“Anything that can go wrong, does.”
Remember Murphy’s law? It is just as valid for your company’s exposure to hackers and cybersecurity risks.
Every company’s IT team works much like the construction crew that builds a factory. But builders are not responsible for protecting the business from attackers such as robbers or malicious competitors; that is not their job. Nor is your IT team equipped to fight hackers.
Just as in the image above – construction workers and defenders have entirely different skillsets and objectives.
To fight a tank, you need a tank.
Regardless of how great your IT team is, they will not create a secure factory. At best, it will just be productive.
Even with the fanciest firewall and the most expensive antivirus, you will experience a security breach. It happens, just as people get sick from time to time. If your immune system is robust, you will recover quickly; if it is not, things can get worse very fast.
We all invest in protecting ourselves and those closest to us from sickness and other risks – that is why we have airbags in our cars, we wear masks during COVID-19 lockdowns, and we shield our children by closely monitoring them while they’re young. If we don’t, our children or our business may suffer.
Businesses like to feel safe and buy security solutions. You have probably already bought an antispam solution and a firewall, and you’re running some form of antivirus or even EDR to protect your computers. That’s alright.
But investing in security products before you have invested time and effort in the security configuration of every IT element in your business is like throwing money at the fire – your investment will disappear without providing you safety.
Imagine your house filled with money, gold bars, and valuable data stored on computers in every room. Wanting to protect your belongings, you call the most prominent physical security firm and purchase the best cameras, motion detectors, and alarms on the market.
A thief disables all of them and walks away with your gold, money, and data.
How did it happen?
Thieves know how to bypass commercial security systems. If they didn’t, the security companies would go bankrupt in a year.
In order to protect your gold, money, and data, you should focus not on the doors, alarms, and security systems. Focus on making the gold ‘unstealable’. Focus on making the data unreadable. Focus on making the money unspendable.
That is when your assets become secure. Commercial security products cannot solve this problem – as companies using them get breached all the time.
But security architects can!
It is the same with IT infrastructure defense. Instead of buying the most expensive antivirus, firewalls, and monitoring systems, focus on secure architecture and on protecting every single IT element to the maximum extent possible, using only the security configuration already available in it, and sprinkle some ‘secret voodoo’ on top.
Knowing which security settings to apply to your IT infrastructure is a very different body of knowledge from what is needed to build that infrastructure. That’s why it is easier to just slap a security product on top of it and call it secure, which is what most IT teams do to protect what they’ve built.
Hackers use malware, so let us use an antimalware product.
They hack our computers, let us install a firewall.
But is the firewall easy to bypass? The sales guy told us it is ‘military-grade security’, so it must be so.
Organizations then rinse and repeat the same process for every new security problem they encounter: You buy antispam products to prevent hacking attacks coming through email, but ignore the ease with which hackers bypass this defense.
You buy the latest and greatest antivirus without checking if there are known ways in which hackers could bypass it.
I have seen a company spend more than a million dollars on promising, but non-functional security products. The company spent a year trying to make it work. It never did.
Have you seen a million dollars in cash? The Bureau of Engraving and Printing states that all US bills weigh a single gram. $1,000,000 in $100 bills weighs around 10 kilograms. Ever seen anyone flush that amount of cash down the toilet?
That’s what the company above did. And you will, too, if you try to buy your way into security instead of doing the work of applying secure architecture principles to your IT.
Your job is to run the business. If you need help protecting it, you may look into hiring a security manager, or a CISO.
Hiring a Chief Information Security Officer (CISO)
Can an employee, forced to stare at a computer screen for 8 hours straight, be as efficient as a hired team?
A full-time CISO (Chief Information Security Officer) decides their own objectives and their own schedule. They might decide to play games all day, for all we know. If you are not a security expert, how are you going to control the quality of their work and their performance?
Who would you trust more, if your house was on fire: a bureaucrat on a monthly salary or a firefighting team who put out fires of various magnitudes every day?
Because most organizations end up hiring a bureaucrat to put out the fire in their company when it comes to security.
Years ago, when I worked as a CISO for a bank and before consulting banks on several continents, I used to think a full-time employee was the only option for any company.
After working with multiple large (up to 8000 people) and smaller organizations to improve their defenses, I found out that they can get the best of both worlds – avoid having to hire a full-time CISO and be safe from hacking attacks such as malware, ransomware, phishing over email or even human error.
Hiring a full-time CISO is expensive. And repetitive!
Searching for a full-time CISO is out of reach for most companies, as their salary ranges from $100 000 – $240 000 per year. Headhunters charge one monthly salary, at a minimum.
Such a salary is affordable to large organizations but is not an option for smaller companies. The average lifespan of a CISO in any organization is two years – after which time, you will have to repeat the process all over again.
Why would you compromise on quality and hire someone cheaper, just to have the emotional assurance of hiring a full-time CISO?
What level of compromise would you tolerate?
None. None is the correct answer!
The popularity of working with external teams of security experts taking over the CISO role is growing exponentially. You can easily verify that by googling “virtual CISO” – just a few years ago, the term was new and unknown; now thousands of security companies are offering it as a service.
If you focus on applying secure operating principles to your IT infrastructure, you don’t have to buy security products:
- The security settings in your IT assets are FREE to apply.
- Secure design and implementation principles are FREE to use.
- Security hardening for operating systems, office suites, browsers, and other software is FREE.
- Secure software development principles are FREE to learn and apply.
A part-time CISO will work with your team daily, just like a full-time employee.
At the end of each month, instead of asking for a salary as an employee would, we ask you to review all the work done.
And ONLY if you are happy with the results will you be issued a Virtual CISO invoice.
And this repeats every month, for as long as you are happy.
Plus, your IT team will have a team of tanks to protect them, while they keep upgrading your factory.