
What are the costs of poor cyber management?

Faced with increasingly numerous and sophisticated cyber threats, CISOs must add multiple layers of security in order to protect information systems from the risk of compromise.

This proliferation of technological tools adds operational complexity to the daily challenges of cyber risk management.

Add to this a regulatory framework that is becoming increasingly dense, with ever stricter compliance requirements such as DORA, the Cyber Resilience Act, the GDPR, and soon NIS 2. All of these texts now impose obligations that are no longer limited to the implementation of security measures, but also concern aspects of documentation and traceability.

In this context, managing cybersecurity can be complicated for the CISO, and poor management can result in additional costs for the company. What are these costs? How can they be anticipated and avoided?

March 13, 2024

CYBER MANAGEMENT IS BECOMING INCREASINGLY COMPLEX AND EXPENSIVE

New requirements

Whereas in the past, system protection often boiled down to simple preventive measures, today's diverse and sophisticated threats require more elaborate strategies.

This trend is also visible in the targets chosen by cyber attackers, as explained by Baptiste David, Head of Market Strategy at Tenacy: "Not only do cybercriminals demonstrate a strong capacity for innovation, but they also seem to have fewer and fewer ethical boundaries. This is particularly evident when we see institutions such as the Red Cross and hospitals being attacked in the midst of the COVID-19 crisis."

This paradigm shift requires companies to adapt. Ten to 15 years ago, companies took a minimalist approach, for example by installing antivirus software without any follow-up action, but this is no longer sufficient today. Antivirus software, among many other tools, now requires documentation and monitoring, and must be part of a broader cybersecurity strategy. Baptiste David emphasizes this point: "Compliance means doing, but it also means communicating, tracking, and documenting."

In a context of labor shortages and under the weight of these regulatory constraints, managing cybersecurity seems to be a perilous task. At best, we get a fragmented view of the information system, and at worst, an increase in risks for the company.

An unnecessary accumulation of solutions

The first effect of poor management is to lead to significant investments in security solutions that, instead of providing adequate protection, are simply piled on top of each other.

A common scenario is investing in multiple anti-malware protection solutions in order to benefit from a double barrier, when in reality these tools could conflict with each other and reduce detection effectiveness.

Risks of non-compliance

Compliance requires documenting and maintaining the cybersecurity solutions used in the company. Without effective cyber governance, it is difficult to assess where an organization stands in terms of regulatory compliance.

This is particularly the case for operators of vital importance (OIVs), who are required to comply with the Military Programming Law (LPM) or face penalties. To this end, ANSSI and other government agencies may carry out security checks to verify that the rules are being properly applied. In the event of non-compliance, the operator concerned will receive an injunction to comply. If the breaches persist, this may result in financial penalties ranging from €150,000 to €750,000.

The prospect of losing business

In more extreme cases, non-compliance can lead to loss of certification and, by extension, loss of business partners. The ISO 27001 standard, for example, is required in the context of calls for tenders. Loss of such approvals can make it more difficult to acquire new customers while compromising existing business relationships.

Damage to reputation

Public fines or penalties also damage the company's reputation. Negative press coverage of cybersecurity issues can lead to a loss of trust among customers, partners, and investors. This is particularly true after a major data breach.

Excessive dependence on a single person

Companies tend to rely heavily on their CISO to manage the cybersecurity of their information systems. However, this dependence can be problematic if no monitoring mechanism is in place, leaving the company vulnerable when the CISO is absent or unavailable.

The importance of good management therefore lies in the implementation of a centralized monitoring tool such as Tenacy: since it does not depend on a single individual, it allows information to be shared within teams. This can translate into action plans, indicators, and a roadmap providing clear direction. If a CISO leaves the company or new members join the team, structured management facilitates the transfer of skills and the integration of these new resources.

HOW CAN YOU ANTICIPATE AND LIMIT MANAGEMENT COSTS?

Define your goals and priorities

Each company, depending on its structure, mission, and priorities, has specific cybersecurity needs. For some, the priority may be focused on protecting workstations, while for others, it may be more about identity and access management.

Accurate identification of the organization's needs makes it possible to determine priority areas and allocate resources. A CISO therefore needs to ask several questions:

  • What are the risks associated with current information systems?
  • How can the effectiveness of security measures be measured?
  • What tools and indicators are available to monitor, detect, and respond to security incidents?
  • Are employees sufficiently trained and aware of potential threats?
  • How do security objectives align with the company's overall objectives?

Once the objectives have been established, they must be validated by management, and the roles and responsibilities of each individual must be specified in an ISSP (Information Systems Security Policy).

Basing cyber management on facts

An information system is a constantly evolving environment that requires the CISO to adapt continuously.

As Baptiste David points out, "A CISO should not rely solely on instinct or conviction. While lessons learned from past experiences are important, it is essential to remember that what worked in the past in a given context may not always be transferable to another company."

It is therefore important to prioritize an approach based on facts and data.

If we take the example of an antivirus solution, simply purchasing it is not enough. You need to:

  • ensure its deployment;
  • monitor its effectiveness in real time;
  • establish clear indicators to assess functional coverage and the level of protection within the company, such as the number of attacks recorded or the number of malware programs blocked.
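The three steps above (deployment, real-time monitoring, indicators) can be turned into concrete numbers. The following script is an added example, not Tenacy's code and not part of the original article: it computes deployment coverage, signature freshness and blocked-malware counts from a constructed endpoint inventory and a few constructed antivirus event lines. The CSV-like inventory format, the event line format and the seven-day "up to date" threshold are assumptions chosen for the example.

```python
"""Added example: antivirus coverage and protection indicators computed from
constructed data. Not Tenacy's code; the inventory/event formats and the
MAX_SIGNATURE_AGE_DAYS threshold are assumptions for illustration."""
from datetime import date

# Constructed inventory: one endpoint per line, "host,agent_installed,signature_date"
INVENTORY = """\
ws-001,yes,2024-03-12
ws-002,yes,2024-03-01
ws-003,no,
srv-db-01,yes,2024-03-13
srv-web-01,no,
"""

# Constructed antivirus event lines: "date host action threat"
EVENTS = """\
2024-03-12 ws-001 blocked Trojan.Generic
2024-03-12 ws-002 blocked Adware.Toolbar
2024-03-13 srv-db-01 blocked Trojan.Generic
2024-03-13 ws-002 detected-not-blocked Ransom.Sample
"""

MAX_SIGNATURE_AGE_DAYS = 7  # assumed threshold for counting an agent as "up to date"
REPORT_DATE = date(2024, 3, 13)  # fixed so the example is deterministic


def parse_inventory(text):
    """Parse the inventory into a list of dicts; a missing date means no signatures."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, installed, sig = line.split(",")
        hosts.append({
            "host": host,
            "installed": installed == "yes",
            "signature_date": date.fromisoformat(sig) if sig else None,
        })
    return hosts


def parse_events(text):
    """Parse event lines into dicts with date, host, action and threat name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, action, threat = line.split(maxsplit=3)
        events.append({"date": date.fromisoformat(day), "host": host,
                       "action": action, "threat": threat})
    return events


def indicators(hosts, events, today):
    """Compute coverage (deployed, up to date) and protection (blocked) indicators.

    Coverage is measured against the whole inventory, not only hosts with an agent,
    so an uninstalled agent lowers the percentage the same way a stale one does.
    """
    total = len(hosts)
    deployed = [h for h in hosts if h["installed"]]
    up_to_date = [
        h for h in deployed
        if h["signature_date"] is not None
        and (today - h["signature_date"]).days <= MAX_SIGNATURE_AGE_DAYS
    ]
    covered_names = {h["host"] for h in up_to_date}
    return {
        "endpoints": total,
        "deployment_pct": round(100 * len(deployed) / total, 1),
        "up_to_date_pct": round(100 * len(up_to_date) / total, 1),
        # Hosts needing action: no agent, or signatures older than the threshold
        "uncovered_hosts": sorted(h["host"] for h in hosts if h["host"] not in covered_names),
        "malware_blocked": sum(1 for e in events if e["action"] == "blocked"),
        "detections_not_blocked": sum(1 for e in events if e["action"] != "blocked"),
    }


def report():
    """Run the indicators over the constructed data for the fixed report date."""
    return indicators(parse_inventory(INVENTORY), parse_events(EVENTS), REPORT_DATE)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The indicators that matter for steering are the gaps rather than the totals: `uncovered_hosts` is the action list for the deployment step, and `detections_not_blocked` separates "the tool saw something" from "the tool protected us", which a raw count of recorded attacks does not.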

CISOs therefore need more than ever to use tools to manage cybersecurity actions within their companies. To this end, the Tenacy solution offers a set of features that enable security objectives and actions to be monitored in real time via dedicated dashboards.
