Cybersecurity expectations are vague, and that has to change if organizations are to have any chance of achieving a reasonable level of security.
An IT axiom, “Do you know where your data is?” has been eclipsed by something more accountable: “Is your data reasonably secure?” That’s what companies have to determine to protect themselves in the event of a cybersecurity attack.
“With data breaches making daily headlines and hackers developing innovative methods to penetrate cyber defenses, businesses must contemplate what ‘reasonable-security’ posture to implement for when—not if—a threat occurs,” said Rick Lazio, former member of the US House of Representatives and senior vice president of Alliantgroup, and Mike Davis, CISO of Alliantgroup, in their CIO Dive article “Cybersecurity Risk: What does a ‘reasonable’ posture entail and who says so?”
Laws are in place, but …
Lazio and Davis said lawmakers and regulators are responding to the escalating number of cyberattacks by requiring businesses to meet certain cybersecurity standards to achieve reasonable security. However, “Without a defined, coherent standard to use as a reference, companies are left wandering in the wilderness when it comes to compliance with these often ambiguous laws and regulations.”
Since cybersecurity and its regulation are moving targets, companies tend to copy what other organizations are doing to secure digital assets, hoping it will be seen as good enough. Lazio and Davis have real concerns about this approach, adding, “With data-breach litigation increasing, this practice is nothing short of risky as businesses are allowing a judge or jury to determine the reasonableness of its cybersecurity risk posture after an incident has occurred.”
The two authors cite the 2017 Equifax data breach as an example of why it’s a bad idea. After the dust settled, shareholders sued the…