There is rarely a day that goes by when we do not hear of a cyber breach. Often the target is small and medium companies, and the result of a cyber-attack can mean loss of operations or even going out of business.
The reality is that a new era of exponential digital connectivity, accelerated by the COVID-19 pandemic, has shifted the security paradigm to employees working from hybrid and remote offices. The threats have grown along with the connectivity. The growing and increasingly sophisticated cyber-threat actors include criminal enterprises, loosely affiliated hackers, and adversarial nation states. The cyber threat is so pervasive that it is estimated to cost the world $10.5 trillion annually by 2025 (Cybercrime To Cost The World $10.5 Trillion Annually By 2025, cybersecurityventures.com).
In our current digital environment, every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach. What should the C-Suite do?
The C-Suite needs to address the new realities and prioritize cybersecurity. Executives can no longer view security, both physical and cyber, as a cost accounting item. It needs to be prioritized as an investment in people, processes, and technologies. It really needs to be part of the company culture from top down.
The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity, whether it involves law, finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber threats are ubiquitous, they can be an existential event for companies, and the C-Suite urgently needs to have a plan.
- Adopt an Industry-Specific Cyber-Risk Management Strategy
Create a corporate risk management strategy and vulnerability framework that identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity.
Risk management strategies should include people, processes, and technologies. This includes protecting and backing up business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel and detection, firewalls, etc.) and policies. That risk management approach must include knowing your inventory and gaps, integrating cybersecurity hygiene practices, and procuring and orchestrating an appropriate cyber-tool stack. It should also include having an incident response plan in place in case you are breached.
There are several encompassing security strategies to evaluate, depending on your requirements and threat posture. These include:
Security by Design is really the initiation point of a risk management process – especially if you are a software or hardware developer concerned with security. In an article in United States Cybersecurity magazine, cybersecurity expert Jeff Spivey provided an excellent working definition: “Security by Design ensures that security risk governance and management are monitored, managed, and maintained on a continuous basis. The value of this ‘holistic’ approach is that it ensures that new security risks are prioritized, ordered, and addressed in a continual manner with continuous feedback and learning.” Security by Design | United States Cybersecurity Magazine (uscybersecurity.net)
Defense in Depth. A variety of strong definitions exist for defense in depth in the security community. A NIST publication defines the defense-in-depth concept as “an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is ‘deep,’ containing many layers of security, and ‘narrow,’ the number of node independent attack paths is minimized.” Measuring and Improving the Effectiveness of Defense-in-Depth Postures | NIST
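The NIST wording above gives two measurable properties of a posture: "deep" (many layers between the attacker and the asset) and "narrow" (few node-independent attack paths). The following is an added Python example, not code from the article or from the NIST paper it quotes. It models an environment as a constructed attack graph (nodes are systems or controls an attacker must compromise in turn, edges are possible moves) and scores depth as the fewest interior nodes on any path from the entry point to the target, and width as the number of vertex-disjoint attack paths, computed as a max flow after splitting each interior node into a capacity-1 in/out pair. The two sample postures are invented for illustration.

```python
"""Added example (not from the article or the NIST paper): scoring a
defense-in-depth posture as "deep" and "narrow" on a constructed attack graph.
"""
from collections import deque


def _max_flow(cap, source, sink):
    """Edmonds-Karp max flow on a dict-of-dicts residual capacity map."""
    flow = 0
    while True:
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:       # BFS for an augmenting path
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        bottleneck = float("inf")                 # smallest residual capacity on the path
        v = sink
        while parent[v] is not None:
            bottleneck = min(bottleneck, cap[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:              # push flow, add reverse residual edges
            u = parent[v]
            cap[u][v] -= bottleneck
            cap[v][u] = cap[v].get(u, 0) + bottleneck
            v = u
        flow += bottleneck


def independent_attack_paths(edges, entry, target):
    """Width: number of node-independent (vertex-disjoint) paths entry -> target.

    Each interior node n is split into (n, 'in') -> (n, 'out') with capacity 1,
    so no two counted paths can share a compromised system.
    """
    nodes = {entry, target} | {n for edge in edges for n in edge}
    cap = {}
    for n in nodes:
        if n in (entry, target):
            cap[n] = {}
        else:
            cap[(n, "in")] = {(n, "out"): 1}
            cap[(n, "out")] = {}

    def tail(n):
        return n if n in (entry, target) else (n, "out")

    def head(n):
        return n if n in (entry, target) else (n, "in")

    for u, v in edges:
        cap[tail(u)][head(v)] = 1
    return _max_flow(cap, entry, target)


def attack_depth(edges, entry, target):
    """Depth: fewest interior nodes an attacker must compromise, None if unreachable."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    dist = {entry: 0}
    queue = deque([entry])
    while queue:
        u = queue.popleft()
        if u == target:
            return max(dist[u] - 1, 0)
        for v in adj.get(u, []):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return None


def posture_metrics(edges, entry, target):
    """Return the two NIST-style numbers: deep (large depth) and narrow (small width) is better."""
    return {"depth": attack_depth(edges, entry, target),
            "width": independent_attack_paths(edges, entry, target)}


# Constructed sample postures. FLAT: three internet-facing systems each lead
# straight to the crown jewels. LAYERED: the same entry points funnel through
# app and jump tiers into one database tier, so paths share a choke point.
FLAT_POSTURE = [("internet", "web"), ("web", "crown_jewels"),
                ("internet", "vpn"), ("vpn", "crown_jewels"),
                ("internet", "mail"), ("mail", "crown_jewels")]
LAYERED_POSTURE = [("internet", "web"), ("web", "app"), ("app", "db"),
                   ("db", "crown_jewels"), ("internet", "vpn"),
                   ("vpn", "jump"), ("jump", "db")]

if __name__ == "__main__":
    for name, graph in (("flat", FLAT_POSTURE), ("layered", LAYERED_POSTURE)):
        print(name, posture_metrics(graph, "internet", "crown_jewels"))
```

The flat posture scores depth 1 and width 3: one compromised host reaches the asset, and three separate hosts each give an independent route. The layered posture scores depth 3 and width 1, since every route must pass through the database tier. Real attack graphs are much larger, but the same two numbers are what the quoted definition asks a defender to push in opposite directions.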
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses zero-trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource. The NIST document contains an abstract definition of zero-trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture. Zero Trust Architecture | NIST
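To make the "discrete functions performed before a session is established" concrete, here is an added Python example of a minimal zero-trust policy decision point. It is not code from the article or from NIST. Subject authentication, device authentication, and authorization run in turn on every request, and the request's source IP is carried but never consulted, so an office-LAN request gets no implicit trust and an internet request is not penalized. The users, devices, resources, policy table, and token lifetime are constructed sample data standing in for an identity provider, a device inventory, and a policy store.

```python
"""Added example (not from the article or NIST): a minimal zero-trust policy
decision point that ignores network location and decides per request.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: identity provider, device inventory, policy store.
USERS = {"alice": {"groups": {"finance"}, "mfa": True},
         "bob": {"groups": {"engineering"}, "mfa": False}}
DEVICES = {"laptop-01": {"managed": True, "patched": True},
           "byod-phone": {"managed": False, "patched": True}}
# resource -> (required group, managed device required)
POLICY = {"finance-db": ("finance", True),
          "wiki": ("engineering", False)}
TOKEN_TTL = timedelta(minutes=15)  # assumed session token lifetime


@dataclass(frozen=True)
class Request:
    subject: str
    device_id: str
    resource: str
    token_issued: datetime
    source_ip: str  # present in the request, deliberately never read by the policy


def check_subject(req, now):
    """Subject authentication: known user, MFA satisfied, token still fresh."""
    user = USERS.get(req.subject)
    if user is None:
        return False, "unknown subject"
    if not user["mfa"]:
        return False, "mfa not satisfied"
    if now - req.token_issued > TOKEN_TTL:
        return False, "stale session token"
    return True, "subject authenticated"


def check_device(req):
    """Device authentication: known device with acceptable posture."""
    dev = DEVICES.get(req.device_id)
    if dev is None:
        return False, "unknown device"
    if not dev["patched"]:
        return False, "device not patched"
    return True, "device authenticated"


def check_authorization(req):
    """Authorization against the resource policy; unknown resources are denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, f"no policy for {req.resource}: default deny"
    group, managed_required = rule
    if group not in USERS[req.subject]["groups"]:
        return False, f"{req.subject} not in group {group}"
    if managed_required and not DEVICES[req.device_id]["managed"]:
        return False, f"{req.resource} requires a managed device"
    return True, "authorized"


def decide(req, now=None):
    """Run the three discrete checks in order; stop at the first failure.

    Returns (allowed, reasons). Nothing here looks at req.source_ip.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    for ok, reason in (check_subject(req, now), check_device(req)):
        reasons.append(reason)
        if not ok:
            return False, reasons
    ok, reason = check_authorization(req)
    reasons.append(reason)
    return ok, reasons


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=1)
    # Same identity and device from the internet and from the office LAN: same answer.
    for ip in ("203.0.113.7", "10.0.0.5"):
        print(ip, decide(Request("alice", "laptop-01", "finance-db", fresh, ip), now))
    # Office LAN but unmanaged device: denied despite the "trusted" location.
    print(decide(Request("alice", "byod-phone", "finance-db", fresh, "10.0.0.5"), now))
```

The ordering matters: authorization only runs once both the subject and the device have been authenticated, and a request for a resource with no policy entry is denied rather than falling back to "inside the network, so allow".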
These three pillars of cybersecurity risk management need not stand alone. In fact, they should all be incorporated together in a cybersecurity framework strategy to identify gaps, mitigate threats, and build resilience in the case of an inevitable cyberattack.
Please see my article in Forbes: Combining Three Pillars Of Cybersecurity (forbes.com)
Good industry-specific sources for adaptive risk management frameworks can be found at NIST: http://www.nist.gov/cyberframework/
And at MITRE: MITRE Engage: A Framework and Community for Cyber Deception | The MITRE Corporation
- Test, Simulate, and Identify Gaps to New Real-World Cyber Threats with Risk-Based Metrics
Penetration testing is a good practice, but most testing programs have not kept current with the cyber-threat ecosystem. Cyber breaches are not a static threat, and criminal hackers are always evolving their tactics and capabilities. The evolving cyber threats can make traditional testing methods inadequate. Cyber criminals are now using stronger evasion techniques, including malware that stops running when it detects malware detection software. Exploit kits injected into the target system inject code and manipulate memory space; often these criminals use stolen certificates, sold underground or on the dark web, to bypass anti-malware detection and get around machine-learning-based defenses. Some go one step further, using fileless, living-off-the-land attacks that use steganography to encrypt and hide many types of malicious software.
Testing tools at scale deliver enormous amounts of data, all of which needs to be correlated and prioritized in terms of metrics. These tasks take time, and CISOs are often dealing with more data than they have people to analyze it. CISOs need real-time reports that provide quantifiable security KPIs to measure and track security performance.
Because of the sophisticated and growing attack surface being exploited by hackers, testing needs to go beyond traditional vulnerability scanners and manual penetration testing. It also needs to be automated to keep pace with the evolving cyber landscape. Simulation testing fills that gap. Simulation results can be immediate, simulations can be performed frequently, and they do not rely on the skill level of the tester, which can be a weak point that leaves vulnerabilities undiscovered.
Simulation combined with penetration testing is a good avenue to consider. Specifically, breach and attack simulation (BAS) technology can be used for both cloud and on-premises environments. Simulated attacks also enable the security blue team to assess and fine-tune their detect, alert, and respond capabilities through integrations with existing security programs and systems, including vulnerability management, EDR, SIEM, SOAR, and GRC systems. Via BAS, companies can verify how effectively their virtual fences guard their systems and can also spot potential leaks that need to be fixed. The need for modernization and digital transformation will drive demand for continuous testing and attack path management tools used in cybersecurity simulation solutions.
- Build a Cybersecurity Leadership Team for Cyber Defense and Incident Response
Cybersecurity at the C-Suite level requires effective communication with the board and management team. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and the safety of their networks. They must be cross-disciplined and capable of creating an incident response framework that includes mitigation, business continuity planning, and secure backup protocols in case networks and devices are compromised. The leadership team should also coordinate continual security training for employees.
- Consider a Cybersecurity Hub
Evolving cybersecurity challenges require strategy and new and collective thinking. One initiative to consider is creating an internal company “Cyber Hub” (CH) to optimize corporate approaches to cybersecurity such as simulation and testing and act as a purple-teaming fusion center.
The benefits of creating a CH could cut across a wide number of different areas. The CH itself should be composed of those who can help steer the company and should include the C-Suite management leadership, the board, and especially the CISO, CIO, and CTO. The CH would operate as an internal operational think tank geared toward planning the specifics of mitigating, and being more resilient to, cyber threats, especially those arising from remote and hybrid work.
Having a CH team to share insights and recommendations would, at a minimum, provide an exceptional return on investment, and more likely add value to ensuring company security and vitality.
For more details on this topic please see my article in Forbes: Creating An Internal Cybersecurity Hub Inside Your Company (forbes.com)
- Utilize the Board of Directors and Bring in Outside Expertise
For the C-Suite, the easiest way to address cybersecurity knowledge gaps is to have a strong board of directors and/or advisors. Board directors should have a working understanding of risk management (and risk exposure) and context on the array of threats and threat actors. A board's areas of special knowledge should prioritize risk management and cybersecurity as a company imperative, including legal compliance, cybersecurity technology solutions and services, training, liability insurance, governance, and policy.
Cybersecurity requires expertise and experience. A corporate board should include a blend of internal and outside subject matter experts. It is very useful for executive management to get perspectives and ideas from experts on the outside for situational awareness, technology validation and threat intelligence. This will be especially important as we move forward in digital transformation.
The evolving tech landscape will include artificial intelligence, machine intelligence, IoT, 5G, virtual and augmented reality, and quantum computing, which will have a disruptive impact on business operating models and security during the next decade. The leadership team should have a strong understanding of how best to leverage these tools to optimize future cybersecurity scenarios.
There are many challenges to functioning securely in a changing digital world catalyzed by emerging tech. For industry, it requires constant awareness and restructuring of plans so that they can detect, prevent, and mitigate changing cyber threats. In the past, much of industry's cybersecurity focus and activity has been predominantly reactive and viewed as an operating cost. Being proactive is not just procuring technologies and implementing policies; it also means adopting a new security mindset with heightened testing. For the C-Suite it should also include a recognition that cybersecurity risk management is an investment in a company’s future and survival.