A well-known company gets its cyber security breached by hackers and people ask, “How could a company like that let this happen?”
Simple question with no simple answers. But one thing we know for sure is that achieving consistent cyber security can be a Herculean task, especially in the industries CyLumena serves: life sciences, health care and financial services.
CyLumena is a cyber security consultancy and integrated partnership within the SDLC Partners family, headquartered in Pittsburgh. Carl Kriebel, Managing Director, comes to the position with more than 17 years’ experience as a leading cyber security strategist for Fortune 500 companies.
“Two dynamics are coinciding that make it difficult for companies large and small to assure cyber security—the force of corporate cultures and the check-list approach many companies use in meeting cyber security regulations,” said Kriebel.
He emphasized that many corporate cultures have yet to adjust to the myriad of 21st-century cyber security risks that companies face. Often, they lack the manpower and the budgets to address the highly complex and ever-changing task of cyber security. Plus, they are more inclined to spend in areas that produce profits, such as business development or marketing, than to offset the burden of cyber risk.
Kriebel underscored that the check-list approach to cyber security barely gets below the surface of managing cyber risk. For example, a company may decide to meet certain regulations or frameworks, such as those published by the National Institute of Standards and Technology (NIST), but may not devote the manpower and spending needed to assess how well and how pervasively it actually meets these obligations. The same company may have 1,000 apps that require multi-faceted, multi-layered security, but may devote its available resources to securing only a subset of the higher-risk applications, leaving much of the remaining system and related infrastructure exposed to a potential breach.
For good reason, regulations force organizations to meet control requirements, but can be costly and burdensome to implement. Regulations are voluminous, complicated, depend on limited skillsets and are expensive and time-consuming to meet. “Our focus at CyLumena,” said Kriebel, “is to simplify this situation for the organizations we serve.”
According to Kriebel, CyLumena comes to clients with solutions to identify and implement controls that maximize benefit while managing ongoing operational costs. The goal is to offer a more focused approach with transparent outcomes that highlight an organization’s effectiveness at minimizing residual cyber security risk.
“We bring solutions to mature an organization’s cyber security capabilities in a cost-effective manner. Our focus is to work with organizations to determine the most impactful, risk-based investments they should be making,” he said.
Cyber security controls need to be pervasive and layered throughout an organization’s operating infrastructure to make sure system vulnerabilities are identified, prioritized, remediated and monitored.
According to Kriebel, the key is to hold business owners and engineers accountable for the systems they manage by providing leadership with consistent visibility into the organization’s residual cyber risks. For most organizations, this requires a significant cultural shift and may even mean redesigning the organization’s governance structure to avoid conflicts of interest.
The philosophy is that security experts must do better to build the trust of their organization’s leadership. In doing so, improved dialog can occur to assure that future security investments are directed to the areas of greatest concern and to decrease the likelihood of a major breach.
To surmount such risk deficits, CyLumena is developing a methodology that enables companies to prioritize the controls that most improve an organization’s security posture. “Our methodology,” Kriebel said, “focuses on determining control effectiveness to identify residual risks and on applying a weighting score that incorporates considerations such as impact, likelihood, dependencies, data sensitivity and the like. The lower a company’s residual-risk score at the end of a reporting period, the better. The outcome may result in recommendations to shift investment from one tool or process to another to improve a risk posture.”
CyLumena plans to use its methodology to calculate a score so that clients can focus their investments on areas that yield the most cost-effective controls for their cyber-risk profiles.
As Kriebel sees it, ongoing changes in a business can serve as a catalyst for progress in a company’s risk-management system. CyLumena’s approach, combined with its use of lean principles, helps organizations respond in a timely way to the ongoing changes that affect their cyber security systems.