Future Proof Your Cyber! 8 enduring principles followed by leading organisations

As published on Enterprise Innovation, on August 22, 2017

We have all seen the headlines and read the stories about how organizations fail to apply basic security practices and ‘somehow’ expose sensitive data, or suffer interrupted business, causing chaos and a loss of confidence in their brand.

The industry reacts, and in some cases fans the flames of these fears: consulting firms jump at the chance to rabble-rouse, and tech companies tweak their ‘blinky boxes’ (technology-focused solutions) to block the latest adversary tactics.

During my long career in this industry I have found that organizations will typically make the correct cyber security investments if presented with a solid business case that carefully weighs benefits and costs. Information and Communications Technology (ICT) ecosystems are complex and there are many ‘right’ decisions; it is important to identify the right decision for your organization. This is doubly true for large multi-national enterprises or for nation-states with tech-driven societies such as Singapore, Malaysia, Thailand, and Indonesia. To address this challenge, we must change the poor cyber habits that lead us down a path of reactionary measures and adopt future-proof approaches.

This article will lay out a few guiding principles that leading organizations use to inform their plans, guide their architectures, enable risk management decisions and invest their limited budgets.

Our experience is rooted in the US Intelligence and Defence communities. We have seen first-hand the tools, tactics and tradecraft of well-resourced ‘nation state’ level hackers and the mercenaries they train and employ. We have developed cyber strategies, plans and programs for global companies, governments and critical infrastructure providers. We have seen what works and what fails.

One commonality that we see is that effective cyber security leadership starts with a well-informed board of directors and a management team who can quickly understand the risks, consequences, and cascade effects of a cyber threat.

These eight guiding principles will inform leaders of organizations that operate critical infrastructure how to enhance their strategies, architectures, and culture to reduce the potential impact of undesired cyber events. This is not a comprehensive view or a prescribed list of fixes. The adversaries we face, coupled with the increasing connectivity and complexity of our ICT, demand a more holistic and dynamic approach to cyber security.

Eight Guiding Principles for establishing an enduring Cyber Security Program:

1. Culture is crucial

Creating an environment that encourages others to follow is particularly challenging given how much convenience IT provides in our daily lives. We are used to having instant access to information when and where we want it. As a result, we must weigh security against convenience and develop a plan that carefully balances the risks with the benefits that expanded connectivity and easy access to company resources provide. Creating a culture of safety and security takes a leadership team committed to empowering their staff to make decisions and to understand the consequences those decisions can have. To help develop the right security culture, the workforce must be reminded of the advanced threats the organization faces, and there must be transparency about when something does go wrong and how it was corrected. Having a strong disciplinary and reward process is also important. Testing staff regularly through drills, or even simulated phishing or malware campaigns, keeps people sharp and vigilant. Finally, it is important for leaders to ‘practice what they preach’ and not exempt themselves from restrictive rules (e.g. a 2-factor authentication or remote access policy that is waived for executives). Your staff are the front line in the daily battle to safeguard your data and business operations, so it is worth investing in raising their knowledge and establishing a collaborative culture for cyber security throughout your organization.

2. Be resilient, not secure

In the past we have focused on castle-wall strategies that layer on defensive capabilities to keep the bad guys out. This is a failing plan, because we simply cannot afford to protect everything. Our networks are more complex than ever, and the adversary can develop an attack cheaply while defending against it can cost more than 10 times as much. Look within your organization: first map your ecosystem to understand how your data and ICT support the most essential functions that keep the organisation running, and know where your information is at all times. We must shift our strategies to Cyber ‘Resilience’ and Cyber ‘Survivability’ to ensure that our most essential business functions can continue in a trusted way. This means having an effective “plan B” and/or battle-hardening critical systems and applying a (costly) resilience engineering approach that designs essential systems to “fail gracefully” while under attack, continuing to support essential functions in a degraded mode.

