
Why Your Firm Needs Defense-in-Depth (DiD) Cybersecurity in 2023
The list of companies that experienced cyber breaches in 2022 reads like a Who’s Who of global brands: Apple, DoorDash, Facebook, Marriott, North Face, Toyota, Twitter, Uber, Verizon – the list goes on and on. These days, no business is immune to cyberattacks.
The leading indicators of cybercrime evolve over time, but right now the top three, according to Gartner, are:
Each of these threats calls for a multi-pronged response. Taken together, they involve such complexity that they require renewed focus on a proven but often-overlooked strategy: defense-in-depth (DiD) cybersecurity. Here’s why you need DiD in 2023 – and how to make DiD work for your firm.
Defense in Depth (DiD) for Your Cyber Team
DiD is an approach to cybersecurity that applies a portfolio of policies, practices, and technologies to optimize the integrity of your networks, the availability of your systems, and the confidentiality of your data.
DiD acknowledges that there’s no single solution to cybersecurity – and that complete elimination of cyber incidents isn’t realistic. Instead, layers of protection work together to meaningfully reduce cyber risk. In the face of cyberattacks, what one layer fails to deflect, another blocks, ensuring that your data remains protected.
For your IT department and cyber team, that means deploying the most effective cybersecurity technology. But simply throwing technology at the problem can become an expensive and ultimately ineffective tactic. Instead, start with a cybersecurity framework that dictates the policies, procedures, and technologies your firm requires to meet your unique needs.
The Center for Internet Security (CIS) offers a set of critical security controls that can help you prioritize your cyber defenses. That includes proper configuration of existing systems and protections to help you get the most from current investments. Crucially, the CIS controls enable you to score protections for a quantitative approach to security.
From a technical perspective, virtually every firm requires these DiD layers:
Cybersecurity training – An incredible 82% of data breaches involve human error, misuse, or social engineering, according to the Verizon 2022 Data Breach Investigations Report. That makes training an essential part of your DiD strategy. In particular, phishing training, testing, and reporting can significantly reduce the risk of social-engineering attacks.
DiD for Business Decision-makers
Business decision-makers should approach DiD somewhat differently than their IT counterparts. If you’re setting strategy for how cybersecurity will drive business continuity, enable regulatory compliance, safeguard customer information, and sustain your firm’s reputation, think about DiD in terms of overall risk management. With these factors in mind, your DiD layers should involve:
Risk assessment and management – You need a clear understanding of external threats and internal weaknesses to understand how cyber risk affects your firm. Perform regular vulnerability scanning, cyber-control reviews, and other cyber risk assessments, and then prioritize remediations based on your risk profile.
Policy reviews and updates – You can’t protect sensitive data, comply with regulations, and ensure business continuity without first establishing clear policies. And because cyber threats and business goals change, you need to review and update those policies regularly.
Vendor risk management – Suppliers and business partners can be a source of cyber risk. Conduct regular assessments of vendor risk, categorize vendors accordingly, and work with partners to address weaknesses.
Incident response planning – No matter how strong your cyber defenses, attacks can get through. You need a plan for responding to incidents and minimizing the fallout. Conduct real-world tabletop exercises so that you’re prepared to respond to events such as malware attacks, network breaches, or data theft.
Ultimately, DiD helps you approach cybersecurity in a holistic way. Prioritize your DiD efforts by identifying your most crucial IT resources and your biggest security gaps. You can then strengthen protections incrementally, maintaining metrics to prove to regulators, customers, and yourself that you’re making progress.
Smaller firms can find DiD daunting, and even large, mature firms recognize the value of expert guidance. A growing number achieve DiD through managed security services – including outsourcing the chief information security officer (CISO) role. CISO as a service can enable your firm to consistently and cost-effectively achieve DiD cybersecurity – while focusing your resources on serving customers and achieving business growth.