Governance

Future Proof Your Cyber! 8 enduring principles followed by leading organisations

As published on Enterprise Innovation, on August 22, 2017

We have all seen the headlines and read the stories about how organizations fail to apply basic security practices and ‘somehow’ expose sensitive data, or suffer interrupted business, causing chaos and a loss of confidence in their brand.

The industry reacts, and in some cases fans the flames of these fears: consulting firms jump at the chance to rabble-rouse, and tech companies tweak their blinky boxes (technology-focused solutions) to block the latest adversary tactics.

During my long career in this industry I have found that typically organizations will make correct cyber security investments if presented with a solid business case that carefully weighs benefits and costs. Information and Communications Technology (ICT) ecosystems are complex and there are many ‘right’ decisions. It is important to identify the right decision for your organization. This is doubly true for large multi-national enterprises or nation-states featuring tech-driven societies such as Singapore, Malaysia, Thailand, and Indonesia. To address this challenge, we must change our poor cyber habits, which lead us down a path of reactionary measures, and adopt future-proof approaches.

This article will lay out a few guiding principles that leading organizations use to inform their plans, guide their architectures, enable risk management decisions and invest their limited budgets.

Our experience is rooted in the US Intelligence and Defence communities. We have seen at first hand the tools, tactics and tradecraft of well-resourced ‘nation state’ level hackers and the mercenaries they train and employ. We have developed cyber strategies, plans and programs for global companies, governments and critical infrastructure providers. We have seen what works and what fails.

One commonality that we see is that effective cyber security leadership starts with a well-informed board of directors and a management team who can quickly understand the risks, consequences, and cascade effects of a cyber threat.

These 8 guiding principles will show leaders of organizations that operate critical infrastructure how to enhance their strategies, architectures, and culture to reduce the potential impacts of undesired cyber events. This is not a full-house view or a prescribed list of fixes. The adversaries we face, coupled with the increasing connectivity and complexity of our ICT, demand a more holistic and dynamic approach to cyber security.

Eight Guiding Principles for establishing an enduring Cyber Security Program:

1. Culture is crucial

Creating an environment that encourages others to follow is particularly challenging given how IT provides more conveniences in our daily lives. We are used to having instant access to information when and where we want it. As a result, we must trade security for convenience and develop a plan to carefully balance the risks against the benefits that expanded connectivity and easy access to company resources provide. Creating a culture of safety and security takes a leadership team committed to empowering their staff to make decisions and to realize the consequences those decisions can have. To assist in developing the right security culture, the workforce must be reminded of the advanced threats that the organization faces and be given transparency about when something does go wrong and how it was corrected. Having a strong disciplinary and reward process is also important. Testing staff regularly through drills, or even simulated phishing or malware campaigns, is important to keep folks sharp and vigilant. Finally, it is important for leaders to ‘practice what they preach’ and not exempt themselves from restrictive rules (e.g. a 2-factor authentication or remote access policy that is waived for execs). Your staff is the front line in the daily battle to safeguard your data and business operations, so it is worth investing in raising their knowledge and establishing a collaborative culture for cyber security throughout your organization.

2. Be resilient, not secure

In the past we have focused on castle wall strategies that layer on defensive capabilities to keep the bad guys out. This is a failing plan, because we simply cannot afford to protect everything. Our networks are more complex than ever, and the adversary can develop an attack cheaply while defending against it can cost more than 10 times as much. Look within your organization and first map your ecosystem to understand how your data and ICT support the most essential functions that keep the organization running, and know where your information is at all times. We must shift our strategies to Cyber ‘Resilience’ and Cyber ‘Survivability’ to ensure that our most essential business functions can continue in a trusted way. This means having an effective “plan B” and/or battle hardening critical systems and applying a costly resilience engineering approach: designing essential systems to “fail gracefully” while under attack, continuing to support essential functions in a degraded mode.