3. Trust but verify

Recognizing that serious cyber issues can start with misplaced trust in others is an important first step in closing a significant gap we often find in large enterprises. Trust is a broad term, but in this context we are focusing on Insider Threats and 3rd Party Risk. Insider threats could range from a bad apple (an employee gone rogue) to a contractor with little loyalty to your brand. Addressing insider threats takes teamwork from the people who interface with your staff, typically Human Resources, Physical Security, and the IT Department. These agents coordinate their approach to monitoring employee behaviour (e.g. is that employee logging in constantly while on vacation in Brussels? Why?) and to creating the policy and legal frameworks to act on suspicion. Finally, 3rd Party Risk is a growing concern as traditional business operations are replaced by outsourcing to cloud computing and managed services that carry your data and secrets far from your doorstep. Shadow IT is a particular threat because there is little to no technical oversight of the risks and countermeasures, and you are often in the dark when something happens. Plan with an understanding of the threats and consequences from inside and outside your organization, and ensure that you have the right legal frameworks and technology monitoring in place to practice a trust-but-verify approach to mitigating these risks.

4. Focus on your information

Fundamentally, what are we trying to protect? What information do we hold, and what is the worst-case scenario when it is exposed, corrupted, or manipulated? Before all the buzzwords took over, it was about information security. Organizations should understand how data and information affect their business operations and reputation (see the note earlier on resilience); therefore, they must put in place the necessary policies on data retention, destruction, and, most importantly, classification. If we treat all data the same we will end up with something unmanageable, as the complexity of these information systems continues to grow, especially when 3rd party processing of data is factored in. Information and data should be categorized and mapped. Draw a line around what you are willing to protect based on budget constraints, and carefully balance your program against consequences and regulatory requirements. Publishing a guideline on information and how it should be secured will help inform the architects of your ICT environment as well as the incident responders who must reconstitute business operations during a cyber crisis.

5. Win the war for cyber talent

Recruiting and retaining talent is about culture. Yes, money is important, but opportunity, career mobility, and a culture in which people can succeed are what is needed. There is an overall shortage of cyber security professionals. In Cybrary's Cyber Security Job Trends Survey for 2016, 68 percent of the 435 senior-level technology professionals surveyed said that there is a global shortage of skilled cybersecurity professionals and that there are currently a million open cyber security positions around the world. To attract top talent you need to engage with the cyber security community by keeping an active social presence and demonstrating that you are leaning forward and open to new ideas and approaches in cyber security. Offering generous training programs, flexible work schedules, and telework options fits the typical lifestyle of security professionals. Think outside the box: create social events, and perhaps work-exchange programs with industry partners, to give them opportunities and exposure that broaden their experience, and ensure that they have the tools to do their job. They’re geeks with a passion for security. Leverage that. Don't sacrifice investments in your staff for the bottom line; recognize that recruiting and retaining cyber security professionals is not easy.

6. Leapfrog your adversary

Innovate! Innovate! Innovate! This sounds like a battle cry, but there is something satisfying in out-manoeuvring your adversary. In an age where a cyber breach, data destruction, or worse, data manipulation, can be a mortal threat to a company (or its board of executives), it is important to lean forward in your approaches to mitigating risk. Technically speaking, the internet, using the TCP/IP protocol, has operated fundamentally the same way since it was invented in the 1960s. We have bolted security on top. Many believe a complete internet overhaul is in order, while others come up with new ways to squeeze functionality and trust out of this age-old resource. Either way, to survive in these cyber times, run towards change and embrace innovation by investing heavily in research and development and trying new tools, tactics, and techniques to secure your data. Choose nimble start-ups and consultants with brave new approaches to inform your strategies, plans and programs towards a more trusted end state. By the time there is a commonly available solution, the bad guys have moved on to the next thing.

7. Measure twice, cut once

But keep the glue can within reach. Metrics help us check the pulse of the organization and predict whether there will be a breakdown in technology, a process failure, or environmental effects that could lead to a ‘black-swan’ event, or, as others have called it, an unknown-unknown. Establishing key risk indicators for cyber alongside your enterprise risk management program is an important element in determining how risk is understood and reported. Cyber should be treated differently from other risk management key indicators because cyber often cuts across other disciplines, so it will take a whole-of-team approach to collect the necessary metrics and report on progress. We recommend that organizations create a ‘mission effectiveness’ metrics approach to understanding how investments in solutions buy down the risk and also increase the cost an adversary must bear to attack your networks. Because securing an enterprise against well-resourced next-generation adversaries can be expensive, it all comes down to justifying the business case and having a robust metrics program linked to business efficiencies that helps demonstrate the benefits of the program over time. By measuring investments in cyber risk mitigation capabilities against business performance, an executive can begin to measure the effectiveness of their cyber security programs. Understanding how investments in cyber security capabilities relate to business performance enables a more meaningful dialogue with the Chief Information Security Officer about their program budget.

