Minus the white lab coats, cybersecurity professionals look a lot like healthcare professionals. Both are passionate about helping others recover from serious threats to their well-being. Both rely on diagnostics, triage and testing. And both believe in the power of prevention.
When forced to deliver bad news, medical doctors often see patients respond with seven stages of grief as they come to terms with their ailments. Cybersecurity professionals witness the same reactions to difficult diagnoses. Some people refuse to believe cyber incidents could affect them; others become angry. Still others are ready to accept the reality of the risk.
In my years of working with organizations to help identify and mitigate risk, I have identified a continuum of responses, or what I like to call the Seven Stages of Cybersecurity Grief. At the end of the day, anyone responsible for securing their company’s assets will likely need to walk their leadership through each of these stages on the road to maturity.
Shock – “The SolarWinds and Microsoft Exchange hacks prove nation-states are out to get you.”
In this initial stage, people feel nothing is sacred anymore. They gravitate toward sensational news articles about enterprise-level breaches, nation-state attacks or someone’s pacemaker being manipulated from across the world. While such stories may be true, their tremendous shock value leads people to believe they are rare occurrences against a select tier of victims.
These attacks should be taken seriously, but the reality of how to respond is far less exciting than secret agents hovering over laptops in a high-tech basement. You just need to build a program that takes care of cyber issues as part of your daily operations.
Denial – “I’m too small to matter to cybercriminals.”
Since headlines about cybersecurity incidents at high-value targets are intended to shock, most people do a quick mental comparison. For example, a smaller regulated technology provider comparing itself with a large IoMT (internet of medical things) vendor will often assume it is a low-value target for attackers and auditors. The thinking goes that cybercriminals target larger organizations because they are more lucrative, and that HIPAA, CMMC, or PCI auditors only target major players for compliance audits. Leaders in such organizations consider their own businesses too insignificant to be in real danger.
Attackers and auditors don’t discriminate by size.
This is quite contrary to the way cyber-attacks work, especially when it comes to malware or ransomware attacks. Midmarket and small businesses are actually far more lucrative for hackers because they tend to have fewer security controls to navigate. As for audits, some may be surprised to learn that oversight bodies like the Office for Civil Rights (OCR) often use fines from the previous year to fund larger audit teams for the next year. OCR has a stated goal of expanding its capacity to audit everyone subject to HIPAA compliance, regardless of size. Organizations that have been “checking the box” on their cyber insurance forms or signing BAAs without internal follow-through may find themselves disorganized, frustrated, and burdened by heavy fines when the audit inevitably arrives.
My advice for anyone who thinks they’re too small to be a target? Educate yourself by reading and talking to people with cybersecurity and compliance experience. This may give you more understanding of why organizations like yours should be building strong programs (though it also may have the effect of moving you into stage 3, anger).
Anger – “How dare you ask me for my cybersecurity policies or compliance attestations. This is an invasion of my rights.”
This kind of response is commonly known as shooting the messenger. People in the anger stage of cybersecurity grief are upset about regulatory requirements, which they think are a racket. When PCI 4.0 is released, these will be the people who grouse about how the requirements are unfair and require too much work. Perhaps they’ll also criticize the CMMC board as a profiteering endeavor that hurts the small guys, rather than approaching the new framework as a necessary way to standardize security for companies that want to do business with the US Government.
They might even balk when a would-be client or partner requests copies of their cybersecurity policies and attestations. In the vendor reviews we perform at TRUE, we raise a red flag when such requests are met with refusals, run-arounds or indignation. This signals an organization’s need to grow in its understanding of what it means to have a cybersecurity and compliance program. As cybersecurity professionals, it is incumbent upon us to expect some anger. Our job is to ferry clients across that river of wasted emotional energy and address the issue at hand.
Bargaining – “We have a security problem. Just put everything in the cloud and let the cloud provider handle it.”
These organizations are willing to invest in a solution here and there, which I refer to as the “blinky box” scenario. They want a silver bullet that will solve problems or shore up gaps with a single technology or added team member, but never really invest in building an internal security program that embeds security into the fabric of their systems and culture.