3. Trust but verify

Recognizing that serious cyber issues can start with misplaced trust in others is an important first step in closing a significant gap we often find in large enterprises. Trust is a broad term, but in this context we are focusing on Insider Threats and 3rd Party Risk. Insider Threats could range from a bad apple (an employee gone rogue) to a contractor with little loyalty to your brand. Addressing insider threats takes teamwork from the folks who interface with your staff, typically Human Resources, Physical Security, and the IT Department. These agents coordinate their approach to monitoring employee behaviour [e.g. is that employee logging in constantly while on vacation in Brussels? Why?] and to creating the policy and legal frameworks to act on suspicion. Finally, 3rd Party Risk is a growing concern as traditional business operations are replaced with outsourcing to cloud computing and managed services that carry your data and secrets with them, far from your doorstep. Shadow IT is a particular threat because there is little to no technical oversight of the risks and countermeasures, and you are often in the dark when something happens. Plan with an understanding of the threats and consequences from inside and outside your organization, and ensure that you have the right legal frameworks and technology monitoring in place to practice a trust but verify approach to mitigating these risks.

4. Focus on your information

Fundamentally, what are we trying to protect? What information do we hold onto, and what is the worst-case scenario for when it is exposed, corrupted, or manipulated? Before all the buzzwords took over, it was about information security. Organizations should understand that data and information impact their business operations and reputation (see the note earlier on resilience); therefore, they must put in place the necessary policies on data retention, destruction, and, most importantly, classification. If we treat all data the same we will end up with something unmanageable, as the complexity of these information systems will continue to grow, especially factoring in 3rd party processing of data. Information and data must be categorized and mapped. Draw a line around what you are willing to protect based on budget constraints, and carefully balance your program against consequences and regulatory requirements. Publishing a guideline on information and how it should be secured will help inform the architects of your ICT environment as well as the incident responders who must reconstitute business operations during a cyber crisis.

5. Win the war for cyber talent

Recruiting and retaining talent is about culture. Yes, money is important, but opportunity, career mobility, and creating a culture to succeed is what is needed. There is an overall shortage of cyber security professionals. In Cybrary's Cyber Security Job Trends Survey for 2016, 68 percent of the 435 senior-level technology professionals surveyed said that there is a global shortage of skilled cybersecurity professionals and that there are currently a million open cyber security positions around the world. To attract top talent you need to engage with the cyber security community by keeping an active social presence and demonstrating that you are leaning forward and open to new ideas and approaches in cyber security. Offering generous training programs, flexible work schedules, and telework options for security professionals fits the typical lifestyle. Think outside of the box: create social events, and perhaps work-exchange programs with industry partners, to give them opportunities and exposure to broaden their experience, and ensure that they have the tools to do their job. They’re geeks, with a passion for security. Leverage that. Don't sacrifice investments in your staff for the bottom line; recognize that recruiting and retaining cyber security professionals is not easy.

6. Leapfrog your adversary

Innovate! Innovate! Innovate! This sounds like a battle cry, but there is something satisfying in out-manoeuvring your adversary. In an age where a cyber breach, data destruction, or worse, manipulation, can be a mortal threat to a company (or its board of executives), it is important to lean forward in your approaches to mitigate risks. Technically speaking, the internet using the TCP/IP protocol has operated fundamentally the same since it was invented in the 1960’s. We have bolted security on top. There are many who believe a complete internet overhaul is in order, but others keep coming up with new ways to squeeze functionality and trust out of this age-old resource. Either way, to survive in these cyber times, run towards change and embrace innovation by investing heavily in research and development and trying new tools, tactics, and techniques to secure your data. Choose nimble start-ups and consultants with brave new approaches to inform your strategies, plans and programs towards a more trusted end state. By the time there is a commonly available solution, the bad guys have moved on to the next thing.

