If 2017 had anything to teach us, it was how critical cyber security has become for organizations. For many executives cyber risk is now a top concern, and that concern flows downstream to the small and medium sized businesses they work with. As cyber security has grown in relevance, a deluge of consultants offering IT security services has entered the market. Thankfully, the issues in cyber security often stem from people and processes, not only technology, and no one is better suited to take advantage of that than management consultants. A cyber security expert can usually discuss technology with ease, but management and people tend to be treated as vague, shallow subjects. Management consultants have the most experience in reorganizing companies to meet a developing need in the market; in this case the need is cyber security and cyber risk mitigation. As a consultant you likely already have some form of digital or IT offering for clients, but new opportunities keep presenting themselves as the topic grows in relevance.
Properly Framing The Threat
Cyber security as a topic typically conjures up the image of a group of hackers trying to break past a company's defenses for the grand prize of its data. This image is reasonable but outdated, since cyber threats have never been solely a question of how strong your perimeter is. Instead, cyber threats continue to be driven primarily by negligent and malicious insiders: people with authorized access to sensitive data. Processes that are optimized for efficiency while cutting corners on security add to that risk exposure.
When engaging potential clients to discuss cyber security, frame the conversation around insider threats. Insiders are trusted people, but people have their own agendas and motivations, and those can change over time. If financial difficulty becomes an issue, a once trusted person can turn to other activities to make more money. Those are malicious insiders. There are also negligent insiders, who pose a threat by being reckless: if an employee opens an email from an unknown sender and it exposes the company network to malware, that negligence has just cost the company a great deal of money.
Discussing insider threats opens up many areas of conversation the client is already familiar with: suspicious behaviour, fake emails, access issues, incident response, cyber risk, and a wealth of other issues. The insider threat is about human behaviour and motivation, which is exactly what managers are used to organizing toward a specific end.
This brings us to the other side of cyber risk, which is about processes. Processes are often developed under a specific set of conditions and then carried on after those conditions no longer apply. When such processes are consciously optimized, managers will often cut corners on security for the sake of productivity. Decisions like these increase an organization's exposure to risk. If you can discuss the vulnerabilities in a client's processes and how those vulnerabilities increase the client's exposure to insider threats, you will have their interest.
Focus your framing on people and processes; these are things your clients can have a full conversation with you about. If technology is discussed, make sure it is integrated into that discussion of people and processes. Your goal is to frame cyber security as a problem that management can be part of solving.
Alignment & Integration
The standard of cyber security in most organizations is very low right now, while the threats remain high. What often happens is that cyber security consultants take over the security function on management's behalf without really understanding how to involve management in the process. This works to the consultant's benefit, since clients now depend on them to maintain their security, but it is not how organizations stay secure, because it makes technology the entire solution to cyber security. This is where management consultants can truly take the lead.
Cyber security is about resilience, and resilience requires security to be fully integrated into the company. Management should understand that cyber security starts with the company's management and data governance. That means a critical examination of policies, controls, processes, data flows, and people throughout the organization. Security means that managers understand what is happening in their organization. When managers offload the security function onto a single department, nothing in the organization changes except the technology, and security is left on the sidelines. As a consultant you should understand the frameworks for organizational cyber security and help managers implement one. One of the most widely adopted in the United States is the NIST Cybersecurity Framework.
Supply Chain & SMEs
In the last few years, large organizations with a very generous amount of security investment have still been attacked. Much of this can be attributed to vendors in the organization's supply chain or the suppliers it works with for services. Two of the most prominent cases, M.E.Doc and Target, are excellent examples of how poor cyber security at a small business can result in attacks on much larger institutions. In Target's case in 2013 it was an HVAC vendor based in Pennsylvania: the vendor's systems were compromised by cyber criminals, who then used the vendor's access to Target's network to breach Target's own systems, a data breach that cost Target $202 million to recover from.
In the case of M.E.Doc, a small accounting software vendor, the cyber criminals compromised the software updater that all of its clients used. NotPetya spread to each client's network through a software update, and the impact reached large organizations such as FedEx and Maersk Line. In another case, a single small cloud service provider that was hacked caused hundreds more organizations to be infected with ransomware.
These two cases show how a vendor in your client's supply chain, or one of its service providers, can cause your client to suffer a severe data breach. Thankfully, you can work with clients to integrate cyber security controls and measures into a vendor management program. Management consultants should treat this as an opportunity to work not just with a large organization but also with that client's suppliers. By working with the small and medium sized enterprises in the supply chain, management consultants can help provide a much more resilient environment for their larger clients.
Expanding on Known Tools
One of the largest opportunities for management consultants exists in developing new tools for others to use. Some well known tools, such as the Balanced Scorecard, can be adapted for use in cyber security. Other tools and methodologies that can be adapted include benchmarking, Porter's Five Forces, and core competency assessment. Each of these can be extended to cover cyber security business alignment, framework maturity, and positioning. These tools need an update to match the dramatic economic and technological shifts in today's world, so why not be the consultancy that builds on the management tools everyone already uses? We will discuss a few ideas to get you started in coming articles.
Management consultants have the opportunity of a lifetime when it comes to cyber security. The threats are always evolving, but the methods of keeping a network secure have not changed that much. Many companies need to get their cyber security in order under pressure from stockholders, buyers, and policy. Here management consultants can make sure that cyber security becomes integral to the entire firm rather than an isolated job for IT to handle. Learn more about Teramind.