8. Listen to Sun Tzu

The Art of War by Sun Tzu was written over 2,500 years ago. If you have never read it, I highly recommend reading the complete 13 chapters, which capture wisdom that has stood the test of time. One such passage is about knowledge and insight into one's own capabilities as well as the enemy’s strengths and weaknesses. It states: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” This statement seems simple, but applying these lessons to cyber security is quite complex. It is much like warfare, and the stakes are high. Organizations that operate on today’s internet fight for resources in a highly contested environment; knowing your adversary's motivation and how you appear to them is a critical step in planning your defensive strategies. This approach ensures that your cyber operations team has the knowledge not only to recover from an unanticipated cyber event, but to recover in a way that deceives the adversary, protecting you from a follow-up attack. Sun Tzu has many relevant things to say about how we can enhance our cybersecurity practices and approaches, and we encourage you to read The Art of War.

By adopting these eight guiding principles you will enhance your plans and architectures, and enable risk management decisions. Please contact us via CIO Connect. Our team is ready to answer any follow-up questions that you have.

To recap, organizations can start right away to enact these eight principles:

  • Security is led by the executives of the organisation. They embody the culture.
  • Map your ecosystem to understand how your data and Information and Communications Technologies support your most essential functions, and consider what is important to keep the mission running.
  • Address insider threats proactively; organizations can’t afford to wait until a malicious insider deals a mortal blow to the organization, which will be very costly.
  • Think outside the box on your recruitment and retention strategies for Cyber Security Professionals: flexible work hours, empowerment through mentoring by industry leaders, and education opportunities. Give the cyber team the tools they need to do their job and access to information. Be sure to give them the right authorities. Be careful not to create an elitist group within the company, but don’t be held back by the stringent human resources methodologies of the past.
  • Implement an effective governance program that connects enterprise risk with cyber risk, and plan ahead to measure the organization's investments against their effectiveness in protecting the business mission (not security for IT’s sake).
  • Finally, lean forward in innovation. Invest in research and development into new capabilities. Partner with your peers in industry (sometimes even sharing cyber information with a competitor is critical in combating a sophisticated adversary). The next-generation adversaries will attack you all the same, so it is easier to join forces on this digital battleground.

About the Author: Mr. Anthony Bargar is the Managing Director of the Cyber Security Consulting Group (CSCG), with offices in Thailand, Singapore and Washington DC. Through their partner CIO Connect, they educate Boards of Directors, CIOs, other C-level executives and senior leaders on Cyber Security, its ever-increasing risks, and methods for thwarting them. CIO Connect provides advice to technology and business leaders on the opportunities and challenges that digital technology developments create.

If you would like to talk to us to understand more, please contact Emma Burrows emma.burrows@cio-connect.com.

The C Suite approach to Cyber Survivability

Can we keep the bad guys out of our networks? “No,” says the former Senior Policy & Strategy Advisor for the US Department of Defense, Mr. Anthony Bargar.

Instead we must shift our strategies to Cyber ‘Resilience’ and Cyber ‘Survivability’, to ensure that our most essential business functions can continue in a trusted way despite operating in a hostile information and communications technologies (ICT) battle zone some call “the internet”.

Anthony Bargar has spent the better part of his career in Washington DC, in the US Intelligence Community and the Department of Defense. He started out as a white-hat hacker, hacking into military intelligence command and control (C2) systems to demonstrate weaknesses and design more secure architectures, and has since worked on sensitive counter-espionage cases to gather digital evidence to identify and prosecute spies. He quickly moved up the ladder, eventually landing at the US Office of the Secretary of Defense (OSD), where he supported the Department’s Chief Information Officer (CIO), and was assigned to the National Security Council, where he helped the White House re-write the US Cyber Strategy. Mr. Bargar left government service in 2010 and went to Wall Street, where he was the chief consultant to NASDAQ OMX and helped safeguard its high-speed trading networks from nation-state-level hackers; he and his team were instrumental in assessing and enhancing NASDAQ’s security program.

