We must continue to develop and refine our approach to Cyber Risk Management to keep pace with an ever-changing threat landscape.
The 'murky' world of Cyber extortion is a lucrative business for attackers, and they are highly motivated.
What are the headline challenges for today's CISOs, or for those responsible for Cyber?
- Improving overall business resilience?
- Scaling security to match business growth?
- Adapting to new cloud-based business initiatives?
- Transforming traditional service models to be more effective and cost-efficient?
Upgrade Your Security & Risk Perspective
Cyber Security professionals often focus on the threats and breaches that dominate the headlines (Equifax, Marriott, Capital One, O2, British Airways, etc.) and not necessarily on those most critical to their own organisation.
A common example is Cyber security teams holding back cloud initiatives because of unsubstantiated cloud security worries. This exaggerated fear can result in lost opportunity and inappropriate spending.
These high-profile stories are full of doom-and-gloom scenarios. Yet, zero-day vulnerabilities accounted for approximately 0.4% of incidents (Gartner) in the past decade. The amount spent on trying to detect them is out of kilter with the actual risks they pose.
Being "reactive" will always be an inherent dynamic of the CISO role. But CISOs today need to make sure that their security programs and architecture have a bias towards being proactive.
CISOs must strike a balance between what is needed in a Cyber security program and the risks the business must take to move forward. Without this balance, opportunities are missed and the CISO becomes an expensive distraction in the minds of enterprise leaders.
That may be easier said than done. Digital disruption may be moving forward at increasing speed, but the core beliefs wired into our minds often are not. The first step is to reframe your mindset to succeed amid such disruption. This means changing the conceptual and/or emotional viewpoint from which you view a situation, placing it in a new frame of reference that fits the "facts" of your future market reality. Only then can you create a new context for change.
Build trust and resilience
Digital business has created a new ecosystem, one in which partners add new business capabilities and Cyber security complexities. The CISO’s vision for Risk and Cyber security must be based on an ecosystem that enables trust and resilience.
"The objective is to provide an ecosystem that balances the imperative to protect the enterprise against the resources, technology and budget needed to remain competitive."
Through 2020, 99% of the vulnerabilities exploited will continue to be ones already known to Cyber security and IT professionals at the time of the incident.
This is dependent upon CISOs’ willingness to adopt a new set of trust and resilience principles:
- Shift to risk-based decision making, and away from checkbox compliance
- Begin supporting business outcomes rather than solely protecting infrastructure
- Become a facilitator, not a defender
- Determine how information flows: don’t try to control it
- Become people-centric, and accept the limits of technology
- Invest in detection and response, and stop trying to perfectly protect the organisation.
Move with the speed of digital business
Embracing these six principles calls for CISOs to deviate from perceived Cyber security conventions and best practices.
"We need Cyber security that is adaptive everywhere, so that the business can take on risks that were considered too great in the past..."
Detect, Respond & Report
Scenario: The CISO of a large hospital system works in a highly regulated industry. He is responsible for the data of hundreds of thousands of patients, and protecting that data and complying with regulations is his top priority.
The CISO discovers that his hospital has been hit hard by a targeted phishing attack.
Systems are down and patient care is at a standstill. He is stunned. How, he wonders, could he and his team, all seasoned security professionals, be duped by the most common method of cyber-attack? And how could they let it paralyse their organisation?
The next morning, several members of the hospital's senior leadership team put these questions and more to the CISO and the CIO. The CISO explains that his information security team was short-staffed and under pressure to introduce several new technologies to compressed deadlines.
In other words, the team did not have the resources or time to keep pace with ever-shifting threats and trends. This left them unable to identify and protect against known vulnerabilities, which are the threats most likely to put an organisation at risk.
Organisations are struggling to keep up with the current threat landscape. Too many manual processes are in place, and Cyber security and Risk managers must wrestle with a lack of resources, skills and budgets.
Threat Characteristics Are Changing
- Attacks are increasingly "low and slow"
Apply lessons learned
- Address and patch known vulnerabilities
- Assess existing resources and ensure investment in an equal mix of detection and prevention solutions, such as the Edge Essential 8 and Black Swan for Keys & Certificate management
- Stay abreast of trends and understand their impact
- Utilise the Cyber intelligence data that is widely available from several respected sources
- If attacked, don’t blame
- One of the most important stages of incident response is to focus on root causes. Pointing fingers does not solve the problem. Apportionment of responsibility/blame can be addressed afterward
- Use anti-phishing behaviour management (APBM)
- This is a critical element of a people-centric security strategy
- Protect the email gateway
- Secure email gateway (SEG) vendors are increasingly incorporating defences against targeted phishing. The most effective are proxy-based and time-of-click analysis and filtering techniques, which re-check a link when the user clicks it rather than only when the message is delivered
- Isolate vulnerable systems
- Systems not yet affected by malware may still be vulnerable, and are often the ones relied on most. A useful temporary fix: Limit network connectivity when a breach or attack occurs
- Reduce reliance on static personal data
- Instead, increase reliance on dynamic identity data when engaging in identity verification to limit exposure to Equifax-like data breaches.
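The "protect the email gateway" item above mentions time-of-click filtering without showing what it changes. The following Python example, added here and not taken from the paper or from any SEG product, models the technique: at delivery the gateway rewrites each link to a signed redirector URL, and at click time the redirector re-evaluates the original destination against the blocklist as it stands at that moment. The gateway hostname, the MAC key, the phishing message and the blocklists are all constructed for the demo.

```python
"""
Time-of-click URL filtering, as a secure email gateway (SEG) performs it.

Delivery time: every http(s) link in the message body is rewritten to point
at the gateway's redirector, carrying the original URL and an HMAC so the
redirector only follows links it issued itself.
Click time: the redirector recovers the original URL, verifies the HMAC, and
checks the destination host against the *current* threat intelligence. A
link that was clean on arrival but reported as malicious an hour later is
therefore still blocked.

Example code added to the paper; hostnames, key, message and blocklists are
constructed for the demo and do not come from any real gateway product.
"""
import hmac
import hashlib
import re
from urllib.parse import quote, urlparse, parse_qs

REDIRECTOR = "https://click.gateway.example/r"   # assumed gateway redirector
SECRET = b"demo-only-key-rotate-in-production"   # assumed per-tenant HMAC key

# Good enough for a demo; a production rewriter parses the MIME parts and HTML.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _mac(url: str) -> str:
    """Truncated HMAC-SHA256 over the original URL, hex encoded."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_links(body: str) -> str:
    """Delivery-time step: replace each link with a signed redirector link."""
    def repl(match: re.Match) -> str:
        url = match.group(0)
        # safe='' also encodes '&' and '?', so the original query string survives
        return f"{REDIRECTOR}?u={quote(url, safe='')}&m={_mac(url)}"
    return URL_RE.sub(repl, body)


def decode_click(redirect_url: str):
    """Recover the original URL from a redirector link; None if forged."""
    params = parse_qs(urlparse(redirect_url).query)   # parse_qs percent-decodes
    url = params.get("u", [""])[0]
    mac = params.get("m", [""])[0]
    if not url or not hmac.compare_digest(mac, _mac(url)):
        return None
    return url


def evaluate_click(redirect_url: str, blocklist: set) -> str:
    """Time-of-click step: verdict against the intelligence available *now*."""
    url = decode_click(redirect_url)
    if url is None:
        return "REJECT: tampered or unknown redirector link"
    host = urlparse(url).hostname or ""
    if host in blocklist or any(host.endswith("." + bad) for bad in blocklist):
        return f"BLOCK: {host} is on the current blocklist"
    return f"ALLOW: {url}"


def demo() -> dict:
    """Walk one constructed phishing mail through delivery and a later click."""
    mail = ("Your mailbox is almost full. Re-validate at "
            "http://hr-portal-login.example.net/reset within 24 hours.")
    intel_at_delivery = {"known-bad.example"}                              # domain still clean
    intel_at_click = intel_at_delivery | {"hr-portal-login.example.net"}  # reported later

    rewritten = rewrite_links(mail)
    link = URL_RE.search(rewritten).group(0)
    tampered = link.replace("&m=", "&m=00")    # attacker edits the MAC
    return {
        "rewritten": rewritten,
        "delivery_time": evaluate_click(link, intel_at_delivery),
        "click_time": evaluate_click(link, intel_at_click),
        "tampered": evaluate_click(tampered, intel_at_click),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>14}: {value}")
```

The delivery-time verdict is ALLOW because the domain is not yet known; the same link evaluated after the campaign is reported is blocked, which is the whole value of deciding at click time rather than at scan time. The HMAC stops a phisher from minting redirector links for arbitrary destinations and riding on the gateway's reputation.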
Polish, Practice & Present
By 2020, 100% of large enterprises will be asked to report to their Board of Directors on Cyber security and technology risk, at least annually.
What should a good Board presentation deck look like?
- Business Execution
- We have some bright spots
- Continued remedial work in several areas
- We will enhance business performance
- Material Risks
- Our recent acquisition/event has made a minor change to our risk position
- All other material risks are stable
- External Environment
- External events require only minor tactical responses
- Security Strategy
- Execution of the current security strategy is largely on target
- Our process maturity continues to improve; it exceeds peer benchmarks and is approaching target
- Note current state and endorse action plan.
Performance and contribution to business execution
These slides should link Cyber security and risk, implicitly or explicitly, to business elements that Board members value. Use them to highlight metrics/scorecards and how the Cyber security team contributes to positive outcomes. Be prepared to explain potential problem areas and implications. Supply detailed documentation on how each metric was produced for Board members who ask.
- We will use Cyber security to help grow the business
- We will be efficient in our security management
- We will execute projects on time and to budget
- We will manage our suppliers cost-effectively
- We will provide a high level of service availability and continuity
- Customers will have confidence in our services and facilities
- We will comply with all applicable regulations
- The right people will have access to the right information
- Our tools will be fit for purpose
- We will execute change efficiently and reliably
- We will embed continuous improvement in our processes
- We will maintain our operational risk to within a defined risk appetite
- Learning and Growth
- Our people will be fully engaged
- Our people will make the right decisions
- We will invest in our people and develop their expertise
- We will protect our know-how as a competitive advantage.
The call to action
Wrap up the presentation with a closing slide to reiterate the main points and any action items. The key is to close strongly, leaving the Board confident in your plan and abilities. Summarise the points you’ve made and be clear about anything you are requesting. Take questions and thank the Board for their time.
- Action Plan; the Board to note current state:
- Business-as-usual (BAU) work programs that uplift business performance will continue
- No action is required for minor change in material risk position
- Execution of the current Cyber security strategy is largely on target. Our process maturity continues to improve; it exceeds peer benchmarks and is approaching target
- Note current state and endorse the action plan.
Rethink Your Approach to Security talent
The unemployment rate for IT security professionals is approximately zero.
While the demand for Cyber security professionals continues to grow, the number of people with the skills and experience required to fill these positions is not keeping pace.
The scarcity of skills is compounded by the fact that Cyber security teams are expected to play a larger, more strategic role, one that will drive company growth, help organisations take smart risks with new technologies and meet increasing firm-wide demands for information security support.
Simply put, it is more difficult to hire security professionals today than it was even three or four years ago.
- New Cyber security capabilities and roles
- Digitalisation is driving the need for a wider range of roles that entail new skills and knowledge. CISOs are expected to selectively add more than 30 such capabilities to their function over the next 24 months, for example security strategists responsible for setting the security strategy and informing the enterprise-wide strategy
- It’s difficult to hire new security talent
- It takes an average of 130 days to fill open IT security positions; as a result, CISOs’ teams are often pulled into a continuous cycle of high turnover and slow hiring
- Demand for Cyber security exceeds capacity
- The increasing demand for Cyber security expertise places significant pressure on CISOs to exponentially scale their teams’ work. Demand is driven by massive investments in digital transformation, media reports of data breaches and Cyber-attacks, and widespread adoption of agile development methodologies, requiring CISOs to do more with existing staff while planning for shifts in future talent needs.
Take the lean team approach
While the solution to data breaches may appear to be a bigger, better Cyber security team, a lean approach to staffing can alleviate resource challenges without sacrificing effectiveness. This calls for delegating a portion of the Cyber security functions elsewhere, e.g. to Risk or quality management.
- Implementing lean Cyber security strategies
- Such an approach can be used effectively to optimise scarce security resources. The starting point is to move beyond the assumption that an ever-growing Cyber security team is the best way to respond to increasing Cyber risk.
To adopt a lean approach
- Challenge the status quo of your Cyber security organisation
- by questioning fundamental assumptions about accountability and the role of the information security team, which may have a material effect on the demands on the team and hence, the team’s effectiveness
- Assess your current Cyber security team for effectiveness
- to identify functions or capabilities (such as user awareness communication) that can be devolved elsewhere in the business or IT
- Identify alternative skills in the business or in IT
- for capabilities that are under-resourced or performing sub-optimally
- Identify and communicate
- the advantages, disadvantages and prerequisites of adopting a lean approach in your enterprise.
Prerequisites for adopting a lean Cyber security organisation
- Clear executive support. This is key. Ensure leadership is fully apprised of the reasons and objectives of the strategy, as well as any associated risks and complications
- Security teams experienced in managing distributed teams. Teams should also be experienced in instituting and managing governance functions such as steering committees, coordination and planning forums
- A cultural environment that encourages learning. It should also encourage personal growth and embracing new responsibilities, as this approach is largely based on the ability, capacity and willingness of nonsecurity employees to embrace new additional responsibilities
- Ability and budget to support employee education. Employees new to their Cyber security responsibilities need to be quickly trained.
This paper provides a series of common-sense 'tips and tricks' for the owners of Cyber within an enterprise, whether large, medium or small. Some companies will have the capability and capacity to deliver Cyber services from their own resource pool, but most will need to seek outside support to define their Cyber posture and establish a Cyber Risk Management strategy.
What all these organisations have in common is the need to "...do the basics right!"
Amongst the numerous options companies must consider to enable effective housekeeping are computer-aided auditing tools, external expertise, and core products such as Essential 8 and Black Swan.
Co-founder & CEO, Edge IT Group