Is a blinky box going to solve all your problems?
The solutions they purchase (or person they appoint) are likely to have unrealistic expectations placed on them. Often, they are expected to fix or prevent every attack or vulnerability single-handedly. Though this stage can be a good starting place because it elicits action, there is a tendency to simply see cybersecurity as a line item in a budget, and believe that by spending once or twice, one can attain instant maturity.
There are indeed some impressive solutions out there, but to truly mitigate risk, more effort needs to be undertaken in an ongoing way. Security needs to be architected into systems, and there is so much more to it than just purchasing a single solution. Cybersecurity professionals can help shepherd organizations past one-off solutions along their path toward acceptance.
Depression – “My security spend went up last year, and I still don’t have a definitive answer to our overall security posture. Where’s my ROI?”
This stage tends to surface when you submit a request for the next round of cybersecurity spending, and it becomes evident that you don’t have any security metrics to justify the spend. It could be that last year, you invested in network protection, but this year you realize you also need endpoint monitoring, and no one knows how much you moved the needle on your network security.
Leadership will want to understand how much of the problem has been solved, and how much is left to remediate. If part of your spend was mistakenly justified as the single solution that would fix everything, you’ll regret your bargaining in the previous stage. Additionally, both you and your leadership may be frustrated by the sheer number of vendors you now have to manage to mitigate risk...and the list is probably still growing.
Like bargaining, depression is a very workable stage. It generally means you have implemented some solid layers of security, and that your organization is beginning to take cyber risk seriously. As frustrating as it may be to have not fully “arrived,” you are well on your way. This is where you can begin looking at ways to streamline processes, simplify compliance documentation, ease audit burdens and consolidate vendors.
It’s a stage priming you for improvement.
A great resource for anyone in the depression stage is to go through the NACD Cyber Risk Oversight handbook and/or certification program. This will help you find ways to quantify your risk, quantify progress, and begin speaking the language your leadership needs when contextualizing your budgetary requirements. They want to see exactly how certain risks stand to impact the business, in numbers. Once you get on the same page about the data, you are likely to see quick progress and alignment of goals from the top down.
Testing – “Don’t promise me the moon. Just build me a program with realistic solutions.”
Now that you have a growing security program, you are critically evaluating solutions for efficacy, rather than just taking a vendor’s word for it. This is where you begin testing everything you have to seek validation for existing controls and identify gaps. This may look like a penetration test or a new vulnerability management program, but it could also look like a full-blown risk assessment or certification.
What you want to understand in the testing phase is what’s really working, what isn’t — and what steps to take to reach maturity.
You aren’t looking for a blinky box that will fix everything, because you recognize that security is not a technology issue – it’s a business issue.
Acceptance – “Cybersecurity is a risk to manage, not a problem to solve.”
Once your organization reaches the acceptance stage, you have a coordinated security and compliance program. You either have or are seeking to establish an internal or external 24/7 security operations center (SOC) to monitor and remediate the cyber events you now know are inevitable. These leaders aim to catch, stop and address attacks before they become breaches, because they have no misconceptions about being the one company in the world that will never experience a cyber-attack.
With internal managers in place to coordinate security and compliance strategies, these organizations are focused on improving communication across teams and moving the needle year over year. Additionally, they are prepared to regularly validate existing security controls, recognizing that from time to time they will uncover gaps, simply because businesses evolve and introduce new risks.
At this stage, you are making serious headway on the road to maturity and can confidently assure your leadership that the organization’s information and technology assets are under constant evaluation and protection according to the CIA triad: confidentiality, integrity, and availability.
If you aren’t there yet, it’s okay.
No matter where your organization falls along this continuum of cybersecurity maturity stages, or what we like to call the Seven Stages of Cybersecurity Grief, take heart. There is always room for growth.
If you would like to talk with someone who can guide you through the most effective next steps and help you build a custom cybersecurity and compliance roadmap to get you there, feel free to request a consultation with one of our experts. We are always happy to help.