Asked about keeping the bad guys out, Anthony said, “We can't afford to protect everything. Our networks are getting more complex and the adversary has to spend very little in developing an attack, while the cost of defense can be a factor of 10 if not more.” He went on to tell us, “The industry has led us to acquire ‘blinky box’ syndrome, that is, throwing too much technology at the problem. Organizations need to look within and first think more strategically about what is important to keep the mission running, and about where their information is at all times.” Adversaries are now shifting their tactics to attack trust and take our data hostage, as evident in the global ransomware attacks. This is an escalation: the more dependent we become as digital societies, the more attacks there will be on the data networks and information we depend on for our daily lives, and the stakes will only get higher as time goes on.

Mr. Bargar leads a consulting group comprised of similarly experienced experts working with the private sector and governments worldwide on resilient architectures, effective strategies, and leap-ahead technologies to reduce risk and create business opportunity. Anthony is currently focused on SE Asia, enhancing cyber maturity to counter next-generation adversaries. He launched CSCG’s SE Asia HQ in Singapore and has recently inked a collaboration with CIO Connect Pte Ltd to educate Boards of Directors, CIOs, other C-level executives and senior leaders on Cyber Security, its ever-increasing risks, and how they can be thwarted.

CIO Connect is a boutique advisory firm that brings pragmatic tangible advice from tenured advisors with extensive experience of working in IT and the business. We provide advice to technology and business leaders on the opportunities and challenges that digital technology developments create.

“Effective Cyber Security Leadership starts, of course, with a well-informed board of directors and their management team, who can quickly understand the risks, consequences, and cascade effects of a cyber threat and the decisions they make,” said Anthony Bargar.

“We have been searching for the right senior-level cyber security expert who can discuss cyber strategies with C-suite members and the technical implications for IT people. There are many people positioning themselves as experts who aren’t,” said Barb Dossetter.

Working with CIO Connect, the Cyber Security Consulting Group will offer a series of Master Classes on the following subjects:

  • Data Breaches and Cyber Resilience: strategies, tactics and countermeasures to today’s ransomware and other sophisticated cyber threats.

  • Controlling Cyber Risks from 3rd Parties and Outsourcing ICT Operations: recognizing risks to your organization resulting from the growing trends of cloud computing, outsourcing ICT operations, and increasing dependence on 3rd parties.

  • Executive Management of Cyber Security: build a plan to manage board communications, ask the right questions as leaders, evaluate the effectiveness of your programs (Cyber Maturity Analysis), and implement a governance program that is flexible and adaptable to the cyber threats tailored to your organization.

If you would like to talk to us to understand more, please contact Emma Burrows at emma.burrows@cio-connect.com, or you can find out more by visiting our website at www.cio-connect.sg

CIO Connect Masterclass - Building the Brand

As IT, you deliver every day, day in and day out. However, it seems that the only time your business colleagues take an interest is when something goes wrong. This is a common ‘brand issue’ with most IT departments. The effect on the organisation as a whole is that it has not leveraged its investment in technology. That might have been acceptable 20 years ago, but now it means that the organisation is not leveraging a huge investment (between 1 and 6% of revenue). By taking control of your brand, you can reposition IT in the corporate mind.

This can start with a masterclass as a catalyst for change. As a result, clients have repositioned themselves as partners to their business colleagues, with measurable improvements to the bottom line.

On this masterclass we cover:

  • The Power of the brand
  • Managing stakeholders
  • Communicating for success

Email me at emma.burrows@cio-connect.com to find out more.

CIO Connect Expert View - When Things Go Wrong

Options for a CIO in Resolving Contractual Problems

The Challenge

Organizations increasingly rely on a complex and fast moving network of third parties including ‘as a service’ or cloud providers to implement and support critical IT services. And so they should - out-tasking removes many technological risks from businesses not best equipped to deal with them. CIOs are also rightly encouraged to embrace disruption and ‘start-up’ vendors to maximize opportunities from innovative ways of working.

