon their do-it-yourself approach and instead engage a partner that can provide security services on an ongoing basis, including a team of experienced professionals led by a virtual CISO.
A Cybersecurity Team at your Fingertips
As a trusted partner, the Pareto cybersecurity team works with the existing IT organization to identify business risk, develop an optimized cyber program, remediate security gaps, and manage business risk proactively. This approach has several benefits. Maintaining a virtual Security Operations Center with a virtual CISO provides all the benefits an internal team provides, but at a substantially lower cost. This benefit is magnified through the Pareto Cyber Method, which focuses on developing an optimized and effective cyber program that is right-sized to the organization’s size and external risk.
Another important benefit is on-demand access to security experts whose time, energy, and careers are devoted exclusively to cybersecurity. These individuals can help companies make cost-effective and value-based decisions related to spend on personnel, technologies, and services. Even more important, they can help determine the best approach, whether that is leveraging existing technologies, improving maturity through process, or adoption of new technologies to reduce risk.
It is important to note that, although expertise and technology are imperative, the most crucial factor for success with a service provider is a strong partnership and trusted relationship. The following case study is an example of how such a partnership can enable organizations to effectively manage business risk.
CASE STUDY | Wheel Pros
Wheel Pros is a rapidly growing organization that addressed its business risk through a commitment to improving IT maturity, implementing a proactive cyber program, and integrating security into its digital transformation.
Headquartered in Denver, Colorado, the company was founded in 1995 by Randy White and Jody Groce with a simple mission to create high-quality wheels for the automotive aftermarket. Through market growth and acquisition, the company quickly grew its revenues to roughly $800M in 2019 and is on track to reach $1B in 2021. With rapid growth, however, the IT environment did not keep pace and was not adequate for continued growth and future business strategies.
Recognizing this, executive leadership brought Rich Benner on board as Chief Information Officer to accelerate the transformation of the digital landscape. After initial assessment, Benner knew he had a difficult challenge in front of him. According to Benner, “Everything was at end-of-life or beyond – hardware, software, everything. Systems were put in place and never upgraded or patched, leaving most of them vulnerable and unsupported by vendors. Minimal effort had been made to harden and secure the environment. And administrator access to critical infrastructure was excessive. There was very little concern for security at all.”
Less than two months into his tenure, the organization was the victim of a cyber attack that it was not prepared to defend against or recover from. Recognizing that this could impact the overall transformation of the IT environment as well as ongoing operations, Benner engaged Pareto Cyber to assess the situation and develop a strategy to transform the security posture.
Cyber Transformation – Assess, Design, & Transform
Through the assessment, Pareto was able to identify the highest risk areas, propose a strategy to mature and transform the cyber program, and deliver critical improvements to the security posture within the existing environment. Additionally, since there was an ongoing transformation of the entire IT environment, Pareto was able to partner with both internal IT and technology service providers to ensure that new capabilities and systems were “Secure by Design” as they were enabled. “Ensuring that our digital transformation was addressing security from the beginning was critical to reducing our risk to business operations,” says Benner. “By taking this approach we were able to transform the IT environment at a rapid pace, do so securely, and not impact our aggressive timelines.” Another huge benefit of the Secure by Design approach was that it leveraged existing capabilities. Rich recognized that, “We were already making large investments in new IT platforms and infrastructure. Having a partner that could help us securely configure those investments as well as enable built-in security capability maximizes the value of IT spend and reduces the need for additional technologies.”
Tom Westbrook, Pareto Cyber’s Chief Technology Officer, who led the charge within Wheel Pros, says, “Through the use of our Transformation Methodology, the team was able to address the organization’s risk by implementing a broad set of improvements that in combination create a multi-layered defense to reduce the likelihood of future cyber attacks. In many cases we were able to leverage existing capabilities to better secure IT assets, reducing the need for additional technologies. Additionally, we enabled proactive threat detection to quickly contain and minimize the ‘blast radius’ of an attack.” Elaborating, Westbrook says, “It is unrealistic to believe you can stop 100% of attacks. The key is rapid containment to minimize spread and reduce impact to the business.”
Cyber Transformation – People, Process, & Prevention
Cyber transformation is more than just technologies. A great deal of effort was placed on establishing policies and standards, processes and procedures, and effective change management. According to Westbrook, “Ensuring that you have well-established policies with processes to back them up is critical to maintaining an effective cyber program. We put a lot of focus in these areas to ensure that the level and quality of the cyber defenses would be evergreen with a very high level of compliance.”
