The World Economic Forum’s Global Risk Report 2020 recognizes ‘cyberattacks as the second most concerning risk for doing business globally over the next ten years.’ This fact puts cybersecurity leaders at the helm of a plethora of risk management as well as crisis management efforts, unless, as a leader, you plan and delegate better cybersecurity programs.
But as a C-level executive, when you feel like a clock is always ticking, and that crucial tasks will take a backseat regardless of how well scheduled your activities are, where would you begin to prepare for the revolution that your business is looking at? The 4IR technologies relying on 5G today (and soon on 6G) demand a constant game of catch-up and spare nobody. There is no fighting digital transformation, and as a leader, nothing is more humbling, or more challenging, than spearheading this revolution with your cybersecurity and integrity at their finest.
Below are challenges, factors, and to-dos to help you through the tide. Read on…
What are the factors and challenges that surround cybersecurity?
Much like all the mission-critical transformations that businesses are faced with, cybersecurity’s breakneck speed and extent do not rely on one ‘set of best practices.’ As clichéd as it sounds, building toward a security-led way of life is what it takes. Let’s get it out of the way right at the beginning – fool-proof security isn’t your IT head’s lone KPI. It is an organizational responsibility that, when failed, could undermine everything your organization has built.
So let’s look at the factors influencing cybersecurity –
Transparency and visibility
The term ‘real-time’ is overused. From your laundry service provider to your AI analytics engine, everything and everyone is all about leveraging the power of ‘now.’ That power of now is of paramount importance to being cyber secure, and you need to keep an eye on the expanding threat envelope in ‘real-time.’ More importantly, senior leaders must communicate internally and externally about what the organization is doing to stay on track. At times, the speed of this reaction is all that differentiates a vulnerability from a catastrophe. Having multiple remote teams and a whole bunch of different vendors and suppliers across geographies means that the cyber real estate you oversee includes parties and nationalities who aren’t necessarily as well-prepared to stay protected but are nevertheless under your purview. Further, when you talk about it often enough and foster faith in your employees, partners, associates, and shareholders, not only will they begin to value cybersecurity awareness, but they will also have your back when unforeseen events strike. No company can justify either opaque operations or ignorance about its cyber footprint. 2020 and its technologies are unforgiving. So, don’t let poor visibility cost you dearly.
Visibility sure gets the ball rolling. But what next? A typical change management woe: people most often don’t take ownership of the changes, the new set of ideas and plans that can potentially make a difference. A collaborative culture is of utmost importance then. Faced with threat actors who can cost you billions, the competing priorities of different teams, animosity between geographies, or poor vendor relationships will all take a backseat. As an organization, invest in stakeholder and employee training measures to generate buy-in. Only when the whole tribe of your cheerleaders willingly and consciously takes the right steps – from adhering to best practices to getting the proper controls in place – can you genuinely brag about a zero-trust culture that’s alive and kicking! Go ahead, throw open communications about everything – including whether everyone takes customer data protection, access controls, and data privacy seriously enough.
As an entity, your company would have a long-term strategy for nearly everything.
Does this include your cybersecurity program? It can come as a shock that even the most nuanced of leaders fail to outgrow the ‘fire-fighting’ frame of mind when it comes to cybersecurity. They only fix what is broken and carry on. But the long-term picture is missing. As a result, insider attacks could wreak havoc until detected. Target much?
So, it is essential to dedicate resources to long-term strategy planning such that you always have the basics covered, stay ahead of malicious elements, and, most importantly, don’t sacrifice innovation at the cost of security awareness. Your cybersecurity vision must factor in innovation, changing technologies and their relatively insecure endpoints, as well as the fact that identities are everywhere – wearable, shareable, and soon enough employable. Don’t firefight. Nip the arson in the bud.
Continuing from the previous point, today’s cybersecurity tech stack is the product of the ‘firefighting’ phenomenon, which means that the tools are islands isolated from one another. This staccato approach has left CISOs red in the face, often trying to answer uncomfortable ‘ROI’ related questions even as they scramble to decipher the data they need. At the other extreme, chasing false alarms is often cited as a productivity damper too. The sweet spot then lies in the right platform: one that can bring the different islands together, can direct action with the correct data, and can scale with the organization’s maturity. Consolidating your infrastructure through a platform, or opting for one that is open to multiple integrations across the cybersecurity landscape, are both sound starting points. Of course, such a solution does not emerge on its own. It is the consequence of a vision, a conscious effort to align cybersecurity leaders and thought processes within the organization and, ultimately, trying different approaches until the winner is found.
