As published on Enterprise Innovation, on August 22, 2017
We have all seen the headlines and read the stories about how organizations fail to apply basic security practices-- and ‘somehow’ expose sensitive data, or suffer interrupted business causing chaos and a loss of confidence in their brand.
The industry reacts and in some cases fans the flames of these fears, consulting firms jump on the chance to rabble rouse and tech companies tweak the blinky boxes (technology focused solutions) to block the latest adversary tactics.
During my long career in this industry I have found that typically organizations will make correct cyber security investments if presented with a solid business case that carefully weighs benefits and costs. Information and Communications Technology (ICT) ecosystems are complex and there are many ‘right’ decisions. It is important to identify the right decision for your organization. This is doubly true for large multi-national enterprises or nation-states featuring tech driven societies such as Singapore, Malaysia, Thailand, and Indonesia. To address this challenge, we must change our poor-cyber-habits which lead us down a path of reactionary measures and adopt future proof approaches.
This article will lay out a few guiding principles that leading organizations use to inform their plans, guide their architectures, enable risk management decisions and invest their limited budgets.
Our experience is rooted in the US Intelligence and Defence communities. We have seen at first hand the tools, tactics and tradecraft of well resourced ‘nation state’ level hackers and the mercenaries they train and employ. We have developed cyber strategies, plans and programs for global companies, governments and critical infrastructure providers. We have seen what works and what fails.
One commonality that we see is that effective cyber security leadership, starts with a well-informed board of directors and their management team who can quickly understand the risks, consequences, and cascade effects of a cyber threat.
These 8 guiding principles will inform leaders of organizations that operate critical infrastructures how to enhance their strategies, architectures, and culture to reduce potential impacts of undesired cyber events. This a not full house view or a prescribed list of fixes. The adversaries we face, coupled with increasing connectivity and complexity of our ICT demand a more holistic and dynamic approach to cyber security.
Eight Guiding Principles for establishing an enduring Cyber Security Program:
1. Culture is crucial
Creating an environment that encourages others to follow is particularly challenging given how IT provides more conveniences in our daily lives. We are used to having instant access to information when and where we want it. As a result, we must trade security for convenience and develop a plan to carefully balance the risks with the benefits that expanded connectivity and easy access to company resources provides. Creating a culture of safety and security takes a leadership team committed to empowering their staff to make decisions and realize the consequences that can have. To assist in developing the right security culture, the workforce must be reminded of the advanced threats that the organization faces and have transparency for when something does go wrong and how it was corrected. Having a strong disciplinary and reward process is also important. Testing staff regularly through drills, or even simulated phishing or malware campaigns, is important to keep folks sharp and vigilant. Finally, it is important for leaders to ‘practice what they preach’ and not exempt themselves from restrictive rules (e.g. 2-factor authentication or remote access policy that is waived for execs). Your staff is the front line in the daily battle to safeguard your data and business operations, so it’s good to invest in raising their knowledge and establishing a collaborative culture for cyber security throughout your organization.
2. Be resilient, not secure
In the past we have focused on castle wall strategies that layer on defensive capabilities to keep the bad guys out. This is a failing plan, because we simply cannot afford to protect everything. Our networks are more complex than ever and the adversary can easily develop an attack, while defence can cost more than 10 times that amount. Look within your organization and first map your ecosystem to understand how your data and ICT support your most essential functions to keep the organisation running, and know where your information is at all times. We must shift our strategies to Cyber ‘Resilience’ and Cyber ‘Survivability’ to ensure that our most essential business functions can continue in a trusted way. This means having an effective “plan B” and/or battle hardening critical systems and applying a costly resilience engineering approach, designing essential systems to “fail gracefully” while under attack but continuing to support essential functions in a degraded mode.
3. Trust but verify
Recognizing that serious cyber issues can start with misplaced trust placed in others is an important first step in closing a significant gap we often find in large enterprises. Trust is a broad term, but in this context we are focusing on Insider Threats, and 3rd Party Risk. Insider Threats, could range from a bad apple (employee gone rogue) or a contractor with little loyalty to your brand. Addressing insider threats takes teamwork from the folks who interface with your staff, typically Human Resources, Physical Security, and the IT Department. These agents coordinate their approach on monitoring employee behaviour [e.g. is that employee logging in constantly while on vacation, in Brussels? Why?] and creating the policy and legal frameworks to act on suspicion. Finally, 3rd Party Risk is a growing concern as the notion of traditional business operations is replaced with outsourcing by cloud computing, managed services that carry your data and secrets along with it far from your doorstep. Shadow IT is a particular threat because there is little to no technical oversight of the risks and countermeasures and you are often in the dark when something happens. Plan with an understanding of the threats and consequences from inside and outside your organization, and ensure that you have the right legal frameworks and technology monitoring in place to practice a trust but verify approach to mitigating these risks.
4. Focus on your information
Fundamentally what are we trying to protect? What information do we hold onto and what is the worst-case scenario for when it is exposed, corrupted, or manipulated? Before all the buzzwords took over, it was about information security. Organizations should understand that data and information impact their organization's business operations and reputation (see note earlier on resilience); therefore, they must put in necessary policies on data retention, destruction, and most importantly classification. If we treat data all the same we will end up with something unmanageable as the complexity of these information systems will continues to grow, especially factoring in 3rd party processing of data. Information and data is categorized and mapped. Draw a line around what you are willing to protect based on budget constraints and carefully balance your program against consequences and regulatory requirements. Publishing a guideline on information and how it should be secured will help inform the architects of your ICT environment as well as incident responders who must reconstitute business operations during a cyber crisis.