7. Measure twice, cut once (but keep the glue can within reach)

Metrics help us check the pulse of the organization and predict whether there will be a breakdown in technology, a process failure, or environmental effects that could lead to a ‘black-swan’ event or, as others have called it, an unknown-unknown. Establishing key risk indicators for cyber alongside your enterprise risk management program is an important element in determining how risk is understood and reported. Cyber should be treated differently from other risk management key indicators because cyber often cuts across other disciplines, so it will take a whole-of-team approach to collect the necessary metrics and report on progress. We recommend that organizations create a ‘mission effectiveness’ metrics approach to understanding how investments in solutions buy down the risk and also increase the cost required for an adversary to attack your networks. Because securing an enterprise against well-resourced next generation adversaries can be expensive, it all comes down to justifying the business case and having a robust metrics program linked to business efficiencies that helps demonstrate the benefits of the program over time. By measuring investments in cyber risk mitigation capabilities against business performance, an executive can begin to measure the effectiveness of their cyber security programs. Understanding how investments in cyber security capabilities apply to business performance enables a more meaningful dialog with the Chief Information Security Officer on their program budget.

8. Listen to Sun Tzu

The Art of War by Sun Tzu was written over 2,500 years ago. If you have never read this, I highly recommend reading the complete 13 chapters, which capture wisdom that has stood the test of time. One such passage is about knowledge and insight into one's own capabilities as well as the enemy’s strengths and weaknesses. It states: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” This statement seems simple, but applying these lessons to cyber security is quite complex. It is much like warfare, and the stakes are high. Organizations that operate on today’s internet fight for resources in this highly contested environment; knowing your adversary's motivation and how you appear to them is a critical step in planning your defensive strategies. This approach ensures that your cyber operations team has the knowledge not only to recover from an unanticipated cyber event, but to recover in a way that deceives the adversary, protecting you from a follow-up attack. Sun Tzu has many relevant things to say about how we can enhance our cybersecurity practices and approaches, and we encourage you to read The Art of War.

By adopting these eight guiding principles you will enhance your plans and architectures, and enable risk management decisions. Please contact us via CIO Connect. Our team is ready to answer any follow-up questions that you have.

To recap, organizations can start right away to enact these eight principles:

  • Security is led by the executives of the organization. They embody the culture.
  • Map your ecosystem to understand how your data and Information and Communications Technologies support your most essential functions, and consider what is important to keep the mission running.
  • Address insider threats proactively; organizations can’t afford to wait until a malicious insider deals a mortal blow to the organization, which will be very costly.
  • Think outside the box on your recruitment and retention strategies for Cyber Security Professionals: flexible work hours, empowerment from mentoring by industry leaders, and education opportunities. Give the cyber team the tools that they need to do their job and access to information. Be sure to give them the right authorities. Be careful not to create an elitist group within the company, but don’t be held back by stringent human resources methodologies of the past.
  • Implement an effective governance program that connects enterprise risk with cyber risk, and plan ahead to measure the organization's investments against their effectiveness in protecting the business mission (not security for IT’s sake).
  • Finally, lean forward in innovation. Invest in research and development into new capabilities. Partner with your peers in industry (sometimes even sharing cyber information with your competitor is critical in combating a sophisticated adversary). The next generation adversaries will attack you all the same; it’s easier to join forces in this digital battle ground.

About the Author: Mr. Anthony Bargar is the Managing Director of the Cyber Security Consulting Group (CSCG) with offices in Thailand, Singapore and Washington DC. Through their partner CIO Connect, they educate Boards of Directors, CIOs, other C-level executives and senior leaders on Cyber Security, the ever-increasing risks and methods for thwarting them. CIO Connect provides advice to technology and business leaders on the opportunities and challenges that digital technology developments create.

If you would like to talk to us to understand more, please contact Emma Burrows emma.burrows@cio-connect.com.

CIO Connect Expert View - When Things Go Wrong

Options for a CIO in Resolving Contractual Problems

The Challenge

Organizations increasingly rely on a complex and fast-moving network of third parties, including ‘as a service’ or cloud providers, to implement and support critical IT services. And so they should: out-tasking removes many technological risks from businesses not best equipped to deal with them. CIOs are also rightly encouraged to embrace disruption and ‘start-up’ vendors to maximize opportunities from innovative ways of working.

