Cyber Priorities: 6 Cybersecurity Investments You Should Consider in 2022

Bringing in cybersecurity competency – the capabilities provided by a chief information security officer (CISO) – should be your first investment, before you decide on or make other technology investments. In some cases, the recommendation to appoint a CISO comes directly from regulatory guidelines.⁴

Not to be confused with technology competencies, your CISO should have the knowledge to establish a foundational cybersecurity program, confirm compliance and adhere to regulatory guidance and industry best practices. Critical functions of the cybersecurity competency include conducting risk assessments, aligning your cybersecurity strategy to risk assessments, understanding and interpreting regulatory prescription, directing resources in the appropriate way and advising your executives on security matters.

Despite its importance, a full-time in-house CISO is not always possible or practical. Your organization may not have the financial resources — or the need — to source a full-time CISO, and if you do, you may find it difficult due to the cybersecurity workforce shortage and competitive staffing environment. When that happens, outsourcing in the form of a virtual CISO (vCISO), CISO as a service or a fractional CISO is a smart alternative.

Engaging a vCISO offers your company numerous benefits. It’s more cost-effective than a full-time in-house CISO, which can cost you an average of $227,000 per year.⁵ It provides geographic flexibility, a consumption-based model and a broad range of expertise and capabilities. And it allows you to dramatically accelerate security program maturity, improve compliance and reduce the risk of threats as well as the risk of fines and penalties.

A cyber risk assessment is a key investment, as it is the starting point in developing your cybersecurity framework. There are several types of assessments, such as NIST Cybersecurity Framework, NIST 800-53, NIST 800-171, Cybersecurity Maturity Model Certification (CMMC), New York State Department of Financial Services, (NYDFS) and more. These assessments are designed to identify your gaps for different types of risk exposure, providing answers to fundamental questions such as: 

• What assets do you have, including data, devices, cloud and on-premises infrastructure, software and networks?
• Who would want them?
• Where do the assets live, how do they interact within specific workflows and how do they move through the organization?
• What business processes depend on those assets?
• What threats could impact those assets and how likely are those threats?
• Who touches the assets, including third-party providers?
• What would the impact be if the assets were lost, unavailable or compromised?
• How are you protecting the assets?
• Where are the gaps in protection?
• What risks do your third-party vendors pose?

Conducting a comprehensive cyber risk assessment offers both immediate and long-term benefits. It enables risk-based prioritization and decision-making, ensuring the best use of your cybersecurity resources from the outset. It prevents over- or under-engineering your security solutions, and it can directly inform mitigation strategies and incident response planning. 

While timely execution of your risk assessment is critical, bear in mind that remediation doesn’t have to wait until the assessment is complete. Areas of high risk that are identified can and should be addressed along the way.

It’s hard to understand the true potential of a cyberattack until it happens to you, but today’s reality is that a small or midsize organization can be shut down by a single cybersecurity attack.⁶ Unfortunately, many small and midsize businesses lack the security expertise or budget to implement 24/7 monitoring and detection, and many lack the tools to monitor and detect malicious activity across their infrastructure. If this sounds like your organization, Managed Detection and Response (MDR) could be the answer. It’s an affordable and highly effective way to get access to the same security operations center (SOC) capabilities that large enterprises enjoy.

MDR services should include:

• High-fidelity, 24/7 monitoring, with 360-degree visibility into networks, logs, endpoints and cloud infrastructure
• Artificial intelligence, machine learning and global threat intelligence integrated with human threat hunting and intervention 
• The ability to immediately and seamlessly transition from monitoring to response, with the expertise and capabilities to quickly contain and eradicate threats

Augmenting the capabilities and capacity of your security team with MDR is a smart cybersecurity investment for small and midsize businesses. MDR enables you to: 

• Stop security incidents through proactive, around-the-clock detection and response
• Reduce the time it takes to respond to emerging cyber threats, helping minimize the business impact of an incident
• Decrease time spent on false positives while helping avoid the dangers of alert fatigue
• Protect data and assets and improve compliance across the organization

Incident response planning is a crucial investment because there’s simply no way to prepare for and prevent every possible attack. Successful incident response planning can help your organization identify, prevent and respond to business disruptions and avoid millions in losses. 

Effective incident response planning reflects specific scenarios that are relevant to your organization, including those identified during your risk assessments. It engages cross-functional teams in hands-on plan development, exercises and testing, including the executive team, technical teams, forensics, human resources, legal, finance, employee communications, public relations, suppliers, partners and customer service. The goal is to create a situation where you can get the right people in the right place at the right time to receive critical information and make the best decisions.

Your incident response plan should also prepare you to comply with the legal obligations that arise in the aftermath of a cyberattack, especially to individuals affected by the incident, state attorney generals and other regulatory bodies. If it sounds like a tall order, keep in mind that many small and midsize organizations often need outside help getting incident response planning off the ground. 

An experienced cybersecurity partner can help you simplify the process, leveraging their expertise in the development of an initial plan that covers these components and more: 

• Response preparation
• Incident detection and identification
• Threat containment 
• Threat eradication
• Operational recovery
• Learning and plan validation

You can quickly and dramatically reduce your attack surface by investing in a handful of tactical security solutions, including: 

• Multifactor authentication – an authentication method that research shows can protect against 99% of account attacks⁷
• Domain controller protection – a personalized mix of strategies such as remote desktop protocol controls and Server Message Block protection
• Mobile disk encryption – automatic hardware-based encryption that protects data on mobile devices
• Next-generation antivirus software – algorithm-based programs that use heuristics instead of relying only on threat signatures to provide protection from viruses

You can also quickly assess and address your vulnerabilities at any point in time by investing in penetration testing. Research shows that 1 in 3 cybersecurity breaches are caused by the exploitation of an unpatched vulnerability.⁸ But pen testing allows you to test for common configuration issues, identify flaws not easily discovered by automated tools and evaluate the effectiveness of your security controls. 

Just remember that relying on pen testing alone can leave you vulnerable during the time in between, but you can proactively mitigate risks between pen tests by investing in an ongoing vulnerability management program. Robust vulnerability management should include comprehensive vulnerability scanning and classification of vulnerabilities, detecting and prioritizing findings related to unpatched systems and misconfigurations, and verifying any misconfigurations and confirming there are no legitimate business reasons for them.

Employees are the first line of defense, and when it comes to sophisticated social engineering, phishing and ransomware attacks, sometimes they are the only line of defense. A recent study reveals that 88% of data breaches are caused by user error. Nearly half of the respondents surveyed said they are “very sure” or “pretty sure” they have made an error at work that could lead to a security issue.⁹

Add to that the fact that nearly 90% of organizations in a recent global survey were targeted with business email compromise and spear-phishing attacks in 2019, and you can see that employee security awareness training is no longer a “nice to have” in the security budget.¹⁰ It’s now mission-critical. 

Effective user awareness training is an investment that has been proven to help our clients prevent cybersecurity breaches and the downtime and costs associated with them. Security awareness training provider KnowBe4 has reported that, pretraining, 31.1% of users are prone to phishing attacks. After 90 days of ongoing training, that number comes down to 16.4%. After a year of ongoing training, the number comes down to 4.8%.¹¹

What makes user awareness training effective?

• It’s comprehensive, accessible, consistent, engaging and ongoing
• It measures security knowledge and awareness and tracks changes over time
• It provides real-world testing through routine simulated attacks