Asset management: Find value in cyber spending

One of the most pressing priorities today for asset management firms is finding ways to capitalize on artificial intelligence capabilities, including generative AI, to streamline business processes, provide more customized information to investors and even to inform more successful investment strategies.

There’s pressure to implement AI quickly, as competitors are also racing to take advantage of the technology.

“Everyone’s at different stages, but relatively few have actually done the full data assessment and integration,” Sheehan said. “You need to understand that this can impact your data privacy as well, especially if you're subject to data privacy regulations.”

Organizations need to understand where data resides, what restrictions should apply and what the priorities are for the business. This is important not only for security, but also for programmatic efficiency. Sheehan recalled one organization that chose not to do a data assessment because it deemed the assessment would be too expensive at the time. “I watched them spend about 10 times that amount over the next few years, protecting everything instead of putting things into categories and protecting the right information. It’s actually a huge way to save money — to know what you have, know where it is, know where those data points come together.”

Manage your system assets

Effective management of your system assets can enable quicker cybersecurity incident analysis and response, while helping to reduce costs.

“Asset management, while not a cyber function, is key to cyber success. Not everything that improves your cybersecurity has to come from your cyber dollars,” Sheehan said. Asset management tools provide insight into your number of users, assets and other accounts. “It makes sense to reduce the unused accounts, assets and devices, which can reduce your software licensing costs — and your attack surface.”

The more assets and accounts you have live, the more targets for a cybersecurity attack. Unused accounts can be especially dangerous, since new activity might go unnoticed. It’s also important to know where you have old systems or software. “Fairly often, teams will find a threat and release a fix that works for recent versions, like Windows Server 2019 and newer,” Sheehan said. “But what about Windows 2016 servers? How many of those do you have? Or, how many iPhones have access to your environment that are on Version 16 or lower? What system would you have to figure that out?”

Most organizations ultimately need to track a range of various assets and platforms, including various versions — and Sheehan said this diversity can be a good thing. “One answer for asset management is to try to deploy the same device to everybody. But nature usually don’t like a monoculture, and bad things can happen when there’s no diversity. If you have only one operating system, and ransomware or other malware infects that, you may not be able to get into your other SaaS-based tools at all. You may not be able to manage it.”

Sheehan said that a diversity of roles can help improve your cybersecurity, too. “Having different people looking at cybersecurity from different perspectives, seeing different aspects, is fantastic.”

People management

Since everyone plays a role in cybersecurity, it’s important to manage those roles.

“Almost everybody in an organization deals with some relatively sensitive information, to one degree or another,” Sheehan said, including:

• End users: The vast majority of employees interact with sensitive information on a daily basis.
• Executives: Leaders are at a higher risk for phishing, since they are often considered  the most likely targets (“MLT”).
• Developers/clinicians/sales/HR/Finance/Internal audit: These teams are outside of cybersecurity but have a special duty to protect sensitive information.
• IT staff: IT admins have privileged-access accounts that can potentially halt business operations.
• Cybersecurity teams: Apart from operations, these teams also include architecture, policy/governance, identity/access management, privacy, and third-party risk.

It’s important to understand the full scope of an employee’s access, because with access comes the potential for mistakes. In a recent Grant Thornton webinar, attendees indicated that accidental employee actions are actually their top cybersecurity concern.

Insights on this issue from other industries

ARTICLE

Asset management: Find value in cyber spending-->

ARTICLE

How hospitality can protect both data and value-->

ARTICLE

Get efficient cybersecurity in professional services-->

ARTICLE

Cybersecurity that drives value for tech companies-->

Providing information to investors about their accounts and returns is one of the most important duties that an asset management firm performs, and it can be a real differentiator. By presenting data in a visually pleasing way or providing the opportunity for deep dives on performance and possibilities, a firm can stand out from its competitors.

But if a cyber incident disrupts access to that information or permits nefarious actors to view that information, your firm may stand out in the wrong way.

Process alignment

A cybersecurity program can help drive business value by centralizing and coordinating processes.

“You need to have everything in the right place, everything coming together so you can see the big picture, have context for what's going on, and make good analyses of what's going on with what is risky and what is not,” Sheehan said. That might sound like an expensive endeavor, but it usually means coordinating existing activities both inside and outside of typical operations:

• Solution development: “We reduce risk by designing secure systems. You reduce cost by designing secure systems. You reduce both by considering security up front,” Sheehan said. Solution development and IT architecture and engineering typically approach solutions from the perspective of making sure they’re available, stable and providing service. Cybersecurity priorities are typically confidentiality, integrity and availability. These overlap, but they are not entirely the same, and it’s important to integrate security into the early stages of solution design and development.

