What Can We Learn From Highly Mature Cybersecurity Programs?
This article reflects on the gulf between the amount spent on cybersecurity by large banks and the long tail of smaller organizations, including family offices.
Tim Schnurr, CRISC, CFA discusses his experience advising mature cybersecurity clients. This is the eighth in a series of articles that also appear in a 24-page publication by Family Wealth Report: Family Office Cybersecurity and AI Summit. The document contains a range of authors who examine topics covering AI, security, cyber threats and more. The editors of this news service are pleased to share this material; the usual editorial disclaimers apply. Email tom.burroughes@wealthbriefing.com if you wish to respond.
The five largest banks and federal agencies
Huge cybersecurity investment: Small businesses spend only a fraction (about 10 per cent) of what mature cyber programs spend. The five largest banks spend heavily on cybersecurity, at more than $400 a month per employee. Small businesses typically spend $40 to $80 per month per seat or employee.
Mature organizations are proactive vs reactive
In 2023, Deloitte provided a survey and breakdown of the average areas of cybersecurity spend.
Two large takeaways: Mature companies are more proactive, and they spend on the people and process aspects (governance) of cybersecurity (vs only focusing on tools).
Governance involves delegation, risk identification, policy making, measurement, and evidencing security.
Smaller attack surface area
“Least trust lean function” is about making yourself small, and mature cyber companies have a relatively small attack surface area. The overall strategy of mature programs can be summarized as least trust lean function.
Least trust (also known as zero trust or least privilege) means providing the minimum of access to data on a “need to know” basis: the “right access” to the “right person” at the “right time.” This silo/segmentation technique gives a company resilience in the same way that compartments give resilience to a ship. An attacker who compromises one person's credentials cannot then reach all data and systems, just as flooding one compartment does not sink the ship. Lean function focuses on giving employees only the tools necessary to do their job and no more. All other software and applications are banned. This limits the number of vulnerabilities attackers can use in an attack. It also limits third-party due diligence and monitoring spend.
Don't forget insider threat: Mature programs are keenly focused on stopping both external and internal threats. Protecting against external attacks is only 50 per cent of the strategy. Insiders are the greatest source of data leaks or data theft. A disgruntled employee walking out with a family office customer list or confidential information is an example of insider threat. Reinforce intended behavior in your employee contracts, employee handbooks, awareness training, and enforcement tools.
Family office recommendations:
How can small businesses and family offices take the next step to mature?
1. It’s recommended to do a risk and gap assessment against a common framework like NIST or CIS Controls. The gaps will identify risks and drive efficient investment, including spending more in line with mature company allocations.
2. Governance is necessary. There are no silver bullet tools.
3. Delegate, empower, and compensate a leader/employee at your family office. This person will champion awareness, assume accountability, as well as measure progress.
4. “Make yourself small” by siloing data access and eliminating Shadow/Unsanctioned IT.
5. Update employee contracts, handbooks, and training to account for insider risk.
About the author
Tim Schnurr, CRISC, CFA is a founding partner at Inquisitive IT, a company that is striving to protect retirees with cyber awareness and managed devices. Previously he co-founded FortMesa, a governance, risk, compliance (GRC) and vulnerability management workflow platform. Schnurr had a long career at Deloitte in cybersecurity, product development, and data analytics. He also spent some time at MIT in a Deloitte collaboration to scout, validate, and commercialize new technologies. Schnurr frequently speaks about insider threat and the nexus of cybersecurity and intellectual property (IP) protection.
About Inquisitive IT
Inquisitive IT serves individuals, retirees, and independent investors by providing personalized cybersecurity programs. Inquisitive IT's managed services include custom policies, in-depth training, and managed devices. Inquisitive IT also provides cybersecurity advisory (Virtual CISO) to small businesses and family offices.