There Is No Finish Line for Cybersecurity

Companies can’t set up an antimalware patch and dust off their hands. An effective cybersecurity structure needs to evolve constantly.


Increased connectivity means increased vulnerability. People can easily be tracked from their mobile phone or Fitbit and have not only that device but also their car, watch and TV infected.

With cloud and Internet connectivity touching everything from light bulbs, alarm systems, appliances, planes and pacemakers, the attack surface can only expand.

Digital communication will add functionality and control but also create new vulnerabilities. Just think of your E-ZPass being used by law enforcement to give you speeding tickets. Or instead of deleting or releasing stolen data, the next wave will merely change digital data to compromise its integrity. Going even further, malware could be embedded in the chips of programmable logic controllers of a warehouse conveyor belts or carousels — see Stuxnet virus — that could disrupt an entire supply chain.

The increased connectivity means it’s time for a new approach to combating cyberthreats. It’s impossible to have central control over every connection. An analogy is the development that occurred in financial institutions in the late 1990s, when chief risk officers, faced with command-and-control structures that could not reach every employee or function, adopted a new paradigm in which everyone in the organization was responsible for his or her own steps. Cybersecurity is an ongoing risk that needs to be managed by everyone, so that when bad events happen, we are all better prepared to assess them and execute a response plan. A cyberwellness program that fosters a proactive collaboration with the firm and each employee and vendor should have four specific objectives:

The first objective of cyberwellness is to prepare and protect the firm. It starts with an adaptive defense similar to how predictive weather data enables coastal areas to initiate preventive measures in advance of a hurricane. Intelligence and threat assessment data should be used to create active learning scenarios to enhance employee cyberknowledge and training.

Also needed is an effective governance structure to ensure that the firm, affected employees and vendors implement a coordinated vulnerability management program that supports the business strategy. Employees and vendors need to understand that the continuity of operations is their responsibility, and that the onus of developing a response plan and safeguarding company assets falls on them.

The next objective is the ability to detect threats and defend the firm. And, last, the company needs to be able to respond and rebound from cybersecurity failures. This necessitates a predefined set of security incident response plans that can be implemented just after a security attack, rather than being developed on the fly.

Firms that really get it on cybersecurity have adaptive cultures. When firms make missteps on this front, they become textbook examples of what not to repeat. A cybersecurity program conducted in isolation from the day-to-day operating environment, which is the case at most firms today, will not work. A culture of cyberwellness needs to become a strategic focus embedded in day-to-day operations and the core values of the firm to deal effectively with the new threat environment.

David Martin is co–managing director of CybX, a cybersecurity consulting firm, in New York.

Get more on trading and technology.