• Solution procurement: The procurement and finance teams need to be coordinated with IT and cybersecurity, to help ensure that new purchases or contracts are aligned with an efficient cybersecurity strategy and support.

• Identity and access management (IAM): Your organization’s IAM might be managed by IT and audited by cybersecurity, or you might have another structure, but you need to centralize and monitor IAM information so that you can efficiently see if there are compromised accounts. You also need to reduce your attack surface by decommissioning accounts or systems when appropriate. “Please also remember, as you're reducing that number of users, to always have a break-glass function,” Sheehan said. “You need a way to get back in, in case other things happen with your IAM system. And your system should alert you if that account ever gets used.”

• Governance: The policy and governance teams have a risk management strategy that should be informed by, and coordinated with, cybersecurity needs. Data retention standards, for instance, need to be aligned with the right minimum and maximum timelines that allow for effective and efficient cybersecurity. Policies can also be important to help direct and authorize the organization’s actions. As your employees, contractors and other collaborators gain access to new technologies and solutions, make sure that you have policies in place to address any activities that put your organization at risk to authorize the appropriate action.

• Internal audit: Internal audit should play a central role in assessing your IT risks, including your cybersecurity risks. The internal auditors usually start by evaluating the organization’s policies but, even when policies exist, they need to go further to ensure that they are being followed.

• Training: Training can be at the center of driving cybersecurity hygiene, across the organization’s workforce, in an ongoing way. “That human firewall is important — make sure that people have an idea of what to do,” Sheehan said. “You won't stop every click, but you want to make sure they understand the threats and have an awareness.”

“You won't stop every click, but you want to make sure they understand the threats and have an awareness.”

Even with effective cybersecurity processes in place, a growing number of organizations continue to invest in cybersecurity insurance. These insurance providers typically require a number of cybersecurity controls to be in place. These controls can help identify issues that the organization might not have been monitoring, and compliance is usually tied to the cost of the insurance. So better cybersecurity can be directly tied to cost savings.

“One key piece is that whoever signs up for that insurance — the CFO or COO office — needs to communicate with the CIO, CISO, IT and cybersecurity teams about who has it, what it covers and the other details,” Sheehan said.

“Often, executives tell us that they have it, but others on the executive team don't know about it and have no idea what the coverages are.” It’s also important to note that policies might have preferred providers and might not cover work from other providers at the same level.

It can even be important to call your cybersecurity insurance provider in the midst of an attack. “They can often help negotiate with the attackers, especially if it's ransomware,” Sheehan said. “They can help negotiate that down because the insurer's paying it, so it's in their best interest.”

Effective process alignment can help you improve security while also saving costs. Plus, when a cybersecurity program can look at centralized processes, it can more effectively identify tasks that are standardized, repeatable and time-consuming. These can be excellent candidates for automation.

Automation

The growing complexity of cybersecurity for AI solutions and other evolving technologies has pushed some organizations to consider automation. Many have considered or implemented security orchestration, automation and response (SOAR) tools, but it’s important to recognize that these tools, or any automation, will still require some coordination and work from your teams.

“Be aware that automation is going to take some engineering resources,” Sheehan said. “That's not bad — it's just that you want to make sure you're doing a full cost/benefit analysis as you consider it.”

Well-planned automation can save significant cybersecurity costs over time. To analyze your opportunities for automation and plan the right approach, consider the following factors:

• Complexity: There will be process exceptions, architecture limitations, business requirements and other complexities that limit which processes are candidates for automation, so plan to analyze and understand those before you plan the areas to automate.
• Budget: Automation (especially an initial implementation) will typically require engineers, analysts or both. It’s important to budget for and allocate the right number and ratio of knowledgeable resources to achieve success.
• Customization: SOAR tools have significant potential, but they can require implementation or customization that you should anticipate in your planning. They also might require time to build a baseline of normal activities so that they can provide valuable feedback about anomalies.

The best opportunities for automation are often in the ongoing analysis of alerts or threats as they come in. From there, you can consider whether there are repeatable actions that are also candidates for automation.

“You can really make sure that the alerts which come up for humans to review are really the important things that are anomalous or take some fuzzy logic or complex correlations to evaluate,” Sheehan said. “That's what humans are good at doing. We can pick out and remember disparate things, and it can be hard to automate that.”