Although not directly a part of a traditional cyber program, Pareto also put a lot of focus on the IT programs that have direct impact on the organization’s security posture. “Addressing Identity & Access Management (IAM) is really key to ensuring threat actors cannot easily access the corporate IT environment,” says Westbrook. “Implementing IAM best practices, reducing privileged access, and enabling multi-factor authentication are all a part of ensuring a strong cyber defense.”
Being prepared to respond to an attack is as important as protecting against it. “We focused a lot of effort on how to respond to attacks,” says Westbrook. “Ensuring that IR processes could be enabled quickly and that IT systems were consistently backed up with a strong Disaster Recovery Plan ensures that if a breach occurs, it can be quickly contained and remediated, minimizing business impact.”
This broad and holistic approach to establishing a cyber program gives Wheel Pros a much stronger security posture. “We can now see network patterns,” says Benner. “If we had had that capability prior, we would have easily detected the attack we experienced in the early part of my tenure. Not only that, because of the changes to access management, there is a high likelihood that the cyber criminal would not have been able to access the environment in the first place.”
Managed Cyber Program – Proactive, Optimized, & Right-sized
The success of a cyber transformation is not measured in terms of the project deliverables, but in an organization’s ability to keep the cyber program evergreen and effective. Through Pareto’s Managed Cyber Program (MCP), Wheel Pros can ensure they stay secure now and into the future. “Having an engaged partner to assist us in maintaining our cyber defenses is huge for us as an IT organization. We have drastically changed our culture to be focused on enabling competitive advantage through digital capabilities and strong customer experience,” says Benner. “Having the Pareto team enables us to continue to deliver new business capabilities quickly. Pareto has been very helpful in ensuring that the IT team continues to implement using a Secure by Design approach. Pareto is not afraid to raise concerns when they see potential risk within any of our new capabilities.”
Pareto Cyber | Managed Cyber Program (MCP) – A Comprehensive Approach
The Managed Cyber Program focuses on four core areas to enable a comprehensive cyber defense. In combination, these services fully enable the necessary strategies to support Wheel Pros from prevention through remediation. Additionally, it enables a framework for continuous improvement and compliance. “Having a partner that is always looking over our shoulder to ensure we are operating securely has been a huge help to our ability to deliver new digital platforms,” says Benner. “We can operate securely now and in the future with minimal impact to our business transformation efforts. Instilling Secure by Design principles not only reduces our risk, it helps us lower our cost of operations over time.”
Managed Cyber Program (MCP) – Core Cyber Services
The Managed Cyber Program (MCP) core services are the key to successful risk management and enable operational maturity for an organization. By working in unison, they ensure all aspects of cyber defense are addressed as well as proactively managed on the client’s behalf:
Governance & Oversight (vCISO) – Overall program management led by a virtual CISO. This service focuses on ensuring that all aspects of the program are implemented properly, on ongoing risk assessments, and on future-focused strategies.
Cyber Hygiene & Continuous Compliance – Proactive management of cyber prevention to ensure that the IT environment is securely configured, prevention technologies are properly deployed, ongoing patching for critical updates and vulnerabilities is performed, and access is controlled and managed to least-privilege.
Threat Detection & Automated Response – Real-time anomaly detection leveraging Machine Learning (ML) to analyze all log sources to detect, contain, and remediate cyber threats. Additionally, this service enables automation and on-site action to immediately contain threats to minimize impact across the IT environment.
Security Culture & Awareness – Establishing a strong security culture focused on accountability and ownership of the organization’s business risk. This service implements a regimented schedule for awareness training, simulated phishing, and supplemental learning opportunities to drive positive behaviors.
A New Approach to Cybersecurity
Organizations of all sizes will continue to face an unprecedented level of cyber threats. Cyber crime has become an industry that is managed much like a business. These criminal organizations are staffed with professional hackers leveraging advanced technologies, including automation and machine learning (ML), to attack as many organizations as possible. IT teams with limited cybersecurity experience are no match for these threats. Leveraging a trusted partner and managed services to augment the IT organization is not only cost-effective but establishes a strong cyber defense that can evolve and mature with business strategies and ever-changing threats.