At the same time we must recognize that these positive trends introduce a significant level of commercial risk that cannot be left unmanaged. In a dynamic multi-sourced network there is a greatly increased risk of vendors failing to deliver the required level of integrated services. The three most common areas that give rise to problems are vendors:

  • Not adopting collaborative behaviours when working with competitors to deliver an integrated service
  • Being resistant to proposing innovation and change to the benefit of the client
  • Not adopting constructive approaches to resolving disputes which can arise even in the best managed relationships

The increasingly volatile nature of the vendor market and the lower capital strength of new vendors in the market also present increased risks to service continuity, from vendors failing to stay in business or from being absorbed into stronger (and potentially less attractive) competitors.

There is much good advice, especially from CIO Connect, around how to manage vendors to mitigate these risks. I do not intend in this article to repeat that, but rather to explore what options exist for a CIO and team when prevention has not worked.

Managing the Conflict

Technology failures and human errors cannot be avoided completely even in Tier 1 providers. In a complex outsourced service model these invariably lead to disputes over who is responsible and who should pay. The contract may appear to be clear on this but very often day to day service delivery depends on important intangibles not covered by the legal allocation of responsibilities and liabilities. From my own experience as a CIO I am clear that naïvely hoping that disputes don’t happen doesn’t work. We need to accept that a constructive approach to managing conflict is essential to maximizing value from key and long term vendor relationships.

My current role as an arbitrator has taught me that positive dispute management should be based on very clear processes for escalation of a problem within the party organizations. In many cases the problem will be resolved eventually by an agreement between individuals and it is essential that good communication lines are kept open throughout the dispute.


However it is naive to assume that parties to a dispute will be able to take an entirely objective view of the problem unaffected by their own corporate pressures and interests. Inter-party negotiations should be supported by early recourse to a professional third party able to provide an independent view before parties become too entrenched. It is important to ensure during contract negotiations that such recourse is incorporated in a valid arbitration clause.

There are two main approaches to independent involvement in a dispute. In the first category the parties to a dispute may commission an independent analysis of the causes of a dispute and a report containing an objective assessment of the dispute and a proposed framework for resolving the dispute. This is known as early neutral evaluation or ENE, and is often the forerunner to the appointment of an independent mediator between the parties who will endeavour to facilitate an agreed settlement between the parties.

However if an agreed settlement is not possible through ENE or mediation, the parties may agree to the appointment of an independent arbitrator. An arbitrator will conduct a formal resolution process and the parties must agree in advance to accept the outcome of the resolution. Arbitrations for contracts concluded under English Law will be conducted within the Arbitration Act 1996 but other jurisdictions have similar legislation and sets of arbitral rules governing the conduct of the dispute.

Why Arbitration?

An arbitration is not a court case and need not involve legal representation. However it still provides an effective resolution as it is a legally binding process, rules of evidence apply and an arbitrator’s awards are usually legally enforceable.

Managed correctly, arbitration should always be more cost effective than litigation. With the agreement of the parties it is possible for the arbitrator to fix in advance how much the case will cost and how long it will take.

In addition the parties are able to select an arbitrator who is qualified to understand the professional and technical context of their dispute. In many cases the arbitrator can deal with the case without a hearing but even if one is required the arbitrator will seek to minimise the adversarial nature of a court case and concentrate on establishing the merits of each case using the facts rather than points of law.

The arbitrator is also legally bound to conduct the resolution with strict impartiality and also ensure confidentiality unlike a court case which of course is in the public domain.

In short taking a dispute to arbitration means that it can be resolved in a legally binding way but as it is conducted confidentially, impartially, and relatively swiftly at a known cost the matter can very often be resolved without undisputed areas of the contract being affected.

Summary

Prevention is always better than cure and, to ensure effective management of the risks arising from reliance on external sources for key business services, CIOs should have good vendor management processes and a clear understanding of vendor risks in place.

However CIOs also need to be aware that problems will arise even in the best managed contracts and having a constructive approach to managing disputes in place is essential. Early recourse to an independent mediator or arbitrator is part of a constructive approach and this will often be crucial in ensuring that vendors deliver the business value that was anticipated during the procurement and sales process.

About the Author:

Stephen Hand is a Fellow of the Chartered Institute of Arbitrators and a member of the Institute’s Business Arbitration panel. He is the former CIO of a global marine organisation with many years’ senior IT management experience.