Many small and mid-sized defense contractors are concerned about the impending Cybersecurity Maturity Model Certification (CMMC) process, and more generally, about the ever-growing security requirements handed down by DoD.
While CMMC readiness is important, too little consideration goes to the bigger message that DoD is trying to send and that every defense contractor should by now have internalized: the defense industry needs to take security more seriously.
This was driven home in the Biden administration’s National Defense Strategy, released last month, which emphasized the criticality of defense industrial base security to DoD’s integrated deterrence strategy against China, Russia, and other adversaries. In other words, CMMC is just the beginning.
For defense contractors who want to break out of the reactive cycle of compliance-based security measures, there is a better way. Businesses should take security into their own hands by investing early in security risk management to grow their business, increase efficiency, and become secure and resilient.
What is Security Risk Management?
Security risk management is, in essence, a way of doing business. It means building the continual assessment of security risks (cyber, physical, insider, informational, etc.) and the mitigation of those risks into everyday operations.
In practice, this could be a very simple process, such as having a member of your executive team track the latest information on ransomware and ensure cyber insurance and backup plans are in place. It could also be as complex as employing entire teams to monitor dozens of cyber and physical threat intelligence feeds and managing large-scale programs to protect people, property, and information from any sort of harm.
The critical point is that security risk management, whether simple or complex, is different from security compliance. Compliance is about making sure certain security-related activities are completed so that the company can bid on government contracts. Self-attesting to NIST 800-171, getting ready for CMMC and ensuring you’re meeting National Industrial Security Program Operating Manual (NISPOM) requirements are examples of security compliance activities. They may make you more secure than you would be otherwise, but they’re not a substitute for security risk management because they’re fundamentally reactive, not proactive.
When companies already spend money on all these compliance activities, it may be difficult to understand why they should invest in instituting a security risk management process. Here are three good reasons:
Security risk management will facilitate your company’s growth and save money:
Many in the defense sector will be familiar with the software concept of DevSecOps. Short for Development-Security-Operations, DevSecOps is premised on introducing security earlier in the software development process. By building software with security in mind from the outset, developers avoid costly and ill-fitting security measures that must be “bolted on” to the software later in the process.
Defense executives can think of security risk management in a similar way. Most companies conduct the bare minimum of security activities through the early phases of their growth. As a result, they remain insecure for a substantial period and then must invest in costly and ill-fitting security risk management down the road.
For example, let’s imagine a hypothetical midmarket defense contractor: XYZ Defense. After five years in business, XYZ experiences a costly insider threat incident and decides to hire full-time security staff to prevent a recurrence. Once on board, the new team members find that security processes are in disarray, employees mishandle sensitive information, poor investments have been made in cybersecurity technology, and the executive team shows little interest in glaring security gaps. This situation will cost a lot of money and be very painful to remediate.
In an alternate universe, let’s say the XYZ Defense CEO decided in year one to invest a small amount of money and time in standing up a security risk management process led by the COO. By year five, this process has instilled in employees a sense of security responsibility, made security technology investment decisions easier, and fostered deep understanding and respect for security issues among the executive team. When XYZ eventually hires full-time security staff, the investment is made from a place of confidence rather than in response to an incident. The new employees find XYZ in good shape and only need to recommend small adjustments to keep the company on track.
Security risk management will ease compliance headaches and position you for more business:
We all know that winning prime contracts with the government or subcontracts with major defense firms requires security compliance. The challenge is that the government adds new requirements regularly and some primes are going even further – expecting their subs to meet security measures well in excess of compliance standards as a condition of onboarding.
This leaves small and mid-sized businesses in the defense sector in an endless cycle of compliance activities that eat into other resources or, even worse, freeze them out of potential business opportunities.
Building a security risk management process solves these problems. It will help your company anticipate new compliance requirements coming down the pike, make better decisions about when and how much to invest in services like CMMC compliance assessments, and avoid reactive investment decisions in response to a cold call or when you’re racing against the clock before a proposal deadline.
A security risk management process will instill prime contractor teaming partners with confidence that you are taking security seriously and won’t expose their assets to undue risk. It can also be used as a talking point in marketing and sales discussions to demonstrate to the government that your company takes your own security, and therefore national security, seriously.
Security risk management will reduce your risk of a breach when the threats are bad and getting worse:
If the prospect of reduced costs and more revenue isn’t enough to make you invest in security risk management, consider what your day might look like if your systems are locked down by a ransomware attack, one of your employees comes under FBI investigation for espionage, or your sensitive information ends up in the hands of criminals or foreign intelligence agencies.
ll, these scenarios are not only possible but increasingly common. 66% of organizations were hit by ransomware in the last year, according to Sophos. Bloomberg recently chronicled a major foreign espionage operation against GE and the resulting federal investigation. And U.S. counterintelligence officials claim that U.S. companies lose up to $600 billion every year in intellectual property theft to China.
These challenges are not resolved by being CMMC or NISPOM compliant and there isn’t a silver bullet technology to eliminate risk. As a reference point, look to the major primes. They don’t view corporate and cybersecurity through a compliance-first lens. They have security risk management programs in place to protect them from being hit by the Russians, Chinese, and other threat actors. These programs help them ensure compliance, but they also make them more secure and provide confidence to government buyers.
You don’t have to be at 5,000 employees or even at 50 employees to get started. Security risk management should be part of doing business on day one.
