It’s difficult for a big company to be highly secure, I get it.

spareproj
4 min read · Sep 26, 2023


Flavours of the month come and go: presidential elections, scandalous public figures, money laundering cases…

But not a week goes by without another major company being hit by a security breach, even as we hear companies promising to ‘ramp up on security’ after paying a hefty fine to the authorities for failing to secure their environments.

Operating in the dark is a big advantage. Threat actors spend their days hunting for new ways to exploit enterprise vulnerabilities and break into systems.

In comparison, companies previously minding their own business (dealing with board of directors, fighting for market share, coming up with marketing campaigns, dealing with trade unions…) have to somehow cough up additional resources to deal with these black hat hackers. They always seem to be playing catch up.

As a company director, security is like that pesky but big fly that you need to deal with.

When done well, nobody gives you a pat on the back for having no security breaches. Just as nobody pats you on the back for having kept clean and attracted no flies for the last five years.

This is because, well, no CEO rose to the top fuelled by the ambitions of protecting the company from security breaches. Even on the good end of the spectrum of motivations, they are (hopefully) propelled by the cause of their main business: airlines bringing people together from across the world, BI service firms helping companies piece their data together.

But there are housekeeping activities you need to do in order to achieve those objectives. Security is one of those critical tasks to keep the business going.

Unfortunately, security is often not top-of-mind for many C-suite executives. It is often factored in as an afterthought, or after a competitor got hit, or worse, after they themselves got hit by a big breach.

So we see companies force-fitting security tools to their systems, checking off compliance checklists superficially.

But when you get hit, the impact goes beyond financial penalties. In most cases, if not all, the CEO of the company takes ownership of failing to protect the business. The CEO has power over resource allocation and over fostering the company's security culture, the two most commonly cited factors behind security lapses.

When 9 million customer records were stolen from Cathay Pacific, the chairman of the parent company of the airline was called in by the Legislative Council of the Hong Kong government to answer for the security breach. We also saw security officers getting publicly named and shamed in the event of a breach.

From a consequence-to-effort perspective, it makes little sense for C-suite to underestimate the importance of security to ensure business continuity.

But I get it, it’s tough.

It’s incredibly complex to know how to secure a business

Even if the leadership is motivated to secure the company, the complexity of security can be daunting.

Unless you graduated from a cybersecurity degree or had undertaken the CISSP, you probably need to start from scratch in learning how to secure your environment and systems.

Network architecture

You would need to understand hardware, software, networks, applications, and endpoints. Then how they all correlate and influence each other.

The more complex and proprietary your technology is, the more complex the security demands are. If it’s that “state-of-the-art”, even your product guys may not know how to secure their own designs.

Detection

Then you need to study detection software and how it works: normalizing telemetry from different sources into a common schema, search functions, and the alerting and correlation mechanisms that turn individual events into alerts.

This requires your company to have a cohesive data collection and integration plan across different teams and products, so that this security telemetry can all be funnelled into a SIEM for your security team to monitor across the organisation’s network and systems.

Threat Intelligence

After collecting all those data, you will need to know what kinds of events you should be monitoring for.

What kind of malware? What are considered abnormal activities? Who’s attacking me? How are they coming at me?

Without that knowledge, you’re still swimming in the dark.

Response

After (or even if) you’ve done all that, you need to create security incident playbooks that equip your security team with the know-how to respond to an incident once it is detected.

Is this considered a sev 1 alert, or is this a false positive? AH, it looks dangerous, who should I notify?
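The detection and response steps above (normalize telemetry from different sources, correlate it into alerts, then attach a severity and an escalation path from a playbook) can be shown end to end in a few dozen lines. The following is an added example, not code from the original post; the log lines are constructed, the rule name, thresholds, severity labels and the "notify" target are assumptions made for illustration, and a real SIEM would do the same steps at much larger scale.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs) in two different shapes:
# syslog-style sshd lines and JSON events from a hypothetical VPN appliance.
SSHD_LINES = [
    "2023-09-26T10:00:01Z host1 sshd[812]: Failed password for alice from 203.0.113.7 port 51000 ssh2",
    "2023-09-26T10:00:04Z host1 sshd[812]: Failed password for alice from 203.0.113.7 port 51001 ssh2",
    "2023-09-26T10:00:09Z host1 sshd[812]: Failed password for alice from 203.0.113.7 port 51002 ssh2",
    "2023-09-26T10:00:15Z host1 sshd[812]: Accepted password for alice from 203.0.113.7 port 51003 ssh2",
    "2023-09-26T10:05:00Z host1 sshd[900]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
]
VPN_EVENTS = [
    '{"ts": "2023-09-26T10:01:00Z", "user": "carol", "src": "192.0.2.5", "result": "deny"}',
    '{"ts": "2023-09-26T10:01:30Z", "user": "carol", "src": "192.0.2.5", "result": "allow"}',
]

# Playbook entry for the rule: severity and who to notify (assumed values).
PLAYBOOK = {
    "brute_force_then_success": {"severity": "sev1", "notify": "on-call incident response lead"},
}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def _parse_ts(s):
    # ISO-8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_sshd(line):
    """Map an sshd auth line onto the common schema; return None for lines we don't model."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": _parse_ts(m["ts"]), "source": "sshd", "user": m["user"],
            "src_ip": m["src"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def normalize_vpn(raw):
    """Map a JSON VPN event onto the same common schema."""
    e = json.loads(raw)
    return {"ts": _parse_ts(e["ts"]), "source": "vpn", "user": e["user"],
            "src_ip": e["src"],
            "outcome": "success" if e["result"] == "allow" else "failure"}


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule: at least min_failures failed logins from one source IP, then a success
    within `window` of them, across any source. Each hit is enriched from PLAYBOOK."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["outcome"] != "success":
                continue
            recent_fails = [f for f in evs[:i]
                            if f["outcome"] == "failure" and ev["ts"] - f["ts"] <= window]
            if len(recent_fails) >= min_failures:
                rule = "brute_force_then_success"
                alerts.append({"rule": rule, "src_ip": src, "user": ev["user"],
                               "failures": len(recent_fails), **PLAYBOOK[rule]})
    return alerts


def run():
    events = [e for e in map(normalize_sshd, SSHD_LINES) if e]
    events += [normalize_vpn(r) for r in VPN_EVENTS]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data only alice's session fires: three failures in 14 seconds from 203.0.113.7 followed by a success. Bob's single failure and carol's one deny-then-allow on the VPN stay below the threshold, which is the "is this a sev 1 or a false positive?" decision being made by the rule rather than by a tired analyst; the playbook entry answers "who should I notify?".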

How do companies even start?

Hire or Partner?

At this point, companies need to decide whether to engage a security vendor or partner to shed light on their situation, train their current team in this security knowledge, or hire a new team of security experts.

This decision will then impact who will be making decisions on what products to purchase from the market, from which company, or to build themselves.

Where to begin

Imagine going through all these learnings and researching and decision making, before realising that the hardest part is actually…convincing all business groups and stakeholders to incorporate security features into their everyday business.

This means perhaps requesting a higher budget to build or buy products with built-in security.

Or re-doing some of the product features and plans that don’t comply with security standards.

Or ensuring that the processes different teams adhere to follow security best practices.

Yes, if companies saw the importance of having security baked into their processes from the beginning, many breaches could have been avoided.

Research shows that the lack of healthy security-minded culture across the teams is the most common reason for security lapses in big companies.

But I don’t think it is for lack of effort. It’s because doing so is incredibly complex and unsexy.

Unfortunately, threat actors do not care what the reason for your company’s haphazard security practices is. Threat actors seek vulnerabilities in systems and exploit them, and this will continue until the company gets hit badly.
