I cannot tell you how many board meetings I’ve been in and heard “I am just not technical.” Not being “tech savvy” is no longer a valid excuse for not understanding the threats your organization faces, nor what needs to be done to provide protection. If you’re in the budgeting, decision-making or approval process for technology investments, you have no choice. You need to be plugged into the technical aspects of business operations.
You don’t have to understand the technical ins and outs of malware development or vulnerability exploitation to recognize the effects they can have on your organization. We are well into the digital age, so you must educate yourself in order to be a part of the solution. After all, the future of your organization could depend on it. While you might not be a certified technologist, here are two things you can do to hedge your bets:
Acknowledge that investing in a partnership with experts needs to be discussed. When it comes to securing your organization, it’s not about whether your internal team has the aptitude, it’s about the time. It’s not uncommon to hear that IT departments have roles that “wear many hats.” So you need to consider whether they have the time and resources to dedicate to maturing the cybersecurity posture of your organization. Be warned though: you get what you pay for from a partnership with a cybersecurity firm. This should not be the same team that is selling you hardware and/or assisting in the configuration and implementation process.
Make sure your team has the proper tools and processes in place. Systems change and new exploits are identified after systems are implemented. Having worked in network administration, I have felt the pressure to meet tight deadlines, especially when those deadlines involve deploying the latest and greatest platform that’s going to drive revenue, enhance client interaction, and make the systems faster. Typically, systems get put into production with the focus on stability, and lack the advanced level of security that they need. I am talking about a higher level of security, one that many system administrators and technicians simply don’t have the time to focus on or have just not had exposure to.
Think about it like this: you build a platform with nails and wood. Once it’s built, you walk onto the platform and jump up and down to ensure that it can withstand the pressure. After all, that’s what the platform was designed to do. Hacking revolves around using systems and software code in ways in which they are not intended to be used. It’s the equivalent of “jumping up and down” on a technology system as a malicious attacker. This requires advanced knowledge of how attackers leverage software bugs and misconfigurations to their advantage. Most of the time, organizations have teams or consultants with the skill sets to “jump up and down” on a platform by running automated tools to check if it’s working properly. Still, they may lack the expertise to test their platform in ways it is not intended to be used (meaning malicious use).
If you are serious about understanding and identifying the weaknesses that lie under the obvious attack surface, it’s imperative to partner with experts that specialize in testing systems just like a group of real, well-funded malicious attackers. Experts in this field can supplement the work of your IT department by providing added expertise and freeing up their time to focus on other IT initiatives.
The attack landscape is changing rapidly. Business executives and IT departments need to have all the cards on the table when dealing with cybersecurity. As leaders, you must ensure that you have proper coverage. Making sure your team has the proper tools and access to experts is crucial to protecting your organization.