Cybersecurity perils: What CISOs must bear in mind By Elets News Network - 22 November 2019
In a world where cyberattacks have become the norm, organisations have no option but to make cybersecurity a top priority. Cyberattacks can affect the very ability of an organisation to fulfil its mandate. Many cybersecurity leaders and teams voice concern about a lack of funding and minimal executive support at all levels of the organisation (including the CISOs). However, this is a symptom and not the root cause. It is therefore critical to understand and examine the root causes, which organisations can easily miss, and which leave the company's true security risk reduction lagging. Many companies understand the implications of cyberattacks but are still behind in implementing the security measures.
Here are the top five cybersecurity pitfalls organisations face and what they should do to overcome them:
1. Prioritise business risk
Today a number of cybersecurity programs are attempting to boil the ocean instead of focusing on what is most important for the business. Enterprises must know which business processes and information are of the utmost importance and make efforts to protect them.
Some organisations have made attempts to identify the most critical data and assets to protect, though this often leaves out integrity and availability concerns and focuses solely on data theft (confidentiality). Business continuity and IT disaster recovery programs and plans traditionally work to ensure that the organisation can react to availability issues from any type of outage. In many cases, these efforts are disjointed, and data integrity risks are largely left to be managed by the quality or compliance department.
What to do:
Chief Information Security Officers (CISOs) can help their companies connect deeply with their business. They can work through worst-case scenarios for information theft and manipulation without limiting their thinking to IT systems. Once the company focuses on the most critical elements of the business, it can build speed and depth to protect them. For example: if a company has 1,000 IT systems and 10 different functional areas, comprising 500 business processes, where does the company start protecting its systems? Is everything critical? We have seen companies fail to answer this question and significantly slow their efforts on a critical control, or focus only on one risk dimension (e.g. compliance, or data theft).
One can identify the elements most critical to the business simply by imagining what the CEO would be most concerned about if a cyberattack hit at 3 a.m. The CEO won't be concerned about the technical details but would rather focus on business risk and operational impact. Keeping this in mind lets you focus your information security program.
2. Avoid media distractions
Today, the media plays a key role in educating people about cybersecurity breaches. At the same time, the media distracts the enterprise. This is mainly due to privacy-driven data breach reporting laws: media attention tends to focus on customer breaches and exposed personal information rather than on the pitfalls or reasons behind such an event.
This reporting bias doesn't account for all of the internal and external attack types or for the company's true risk impact profile. Employees who read media stories on security breaches may slip into a reactive mindset or start exhibiting confirmation bias that may or may not apply to the particular situation of your company. This kind of thinking can distract you from your organisation's biggest risks.
What to do:
One cannot control the kind of articles employees read, but there is a strategy to avoid knee-jerk reactions to specific vulnerability and breach-related news. The company can leverage news media in a way that provides isolated value instead of creating a distraction, by getting deeply involved in threat intelligence and sharing with other companies. One can evaluate the inputs from the media so as to rationalise what you should react to and act upon.
3. Be strategic about your cyber tool plays
Judging from the social media backlash about the "vendor circus" at major security conferences and events, there is some recognition and reflection about cyber tool sprawl. When it comes to technologies like AI, machine learning and blockchain, we are often promised silver bullets, and told that these tools should be implemented as soon as possible. This creates a sense that, if they are not deployed, the company faces imminent failure in protecting itself.
We recently learned about a smaller organisation's security leader who was proud to have acquired seven marquee threat detection tools. When we asked him how he was able to leverage them all effectively, his reply was that he focused on the one that gave him the most actionable data. He was using only one threat detection tool at a time. The other six were still running and producing logs and alerts, but no one was looking at them.
What to do:
It is a known fact that a company's strategic architecture practices may not yield their full potential at the beginning. But bringing a deeply experienced, big-picture security architect on board to develop an ecosystem of cybersecurity tools will help the company scale appropriately. CISOs need to look past the initial funding for "cool" tools towards the more comprehensive total cost of ownership (for both internal and external resources), linkages to business scope, the ability to drive down risk and plans for appropriate scale.
4. Know the basics
One should know the basics, as these matter the most to any organisation. According to the Center for Internet Security Critical Security Controls (CIS CSC), the top four basic controls are inventory and control of hardware, inventory and control of software, continuous vulnerability management, and controlled use of administrative privileges. However, many organisations report ineffective or incomplete efforts in all four of these fundamental areas. Meanwhile, investments may be focused more on tools and controls that are popular in the market.
What to do:
The solution is to prioritise some core efforts and basics in order to ensure that your team isn't spread so thin working on shiny new tools that it obstructs progress on the critical building blocks.
The CIS CSC provides a robust and periodically updated playbook that includes hardware and software inventory, vulnerability management, controlling admin privileges, secure configuration (hardware/software) and maintenance and monitoring of logs. While all of these seem essential for any security program, not many companies have made solid progress towards maturity in them.
Connecting the dots between prioritising business risk and solidifying the basics, companies should leverage business risk to drive their privileged access security programs.
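The four basic controls named above are, at bottom, reconciliations: what you have approved versus what is actually present. The script below is an added illustration, not code from the article or from CIS or CyberArk; it reconciles a constructed hardware inventory against constructed DHCP sightings, a constructed software baseline against observed packages, open vulnerability findings against an assumed remediation SLA, and an approved admin list against actual admin group membership. All data, hostnames, MAC addresses, package names and SLA values are constructed sample values; in practice they would come from the CMDB, DHCP or switch logs, a vulnerability scanner and the directory service.

```python
"""
Reconcile approved state against observed state for the four CIS CSC basic
controls: hardware inventory, software inventory, vulnerability management
and administrative privileges. Every input below is constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample: approved hardware inventory, keyed by MAC address (CIS control 1).
APPROVED_HOSTS = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "workstation-101",
    "aa:bb:cc:00:00:03": "printer-2f",
}

# Constructed sample: devices that obtained a DHCP lease in the last day (MAC, claimed hostname).
OBSERVED_DHCP = [
    ("aa:bb:cc:00:00:01", "fileserver-01"),
    ("aa:bb:cc:00:00:02", "workstation-101"),
    ("de:ad:be:ef:00:09", "unknown-laptop"),  # constructed: not in the inventory
]

# Constructed sample: approved software baseline per host versus installed packages (CIS control 2).
APPROVED_SOFTWARE = {"fileserver-01": {"openssh", "samba"}, "workstation-101": {"chrome", "office"}}
OBSERVED_SOFTWARE = {"fileserver-01": {"openssh", "samba", "legacy-agent"}, "workstation-101": {"chrome", "office"}}

# Constructed sample: open scanner findings as (host, severity, days open) and an assumed SLA (CIS control 3).
OPEN_VULNS = [("fileserver-01", "critical", 45), ("workstation-101", "low", 10)]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample: approved admin accounts versus current admin group membership (CIS control 4).
APPROVED_ADMINS = {"alice", "svc-backup"}
OBSERVED_ADMINS = {"alice", "svc-backup", "bob"}


@dataclass(frozen=True)
class Finding:
    control: str
    subject: str
    detail: str


def unmanaged_hardware(approved, observed):
    """Devices seen on the network whose MAC is not in the approved inventory."""
    return [Finding("CIS-1 hardware inventory", mac, f"unknown device claiming hostname {name!r}")
            for mac, name in observed if mac not in approved]


def unapproved_software(approved, observed):
    """Installed packages that are not part of the host's approved baseline."""
    findings = []
    for host, pkgs in observed.items():
        for pkg in sorted(pkgs - approved.get(host, set())):
            findings.append(Finding("CIS-2 software inventory", host, f"unapproved package {pkg!r}"))
    return findings


def overdue_vulns(open_vulns, sla=SLA_DAYS):
    """Open findings whose age exceeds the remediation SLA for their severity."""
    return [Finding("CIS-3 vulnerability management", host,
                    f"{sev} finding open {age}d exceeds {sla[sev]}d SLA")
            for host, sev, age in open_vulns if age > sla[sev]]


def excess_admins(approved, observed):
    """Accounts holding admin rights that are not on the approved list."""
    return [Finding("CIS-4 admin privileges", user, "in admin group but not on approved list")
            for user in sorted(observed - approved)]


def reconcile():
    """Run all four reconciliations and return the combined list of findings."""
    return (unmanaged_hardware(APPROVED_HOSTS, OBSERVED_DHCP)
            + unapproved_software(APPROVED_SOFTWARE, OBSERVED_SOFTWARE)
            + overdue_vulns(OPEN_VULNS)
            + excess_admins(APPROVED_ADMINS, OBSERVED_ADMINS))


if __name__ == "__main__":
    for f in reconcile():
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Each function takes the approved and observed sets as arguments, so the same checks can be pointed at real exports once the constructed data is replaced; the value of the exercise is less in the code than in discovering that the approved lists do not exist or are stale, which is exactly the incomplete effort on the basics that the article describes.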
5. Get tools and capabilities to the appropriate scale
It often happens that a company buys a tool but does not implement it fully and then moves on to the next new thing, or realises that it doesn't have the resources to execute, scale up or support the tool after the initial investment money runs out. This does nothing to reduce risk in the organisation.
What to do:
Getting to the appropriate scale with these efforts is the only way to fully achieve the risk reduction that your money, time and effort have cost you. Scaling is hard, but it is where the magic happens with risk reduction. The "appropriate scale" connects directly back to the business risks you plan to reduce.
Companies that achieve appropriate scale leverage solid and consistent project management and measurement methodologies. They think proactively about the total cost to achieve the desired risk reduction. They don't run after new tools when they see their peers implementing them. Since many CISOs have a maximum of two years of tenure in the role, they may not be focusing on long-haul solutions at scale.
(Views expressed above are the personal opinion of Rohan Vaidya, Regional Director of Sales – India, CyberArk)