What Can We Learn From Highly Mature Cybersecurity Programs?

Tim Schnurr September 13, 2024

This article reflects on the gulf between the amount spent on cybersecurity by large banks and the long tail of smaller organizations, including family offices.

Tim Schnurr, CRISC, CFA discusses his experience advising mature cybersecurity clients. This is the eighth in a series of articles that also appear in a 24-page publication by Family Wealth Report: Family Office Cybersecurity and AI Summit. The document contains a range of authors who examine topics covering AI, security, cyber threats and more. The editors of this news service are pleased to share this material; the usual editorial disclaimers apply. Email tom.burroughes@wealthbriefing.com if you wish to respond.

The five largest banks and federal agencies
Huge cybersecurity investment: Small businesses spend only a fraction (about 10 per cent) of what mature cyber programs spend. The five largest banks spend more than $400 a month per employee on cybersecurity. Small businesses typically spend $40 to $80 per month per seat or employee.

Mature organizations are proactive vs reactive
In 2023, Deloitte provided a survey and breakdown of the average areas of cybersecurity spend.

Two large takeaways: Mature companies are more proactive, and they spend on the people and process aspects (governance) of cybersecurity (vs only focusing on tools).

Governance involves delegation, risk identification, policy making, measurement, and evidencing security.

Smaller attack surface area
“Least trust lean function” is about making yourself small: mature cyber companies have a relatively small attack surface area. The overall strategy of mature programs can be summarized as least trust lean function.

Least trust (also known as zero trust or least privilege) is providing the minimum of access to data on a “need to know” basis: the “right access” to the “right person” at the “right time.” This silo/segmentation technique gives a company resilience in the same way that watertight compartments give it to a ship. An attacker who compromises one person's credentials cannot use that access to reach all data and systems, just as flooding one compartment of the ship does not sink it. Lean function focuses on giving employees only the tools necessary to do their job and no more. All other software and applications are banned. This limits the number of vulnerabilities attackers can use in an attack. It also limits third-party due diligence and monitoring spend.

Don't forget insider threat: Mature programs are keenly focused on stopping both external and internal threats. Protecting against external attacks is only 50 per cent of the strategy. Insiders are the greatest source of data leaks or data theft. A disgruntled employee walking out with a family office customer list or confidential information is an example of insider threat. Reinforce intended behavior in your employee contracts, employee handbooks, awareness training, and enforcement tools.

Family office recommendations:
How can small businesses and family offices take the next step to mature?

1. It’s recommended to do a risk and gap assessment vs a common framework like NIST or CIS Controls. The gaps will identify risks and drive efficient investment including spending more in line with mature company allocations. 

2. Governance is necessary. There are no silver bullet tools.

3. Delegate, empower, and compensate a leader/employee at your family office. This person will champion awareness, assume accountability, as well as measure progress.

4. “Make yourself small” by siloing data access and eliminating Shadow/Unsanctioned IT.

5. Update employee contracts, handbooks, and training to account for insider risk.

About the author
Tim Schnurr, CRISC, CFA is a founding partner at Inquisitive IT, a company that is striving to protect retirees with cyber awareness and managed devices. Previously he co-founded FortMesa, a governance, risk, compliance (GRC) and vulnerability management workflow platform. Schnurr had a long career at Deloitte in cybersecurity, product development, and data analytics. He also spent some time at MIT in a Deloitte collaboration to scout, validate, and commercialize new technologies. Schnurr frequently speaks about insider threat and the nexus of cybersecurity and intellectual property (IP) protection.

About Inquisitive IT
Inquisitive IT serves individuals, retirees, and independent investors by providing personalized cybersecurity programs. Inquisitive IT's managed services include custom policies, in-depth training, and managed devices. Inquisitive IT also provides cybersecurity advisory (Virtual CISO) to small businesses and family offices. 