“Two-thirds of cybersecurity professionals polled at RSA Conference 2019 say they have had to change where they do business and with whom due to international cybersecurity concerns,” as quoted by Computer Weekly. This one fact probably summarizes the multi-layered influence that geopolitics has on cybersecurity better than anything else does.
Themed the ‘human element,’ this year’s conference is likely to delve deeper into how people in the network must be secure to make security a real priority. Also, the role of leadership in making businesses and the world at large secure enough will be discussed.
Add to this a slowing economy that makes purse strings tighter and changing policies that make talent mobility across borders harder, and a CISO needs to collaborate with people and culture leaders to emphasize the security of the ‘world’ over everything else in order to break geopolitical barriers.
What are the immediate steps you can take to do things better?
There are a whole lot of guides, an abundant number of certifications, and qualified folks to take care of cybersecurity. Yet, by 2030, the economic impact of threats could reach 90 million. What is amiss, and what is the starting point?
Measure, prevent, and respond. This routine is on-going.
Unlike project handovers, there is no rest for the wicked when it comes to the state of your cybersecurity process. It is an ongoing ecosystem that MUST always be on.
Threat vectors are changing sooner than non-mature industries can adapt, technology upgrades translate to loopholes that organizations are unaware of, and, to top it, threats now include ransomware-as-a-service and DDoS for hire, as per the World Economic Forum’s ‘The Cybersecurity Guide for Leaders in Today’s Digital World.’ Further, the MITRE framework is an excellent rulebook for leaders to go with.
What is the recommended ‘Three-pronged approach’?
1. Have multiple levels of risk assessment and contingency measures. Ensure that your internal systems prevent risks and that you have prevention metrics readily available.
2. All threats cannot be prevented internally, and this is where controls must be placed to take immediate action to ensure that damage is minimized.
3. While we cover response management comprehensively in the following point, when the right detection happens, you will also need to provide respective departments with the knowledge and autonomy to take the right steps.
While large companies can afford large-scale cybersecurity operations spanning technology, people expertise, and the bandwidth to operate them, mid-sized and smaller organizations will benefit from outsourcing to managed services experts until they can develop a better grip over things.
Crisis management and recovery plans are crucial no matter how prepared you are
While the Norsk Hydro attack cost the aluminum giant around $40m, it was unanimously applauded for the way it handled things –
“Norsk Hydro has been applauded on how it handled its public relations, with daily updates on its progress in restoring operations. But had it not done so, the attack could have inflicted significant reputational damage and loss of confidence in the brand, for which the costs can be much higher – and take longer to recover from.”
It is one thing to learn to endure what you cannot prevent. But nuanced crisis management best practices and recovery processes ensure that your reputation, trust, and integrity remain safe.
Here, crisis management involves multiple areas. In an era of technology overdependence, you must have backup plans that include some degree of manual processes that remain unaffected at the time of a crisis. Further, teams must learn to work cross-functionally, including being able to render an affected department the right support to get going again. Most importantly, a detailed plan that covers everything from the controls you apply to the internal as well as public communication approaches you take in an emergency is crucial. The media must be given a unified response from all parties. When communication is ambiguous and contradictory, it makes everything that much worse.
Also, after an event occurs, you will have to be able to recover your resources quickly and make a speedy yet healthy recovery.
1. Understand your critical assets spanning your finances, infrastructure, intellectual property, and data. Have multiple levels of risk metrics and disaster management controls in place, depending on the extent of the breach. Further, if the threat only reached your periphery and didn’t touch your critical assets, you can qualify it as a milder breach and keep customers informed accordingly. Besides, clarity on organizational assets and priorities is crucial.
2. Further, the recovery plan must factor in the assets detailed above and have policies and controls listed, such as recognizing the backup server location and the process involved in governing it.
3. Communicate the strategy you have in place and govern your policies. Review your policies, keep doors open to communicate, and ensure that everyone stays informed.
Cybersecurity hygiene is technology, management, and human intuition all coming together.
The tripod will fall no matter which leg is affected.