5. Win the war for cyber talent
Recruiting and retaining talent is about culture. Yes money is important, but opportunity, career mobility, and creating a culture to succeed is what is needed. There is an overall shortage of cyber security professionals. In Cybrary's Cyber Security Job Trends Survey for 2016 68 percent of the 435 senior-level technology professionals surveyed said that there is a global shortage of skilled cybersecurity professionals and that there are currently a million jobs for cyber security positions around the world. To attract top talent you need to engage with the cyber security community by keeping an active social presence and demonstrating you are leaning forward and open to new ideas and approaches in cyber security. Offering generous training programs, flexible work schedules, and telework options for security professionals fit the typical lifestyle. Think outside of the box -- create social events and perhaps a work-exchange programs with their industry partners to give them opportunities and exposure to broaden their experience and ensure that they have the tools to do their job. They’re geeks, with a passion for security. Leverage that. Don't sacrifice investments in your staff for the bottom line; recognize that recruiting and retaining cyber security professionals is not easy.
6. Leapfrog your adversary
Innovate!, Innovate!, Innovate! This sounds like a battle cry, but there is something satisfying in out-manoeuvring your adversary. In an age where a cyber breach, data destruction, or worse, manipulation, can be a mortal threat to a company, (or its board of executives), it is important to lean forward in your approaches to mitigate risks. Technically speaking, the internet using the TCP/IP protocol has operated fundamentally the same since it was invented in the 1960’s. We have bolted security on top. There are many who believe a complete internet overhaul is in order-- but others who come up with new ways to squeeze functionality and trust over this age-old resource. Either way, to survive in these cyber times, run towards change and embrace innovation by investing heavily in research and development and trying new tools, tactics, and techniques to secure your data. Choose nimble start-ups and consultants with brave new approaches to inform your strategies, plans and programs towards a more trusted end state. By the time there is a commonly available solution, the bad guys have moved on to the next thing.
7. Measure twice cut once
… but keep the glue can within reach. Metrics help us check the pulse of the organization and predict if there will be a breakdown in technology, a process failure, or environmental effects that could lead to a ‘black-swan’ event or as others have called it, an unknown-unknown. Establishing key risk indicators for cyber along with your enterprise risk management program is an important element in determining how risk is understood and reported. Cyber should be treated differently than other risk management key indicators because cyber is often cross-cutting other disciplines so it will take a whole-of-team approach to collect the necessary metrics and report on progress. We recommend that organizations create a ‘mission effectiveness’ metrics approach to understanding how investments in solutions buy-down the risk but also increase the cost required for an adversary to attack your networks. Because securing an enterprise against well-resourced next generation adversaries can be expensive, It all comes down to justifying the business case and having a robust metrics program linked to business efficiencies that help demonstrate the benefits of the program over time. By measuring investments in cyber risk mitigation capabilities against business performance an executive can begin to measure the effectiveness of their cyber security programs. Understanding how investments in cyber security capabilities apply to business performance enables a more meaningful dialog with the Chief Information Security Officer on their program budget.
8. Listen to Sun Tzu
The Art of War by Sun Tzu was written over 2,500 years ago. If you have never read this, I highly recommend reading the complete 13 chapters which capture wisdom that has stood the test of time. One such passage is about knowledge and insight into one's own capabilities as well as the enemy’s strengths and weaknesses. It states: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” This statement seems simple, but applying these lessons to cyber security is quite complex. It is much like warfare and the stakes are high. Organizations that operate on today’s internet fight for resources in this highly contested environment-- knowing your adversary's motivation and how you appear to them is a critical step in planning your defensive strategies. This approach ensures that your cyber operations team has the knowledge not only to recover from an unanticipated cyber event, but to recover in a way that deceives the adversary, protecting you from a follow up attack. Sun Tzu has many relevant things to say about how we can enhance our cybersecurity practices and approaches, and we encourage you to read The Art of War.
By adopting these eight guiding principles you will enhance your plans, architectures, and enable risk management decisions. Please contact us by CIO Connect. Our team is ready to answer any follow up questions that you have.
To recap organizations can start right away to enact these eight principles;
- Security is led by the executives of the organisation. They embody the culture.
- Map your ecosystem to understand how your data and Information and Communications Technologies support your most essential functions and consider what is important to keep the mission running
- Address insider threats proactively, organizations can’t afford to wait until a malicious insider deals a mortal blow to the organization, and this will be very costly.
- Think outside the box on your recruitment and retention strategies for Cyber Security Processionals - flexible work hours, empowerment from mentoring by industry leaders and education opportunities. Give the cyber team the tools that they need to do their job and access to information. Be sure to give them the right authorities. Be careful not to create an elitist group within the company, but don’t be held back by stringent human resources methodologies of the past.
- Implement an affective governance program that connects enterprise risk with cyber risk, and plan ahead to measure the organizations investments against their effectiveness in protecting the business mission (not security for IT’s sake).
- Finally, lean forward in innovation. Invest in research and development into new capabilities. Partner with your peers in industry (sometimes even sharing cyber information with your competitor is critical in combating a sophisticated adversary). The next generation adversaries will attack you all the same, it’s easier to join forces in this digital battle ground.
About the Author: Mr. Anthony Bargar, is the Managing Director of the Cyber Security Consulting Group (CSCG) with offices in Thailand, Singapore and Washington DC. Through their partner CIO Connect, they educate Boards of Directors, CIOs, other C level executives and senior leaders on Cyber Security, the ever-increasing risks and methods for thwarting them. CIO Connect provides advice to technology and business leaders on the opportunities and challenges that digital technology developments create.
If you would like to talk to us to understand more, please contact Emma Burrows firstname.lastname@example.org.