Aberdeen’s Derek Brink is a renowned cybersecurity analyst and Harvard adjunct professor who specializes in assessing and communicating risks in information security. As an experienced cybersecurity professional, Brink has observed that many organizations are allocating significant resources to cybersecurity, yet the results of those efforts are often unclear. In this Research Meets Reality video, Peter Tsai, Head of Technology Insights for Spiceworks Ziff Davis, takes a deep dive with Brink into his teachings at Harvard, his work with Aberdeen, and the overall cybersecurity landscape today.

This article will:

  • Recap conversation highlights from the Research Meets Reality episode
  • Share Brink’s insights on the challenges facing the cybersecurity industry
  • Provide recommendations on how organizations can improve their security posture

The Challenges Facing the Cybersecurity Industry

Brink notes that while there are numerous regulatory compliance requirements for data security and privacy, attackers are still outperforming defenders. Data breaches continue unabated, with over 9,000 public disclosures between 2015 and 2019. Brink believes that to earn a passing grade in cybersecurity, organizations should be able to demonstrate that their increased investments and compliance requirements have actually resulted in fewer incidents.

The Language, Measurement, and Communication Problems

Brink’s class attracts professionals from around the world, most of whom are in technical roles and want to expand their knowledge and advance their careers. Brink notes that most of his students enter the course with some professional relationship with risk, but quickly realize that they do not think about risk properly. He attributes this to three problems: a language problem, a measurement problem, and a communication problem. Brink believes that organizations need to learn how to bridge the gap between subject-matter experts on technical matters and the senior business leaders who generally own the risks and control the budgets.

The Effects of Security Failures and Their Causes

As an analyst, Brink studies the effects of security failures and their causes. The industry has greatly benefited from information sharing, including the annual Verizon Data Breach Investigations Report (DBIR), which has shown that the majority of data breaches begin with phishing attacks and compromised user credentials, leading to unauthorized access to sensitive data. Brink notes that the industry still has a measurement problem with respect to the cost of a data breach, as the widely cited “cost of a data breach” study is not very helpful beyond click-bait for B2B marketing. Brink cites a study by Cyentia as the best work he has seen in this regard.

When asked which specific technologies make the biggest difference in reducing an organization’s risk profile, Brink says that this question has been something of a Holy Grail for the cybersecurity industry. He cites the “Top 20 Critical Security Controls” list, managed by the Center for Internet Security (CIS), which is currently at version 8. Brink takes a slightly more abstract view, thinking in terms of higher-level “capabilities” rather than specific technical controls. In his view, organizations need to focus on knowing their assets, understanding the threats and vulnerabilities, reducing the attack surface, securing their networks and endpoints, detecting and responding to attacks, and educating their workforce.

The Importance of a Holistic Approach to Cybersecurity

Brink’s expertise in cybersecurity has helped organizations bridge the gap between technical expertise and business leadership. He believes that organizations need to learn how to measure risk properly and communicate it effectively in order to demonstrate the value of their cybersecurity investments. Brink’s insights on the language, measurement, and communication problems facing the industry provide a blueprint for improving the cybersecurity posture of any organization. By focusing on higher-level capabilities and implementing the top 20 critical security controls, organizations can effectively reduce their risk profile and prevent cyberattacks.