At the same time we must recognize that these positive trends introduce a significant level of commercial risk that cannot be left unmanaged. In a dynamic, multi-sourced network there is a greatly increased risk of vendors failing to deliver the required level of integrated services. The three most common areas that give rise to problems are vendors:

  • Not adopting collaborative behaviours when working with competitors to deliver an integrated service
  • Being resistant to proposing innovation and change to the benefit of the client
  • Not adopting constructive approaches to resolving disputes which can arise even in the best managed relationships

The increasingly volatile nature of the vendor market and the lower capital strength of new vendors in the market also present increased risks to service continuity, from failure to stay in business or from being absorbed into stronger, and potentially less attractive, competitors.

There is much good advice, especially from CIO Connect, around how to manage vendors to mitigate these risks. I do not intend in this article to repeat that, but rather to explore what options exist for a CIO and team when prevention has not worked.

Managing the Conflict

Technology failures and human errors cannot be avoided completely, even in Tier 1 providers. In a complex outsourced service model these invariably lead to disputes over who is responsible and who should pay. The contract may appear to be clear on this, but very often day-to-day service delivery depends on important intangibles not covered by the legal allocation of responsibilities and liabilities. From my own experience as a CIO, I am clear that naïvely hoping that disputes don’t happen doesn’t work. We need to accept that a constructive approach to managing conflict is essential to maximizing value from key and long-term vendor relationships.

My current role as an arbitrator has taught me that positive dispute management should be based on very clear processes for escalation of a problem within the party organizations. In many cases the problem will be resolved eventually by an agreement between individuals and it is essential that good communication lines are kept open throughout the dispute.


However, it is naive to assume that parties to a dispute will be able to take an entirely objective view of the problem, unaffected by their own corporate pressures and interests. Inter-party negotiations should be supported by early recourse to a professional third party able to provide an independent view before the parties become too entrenched. It is important to ensure during contract negotiations that such recourse is incorporated in a valid arbitration clause.

There are two main approaches to independent involvement in a dispute. In the first, the parties may commission an independent analysis of the causes of the dispute and a report containing an objective assessment of it and a proposed framework for resolving it. This is known as early neutral evaluation (ENE), and is often the forerunner to the appointment of an independent mediator who will endeavour to facilitate an agreed settlement between the parties.

However, if an agreed settlement is not possible through ENE or mediation, the parties may agree to the appointment of an independent arbitrator. An arbitrator will conduct a formal resolution process, and the parties must agree in advance to accept the outcome. Arbitrations for contracts concluded under English law will be conducted within the Arbitration Act 1996, but other jurisdictions have similar legislation and sets of arbitral rules governing the conduct of the dispute.

Why Arbitration?

An arbitration is not a court case and need not involve legal representation. However, it still provides an effective resolution, as it is a legally binding process, rules of evidence apply, and an arbitrator’s awards are usually legally enforceable.

Managed correctly, arbitration should always be more cost effective than litigation. With the agreement of the parties it is possible for the arbitrator to fix in advance how much the case will cost and how long it will take.

In addition, the parties are able to select an arbitrator who is qualified to understand the professional and technical context of their dispute. In many cases the arbitrator can deal with the case without a hearing, but even if one is required the arbitrator will seek to minimise the adversarial nature of a court case and concentrate on establishing the merits of each side's case using the facts rather than points of law.

The arbitrator is also legally bound to conduct the resolution with strict impartiality and to ensure confidentiality, unlike a court case, which of course is in the public domain.

In short, taking a dispute to arbitration means that it can be resolved in a legally binding way, and because it is conducted confidentially, impartially, and relatively swiftly at a known cost, the matter can very often be resolved without the undisputed areas of the contract being affected.

Summary

Prevention is always better than cure, and to ensure effective management of the risks arising from reliance on external sources for key business services, CIOs should have good vendor management processes and a clear understanding of vendor risks in place.

However, CIOs also need to be aware that problems will arise even in the best-managed contracts, and having a constructive approach to managing disputes in place is essential. Early recourse to an independent mediator or arbitrator is part of a constructive approach, and this will often be crucial in ensuring that vendors deliver the business value that was anticipated during the procurement and sales process.

