There is no question that businesses need a robust cybersecurity program — the ongoing attacks against businesses of all sizes, and even high-profile individuals like Facebook founder Mark Zuckerberg, make that clear. But do companies approach cybersecurity the right way?
In general, there are two basic ways to model a cybersecurity program: with a Pen or Pencil approach. Think of it this way — when something is recorded in ink, the decision is permanent. A choice is made and the decision is locked in. On the other hand, when a pencil is used, there is room for improvement even in a long-term commitment. If a business owner wishes to take the Pen approach and lock in the initial cybersecurity choice, that may be fine. But if they want the option of adjusting their cybersecurity decisions at some point in the future, the Pencil approach means that erasing their existing controls and making adjustments with proper change controls will be a fairly simple task.
The decision between the Pen or Pencil approach to cybersecurity carries profound consequences. It is the choice of whether you will lock yourself into a set of security practices and forget about long-term strategy or remain flexible and respond to new events. This issue is particularly important now as cyber threats become more sophisticated and attack a wider range of targets with a broader array of techniques.
Despite this growing danger, some business owners prefer the Pen approach. They believe it allows them to focus on growing their company instead of diverting valuable resources and their attention to IT issues. Expenses may also be an issue, since some business owners view cybersecurity as a cost center and do not want to pump in more than the bare minimum of funds. For that matter, it is not unusual for an internal IT department to adopt a kind of “lay low” mindset in the interest of self-preservation. If the IT department is not seen, it is less likely to be scrutinized during a round of budget cuts.
But before a company adopts the Pen approach and locks into a cyber-protection track, some implications should be considered. One issue is that communications with the IT service management or internal security team will be reduced, since the Pen approach removes opportunities to make changes to a security protocol. Consequently, the Pen approach constricts a business’ ability to adjust protocols to comply with evolving best practices and cybersecurity solutions. The Pen approach may align with a person’s personal risk profile, but is an issue when a business is subject to regulatory guidelines requiring updates.
Additionally, the Pen approach to cybersecurity cannot scale with the growth of a business. As a company grows more complex, the potential exposure to hackers and other bad actors increases — and the cybersecurity plan that lags behind a business’ growth will result in digital protection gaps.
In contrast, the Pencil strategy offers flexibility. It enables IT responses to adjust to the real-time environment as a business grows and as cyber threats evolve. An effective Pencil approach utilizes a combination of firmness — with a commitment to updating, reviewing and modifying security policies as needed — while remaining flexible enough to recognize, understand and respond to issues regarding new information, new or changed requirements, emerging threats, and updated solutions.
Instead of freezing cybersecurity or IT support services at a single point, the Pencil approach applies the best practices. It constantly processes improvements, ongoing system audits, and tests while also checking for patches and upgrades when necessary. The Pen proponent will remain happy for a time, ignorant of emerging cyber threats until something bad happens. But once a breach occurs, the cost to fix the damage under the Pen approach will cost a lot more than being prepared to begin with.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.