5 Cybersecurity Approaches for Building More Resilient Companies
The Blackstone Portfolio Cybersecurity Team provides our portfolio companies with support to improve their cybersecurity practices. The team’s “Assess and Improve” strategy equips portfolio operations leaders with action-oriented reports that are current and easily understood by investment professionals. We are dedicated to helping our companies build resilience for the long-term and provide the insights and expertise to help them do so.
1. Focus on your highest-priority cyber defenses.
We get to know our portfolio companies to better understand who and what we’re up against when it comes to cyber-attacks. The recent uptick in ransomware attacks in the U.S. and abroad represents a substantial threat to businesses across the world, meaning proactive defenses are essential.
At Blackstone, we assess our portfolio companies and potential investments against a set of cyber practices that can help protect a company from an attack. Top priority needs vary by company, but our aim is to help companies mature their defenses with a phased approach. As a baseline, we recommend that companies compare their current security program to the recommended best practices in the 2021 White House Memo on Cybersecurity.
2. Actively use governance as part of your cybersecurity strategy.
Cybersecurity should be a priority at the highest level of the organization. We’ve found companies that regularly report on cybersecurity practices to their Board of Directors score better on our internal benchmarking metrics compared to those that do not, indicating better preparedness in the event of a cyber-attack. Our internal metrics are gathered through a standardized assessment intended to identify the extent to which a portfolio company is likely to have protections in place to prevent the most common cyber-attacks that result in financial losses.
3. Know your footprint.
We help our companies navigate cyber incidents and use lessons learned to educate others on the most common risks. A substantial number of incidents we observed in the past 18 months were driven by a single factor: a system without the latest security updates. Companies should continuously inventory their Internet-facing systems for misconfigurations or critical vulnerabilities and remediate those gaps quickly before they are found by an attacker.
4. Identify your lineup of outside experts.
Companies should identify key technical and legal experts and determine the response process before an incident happens. The first 24 hours after an incident are the most critical and can determine how quickly business operations can get back up and running. Getting the right experts on the scene as quickly as possible can help mitigate potential loss.
5. Benchmark your spend.
Getting the basics in place is rarely capital-intensive, and most protections can be put in place by properly configuring technologies companies already have. Executives should think about what parts of a security program to operate in-house and what to outsource. Smaller organizations, or those that are not technology-centric, can benefit from outsourcing to a managed security services provider. Organizations that are conducting M&A, have compliance requirements, or have a technology product that generates revenue should consider hiring for key roles in-house. In either case, companies should look for someone who is an accountable cyber expert and can set the strategy.
Mr. Mattina is the Deputy Chief Information Security Officer at Blackstone. Mr. Mattina leads Blackstone’s Portfolio Cybersecurity program, collaborating with investment professionals and Blackstone Portfolio Companies on cybersecurity matters. Prior to his current role, he managed operations, training and recruitment of a global team of the foremost information security experts within the United States Department of Defense. Mr. Mattina earned an MBA at George Washington University and graduated with honors from the Rochester Institute of Technology.