About the Author:

Stephen Hand is a Fellow of the Chartered Institute of Arbitrators and a member of the Institute’s Business Arbitration panel. He is the former CIO of a global marine organisation, with many years of senior IT management experience.


CIO Connect Masterclass: The World of 2020 - Harnessing the Future in a Fast Changing World

Our business colleagues expect IT to deliver technology led innovation. The aim is to make innovation an integral part of what IT delivers to their business community.

This masterclass reviews technologies in the context of the business’s future and uses scenario planning as a way to uncover ideas and define how to ‘sell’ them to the business community.

Why is this so important? A recent Forbes article makes the case.

Overview:

  • One day results orientated masterclass
  • Focussed for the CIO and their Leadership Team
  • Tailored specifically for the organisation
  • Actionable outcomes

The masterclass covers:

  • What is Innovation?
  • Leading Innovators
  • Testing for Innovation
  • How do we manage innovation?
  • Shadow IT or Citizen Developer?
  • Scenario planning
  • Disruptive technologies or opportunities?
  • Business exercises
  • Disruptive business or new business opportunities?
  • Further reading material

The Result:

  • IT positioned as forward thinking on business strategy


Exploiting the power of business and technology fusion

I do so love our Technology Leadership in a Changing World Programme! We had the second session this week, and our morning session, led by Dr John Kenworthy, covered ‘Understand your Business’. This is still a challenging subject, but progress was made when the participants moved from speaking about ‘us and the business’ to ‘us’. It's so easy to see our business colleagues as being from a different place.

We started with a discussion on the different types of business cultures and discussed our own businesses in that light. We looked at the changing roles and expectations of IT and the value that IT delivers to different parts of the organisation. The session is always conducted under the Chatham House Rule, so I can't share some of the more juicy bits!

There are three takeaways that I can share though.

  • The critical activity going forward is for IT to shift its role from commodity provider to trusted advisor: from a target to be outsourced to being involved in the development of the business strategy, and therefore key to the organisation. We looked at some actions that we can take to make that happen. While this is often happening at the C-level, it is important to understand that all senior executives have a role in contributing to the business strategy.
  • There are various ways to influence stakeholders, and we discussed several of them. The area that was new to me was the chemistry of influence. I must say, it definitely appealed to the nerdy side of my nature!
  • Probably the most immediately relevant is the way to hold more powerful meetings. That is not to be interpreted as more meetings. As we all run from meeting to meeting, we are really delivering less value than we can or should. We discussed ways to reduce the number of meetings we attend, and to make sure the ones we attend, and more importantly the ones we run, deliver clear actions and benefits.

With the second of these sessions, the benefits of sharing experiences, led by a domain expert in a safe environment, with the coaching and mentoring which we deliver between sessions, were more obvious. If we are going to make a difference, we need to do more than attend a session. We need to inhale the experience and make it an integral part of our DNA before we get absorbed back into the day-to-day madness that is most of our lives. Otherwise, there will be no change, and we will continue to do the same thing with the same result.

Preparing Yourself for Leadership

Yesterday we had the first session of ‘Technology Leadership in a Changing World’ here in Singapore. This has been a very successful programme in the UK and HK, run for many years in both places, so it is not so much a new programme as a new venue.

The first session was about preparing ourselves for leadership. Dr John Kenworthy led it and had us tap into our inner selves and inner strengths. As we know, IT people are notoriously nerdy, and we tend to focus on others rather than ourselves, and on problems and solutions rather than promoting ourselves. No wonder the marketing people get the big bucks; they know how to ask for them! So what did we learn? Some key takeaways were:

  • How to bring our unconscious competence to the fore, and to use it day in and day out to be successful leaders
  • Key aspects of emotional and cultural intelligence
  • How to have presence

We covered a lot more in the session and will pick up on some of these themes and areas over the next 3 sessions, in the next 3 months of the programme. By taking this approach, with a combination of workshops and mentoring, the attendees have a chance to embed the lessons into their professional DNA.

C-suite members cite their leadership teams as one of their most critical success factors. By giving people a chance to build their leadership skills in this way, they are investing in the future success of their organisations.