Rethinking Cyber Security Governance - Adaptive Agile
I have spent decades across different fields, especially in IT governance and risk management. I have helped CIOs and senior C-level leaders address the challenges facing their organisations and find solutions that meet their needs. The nature of those challenges and solutions was at times tactical, and at other times strategic. Most of them were transformative in nature. Most of those critical solutions broadly accommodated tolerable timelines of remediation. The challenges were, dare I say, relatively static; hence, a reactive remediation didn't bring down the business in an instant. I always hesitate to quote studies, because they can be used to prove any point, but I think this stat proves the broader aspect that breaches are rising at an exponential pace. Based on a study by Risk Based Security:
In 2017, globally there were a total of 5,207 breaches and 7.89 billion information records compromised - the worst year on record, and the trend is picking up.
Dealing with information security across all domains is a significant challenge and needs a different mindset. The nature and sources of threats are morphing by the hour. It is akin to fighting an invisible enemy who is trying to compromise the entire business. Enterprises must evolve, or in many cases, think like the "bad guys," and protect themselves against the sophisticated challenges such morphing brings. If a CIO or IT leadership tried to adopt the old reactive mindset or "keep the lights on," they certainly would pay a significant price and look very ineffective to their business stakeholders.
The attack surface is wide and porous. The information security triad of Confidentiality, Integrity, and Availability (CIA) needs an almost paranoid approach to defending the enterprise against both insider and outsider attacks, while ensuring that information assets remain available for all legitimate enterprise functions.
The traditional paradigm of IT/enterprise infrastructure management, and even of security, relies on historical data and views it as static. It prioritises identifying risks and mitigating them through reactive measures. For example, infrastructure instability might lead one to determine that an outage would disrupt a business function, which would lead to lost orders or some other financial impact. There was enough time to put mitigating measures in place over a period of time while taking ad-hoc steps in the interim. Information security breaches don't lend themselves to such accommodative, reactive mitigations.
Information security in the past meant considering compliance needs or addressing perimeter network security, and these approaches felt adequate.
This perimeter approach falls way short and, in fact, could debilitate your organisation and practically put you out of business. Despite being ISO 27000 or PCI compliant or, for that matter, meeting any other standard, 90% of enterprises with such frameworks and standards in place are still attacked and compromised on a daily basis. If ISO, NIST, and other standards alone are not the answer, what do enterprises do to defend themselves?
It starts by recognising that a potential cybersecurity compromise is a business risk, not an IT risk. Also necessary is realising that any attack could permanently debilitate the organisation, and therefore one must treat these topics with a paranoid mindset. Finally, it's necessary to accept the fact that getting hit is inevitable. Hackers are relentless, are becoming more sophisticated, and will target any vulnerability.
It is akin to guerrilla warfare: they are invisible, and you are exposed; they are small, and you are big and vulnerable; they have very little and you have everything to lose. They know you and you don't know them.
Last but not least, your enterprise is no longer bound by perimeters; it is practically boundless, and that means any one weak link could compromise the entire chain and bring down your enterprise. It extends to your entire information and digital supply chain.
Let us explore the key principles that would lay a solid foundation for a robust Agile, Adaptive Cyber Security governance program.
1. Constant Visibility into Assets, their Value, and Location.
- Assets in a boundless enterprise, in the cloud and connected world, are everywhere.
- This includes both sanctioned and shadow IT.
2. Continuous Integrated Risk Assessment.
- Continuous risk assessment, not just periodic assessment.
- Leveraging third party risk scores and benchmarks.
- Integrated view across vendor, internal, compliance, market perception, shareholder value, legal, and much more.
3. Multi-pronged Continuous Threat Assessment – Be Proactive, Be Paranoid.
- Attack Path Analysis - algorithms and third-party resources.
- Offensive Threat Modeling.
- Protecting against internal threats.
- Constitute a core threat intelligence team to monitor sources such as CVE feeds, vendor releases, the dark web, OWASP, etc., to gain firsthand knowledge and contextualise threats.
- Constantly learn and share with industry and peers – take advantage of strength in numbers and have a collective defensive approach.
4. Layered Defense and Response.
- Assess and deploy defenses at every vulnerable layer.
- Isolate networks - avoid contagion.
- Minimise impact of breaches - intelligent microsegmentation.
- Least privilege access mindset.
- Insider threat identification and mitigation programs.
- Enlist MSSP but don't outsource accountability and ownership.
- Disaster risk management and BCM: these two key pillars should treat a cyber security breach as a show-stopping event.
As per Chuck Brooks and other sources:
In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all cyber-attacks were carried out by insiders. The Verizon 2016 DBIR report disclosed that 77 percent of internal breaches were deemed to be by employees, 11 percent by external actors only, 3 percent were from partners, and 8 percent involved some kind of internal-external collusion, which makes them hard to categorise.
5. Security Awareness Across All Stake Holders.
- Enlist change agents.
- Mentor and identify security champions.
- "Gamify" awareness to increase participation and adoption.
- Measure program effectiveness and report.
There is always something to be prepared for. A key philosophy and approach to cyber security governance is to understand that you cannot avoid all breaches. The key is to be agile and adaptive in your approach. Minimise the impact of any breach, play out all scenarios, and know what is feasible. My thinking about risk management goes back to a very fundamental approach to how we should live our lives: "Know what you can change, accept what you can't, and most importantly know the difference between the two - but still be prepared to respond."
Please share your thoughts, and share this article if you find it informative.
I will be sharing my points of view and experiences in the coming days and weeks on diverse aspects and domains of Cyber Security.