What you can learn about cyber security from Pareto

What do pentests tell us about the maturity level of cyber security?

The buzzword cyber security sets the pulse of security managers racing. Not out of joyful excitement, but rather out of a feeling of insecurity. Not only because establishing cyber security is time-consuming and just as expensive, but also because the measures to be taken are extremely varied and their effectiveness and interdependencies are difficult to assess. After several years of investment, some people realise that a lot has been done, but little has been achieved. The result: the maturity level of cyber security has barely increased.

Pareto meets Drucker (the good old 80/20 rule)

20% of the effort yields 80% of the result. The remaining 20% of the result (i.e. the fine-tuning) requires 80% of the effort. In his day (1848-1923), Pareto could not have imagined all the things to which his principle would be applied. Today, it is also applied to cyber security, because here, too, it proves its validity time and again. Cyber security in organisations can be drastically increased with little effort, provided you focus on the right measures: namely those with a high degree of effectiveness. However, it is not uncommon for companies to implement measures that are particularly time-consuming and cost-intensive and ultimately have little effect. The roadmap for cyber security should not be characterised by actionism, but by informed and competent planning.

Leverage effect

The economist Peter Drucker (1909-2005) follows the same line with his often quoted management wisdom: ‘First things first. Second, not at all’. And ‘first’ should include those measures that can take effect quickly. The focus is therefore not on what companies do to increase the maturity level of their cyber security and thus the resilience of their organisation, but on what is effective (within a certain period of time). When it comes to cyber security, some measures are more effective than others. ‘Second, not at all’ is not quite right when it comes to this topic. But…

Practicality comes first

Management systems – such as ISO/IEC 27001 – tempt us to push the question of the effectiveness of individual measures to the back of our minds. The standards provide us with a framework, the consultants with a roadmap. As a result, it often happens that companies spend months (…or longer) developing guidelines and directives before any measures are even tackled. This is a mistake, however right it may be to implement a management system.

Leak in the boat

If a boat has a leak through which water is seeping in, you shouldn’t spend too much time worrying about management structures and processes. Otherwise there will soon be no boat and no crew to manage. Of course, there is a difference between the ‘boat’ example and a company. In case of doubt, a company will not recognise such a ‘leak’ – i.e. a potential or even exploited vulnerability – or will not correctly assess the potential risk. On a boat – in the middle of the sea – there will hardly be anyone who says: ‘This is not a priority right now, we are working through our to-do list according to the management system.’ Instead, the crew will quickly agree: ‘First we have to close the leak!’

One thing after the other

As companies do not know their ‘leaks’, they should look for them. And they should do so regularly: not annually, not weekly, but continuously and in real time. There are numerous technical solutions for this, which don’t even have to cost money. Keyword: open source. The key point is: finding and closing vulnerabilities in your IT/OT should be a higher priority than implementing a management system. And I say that as an ISO/IEC 27001 auditor. There is no ‘either/or’ here, but an ‘and’. The right sequence is essential for efficiently increasing the maturity level of your cyber security.
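To make the Pareto argument concrete for a list of ‘leaks’, here is an added example (not code from the original post or from Concepture): it takes constructed scan findings, each with an assumed risk score and an assumed remediation effort in days, ranks them by risk removed per day of effort, and picks the smallest set of fixes that removes a target share (default 80%) of the total risk. All asset names, issues, scores and efforts are made up for illustration; the scoring model is a simple ratio and is an assumption, not a standard.

```python
"""Pareto-style prioritisation of vulnerability findings (added example).

Findings and their risk/effort values below are constructed for illustration.
The ranking key (risk per day of effort) is an assumed, deliberately simple
heuristic: a greedy pick by that ratio is not an exact knapsack solution.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str          # constructed host/system name
    issue: str          # constructed description of the weakness
    risk: float         # assumed 0-10 risk score (e.g. severity x exposure)
    effort_days: float  # assumed effort to remediate, in person-days


# Constructed sample: the kind of list a continuous vulnerability scan yields
FINDINGS = [
    Finding("vpn-gw-01", "Outdated SSL VPN firmware", risk=9.5, effort_days=0.5),
    Finding("web-01", "Default admin credentials", risk=9.0, effort_days=0.1),
    Finding("fileserver", "SMBv1 enabled", risk=7.0, effort_days=0.5),
    Finding("plc-03", "Modbus reachable from office LAN", risk=8.0, effort_days=2.0),
    Finding("intranet", "Missing HSTS header", risk=1.0, effort_days=0.2),
    Finding("mail-01", "TLS 1.0 offered", risk=1.5, effort_days=1.0),
    Finding("hr-app", "Verbose error pages", risk=0.5, effort_days=0.3),
    Finding("legacy-erp", "EOL operating system", risk=6.0, effort_days=40.0),
]


def prioritise(findings, target_share=0.8):
    """Greedily choose fixes, best risk-per-effort first, until the chosen
    fixes remove at least target_share of the total risk.

    Returns (chosen_findings, risk_share_removed, effort_share_spent).
    """
    total_risk = sum(f.risk for f in findings)
    total_effort = sum(f.effort_days for f in findings)
    # Highest risk removed per day of work first
    ranked = sorted(findings, key=lambda f: f.risk / f.effort_days, reverse=True)

    chosen, removed = [], 0.0
    for f in ranked:
        if removed >= target_share * total_risk:
            break
        chosen.append(f)
        removed += f.risk

    risk_share = removed / total_risk
    effort_share = sum(f.effort_days for f in chosen) / total_effort
    return chosen, risk_share, effort_share


def report(findings, target_share=0.8):
    """Human-readable summary of the prioritisation for a roadmap discussion."""
    chosen, risk_share, effort_share = prioritise(findings, target_share)
    lines = [f"{len(chosen)} of {len(findings)} fixes remove "
             f"{risk_share:.0%} of the risk for {effort_share:.0%} of the effort:"]
    for f in chosen:
        lines.append(f"  - {f.asset}: {f.issue} (risk {f.risk}, {f.effort_days} d)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FINDINGS))
```

On the constructed data, five of the eight fixes remove about 81% of the risk for roughly 7% of the total effort, while the single most expensive item (the EOL operating system) would consume most of the budget on its own. In practice the risk score should come from your scanner plus exposure and asset criticality, and the effort estimate from the people who will actually do the work; the ranking is only as good as those two inputs.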

Manuel Bohé

CEO
Manuel Bohé is your contact for everything to do with information and cyber security and advises our customers online and on site.

