Back to the Cyber Basics: Fundamentals Before Innovation Drives Success
Hybrid work models are now a necessity, but with them has come a much larger threat landscape and a rapid upsurge in ransomware and nation-state attacks, not to mention heightened regulations and compliance struggles. It's a lot to tackle at once, but we keep charging up to the frontline. And it's great that we've got all kinds of new cyber tricks to arm us, but it's clear from where I'm sitting: too many of us are losing sight of the basics. It appears we're moving too far, too fast. Without proper grounding, all efforts to innovate may become counterproductive.
The cyber playing field seems to get more complex every year. But perhaps it's those of us on defense who are overcomplicating things. Sure, elaborate innovations help mitigate this ever more complex threat landscape, but they also make it easy to lose sight of the necessary fundamentals.
We are all looking for the next AI product or ML solution to save the day, and they are rightfully enticing, but before we get excited about the shiny and new, we need to cover the basics first. Start by asking yourself: What level of risk am I operating at technically? What about programmatically?
Only a strong foundation can support the growing arsenal of solutions and tools of the modern-day cyber battleground. Putting the fundamental principles below into practice will lay the groundwork needed to build a future-ready cyber defense.
A solid risk management strategy is the bedrock of your cyber security posture
To compete successfully in today's global, interconnected business environment, organizations must continuously reevaluate their product, software, and service offerings, as well as whether certain mechanisms continue to deliver real business value to customers, partners and suppliers. In addition, organizations must constantly reassess their overall business risk capacity and tolerance to ensure conformance with various standards, regulations, frameworks and increasing global data protection laws.
The new ways we do business present new challenges, such as competitive markets, electronically enabled global network businesses, corporate governance reform and rigorous security and privacy mandates; as a result, risk management and governance have become critical business imperatives. In response, organizations are integrating risk management into their organizational DNA.
Now an executive priority, risk management has become one of the major determinants of business value realization as well as the very measure by which an organization's portfolio is directed and controlled. It encompasses the following:
- Identification of threats to an organization (IT and business; internal and external).
- Identification and justification of risk controls for possible threats and vulnerabilities.
- Development and institutionalization of rules and procedures for making and monitoring decisions on strategic concerns regarding internal and external threats.
Factoring in the above, a solid risk management strategy results in the following benefits:
- Improved confidence in operational and financial integrity. The focus is to allow management to understand and deal with events that can create uncertainty in the organization's operational and financial performance. Enterprise risk management allows your management team to quantify and justify risk decisions to support accurate response and decision making.
- Maintaining accurate and timely information. Risk management provides mechanisms to measure and respond to negative impacts and seize opportunities for growth and competitive edge. This is accomplished by providing consistency in measurement, terminology and communication.
- Maintaining measurement of risk throughout the organization. Risk is measured not only at the system and project level, but also for business units and their processes, and from an organization-wide perspective.
- Staying on course. Risk management helps ensure an organization meets and exceeds its goals and runs according to plan. Understanding risks improves confidence, lends a strategic advantage and prevents organizations from being caught off guard.
- Reduction in overhead and costs. The unexpected can be costly; identifying risk and implementing appropriate controls allows an organization to control unexpected events and their associated costs.
- Operational transparency. Risk management enables business stakeholders to understand security in terminology they use, easing the justification and defense of security budgets and resources.
- Boosted reputation. Risk management improves an organization's ratings and public perception of its efficiency, because the organization is able to respond quickly and in a prepared manner.
Integrating optimal risk management is an essential baseline strategy that will aptly prepare your organization for what's to come: building secure architectures that facilitate operational resilience, developing an enterprise segmentation solution and selecting the right innovative security tools.
Let's take a closer look at each stride…
Adopt holistic operational resilience
Gartner defines operational resilience as "Initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens and partners)."
The definition goes on to explain that these initiatives support management of risk assessments, risk monitoring and performance of controls that affect workforce, facilities, processes, technology (IT, OT, IoT, physical, cyber-physical) and third parties across the following risk domains used in the business delivery and value realization process:
- Security (cyber and physical)
- Continuity of operations
Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the report's history, according to this report. "Costs were significantly lower for some organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security." Still, many organizations do not have the incident response teams or resources needed to keep their security strategies up to date.
According to the World Economic Forum Global Risk Report 2022, "For the next five years, respondents again signal societal and environmental risks as the most concerning." However, over a 10-year horizon, the health of the planet dominates concerns: environmental risks are perceived to be the five most critical long-term threats to the world as well as the most potentially damaging to people and planet, with climate action failure, extreme weather and biodiversity loss ranking as the top three most severe risks.
Respondents in this report also signaled debt crises and geoeconomic confrontations as among the most severe risks over the next 10 years. Technological risks such as digital inequality and cybersecurity failure are other critical short- and medium-term threats to the world, according to GRPS respondents.
One major element of operational resilience is cyber. Cyber resilience is the degree to which an organization can adapt and respond in order to defend itself against a threat to, or failure of, its digital business ecosystems. A mature cyber-resilient enterprise ensures that restored software and technology infrastructure and services are not only reliable, but also safe and accessible despite a range of hostile or adverse disruptions to those critical ecosystems.
Cyber resilience covers a superset of the technology infrastructure, services and data found in IT, OT, IoT and physical ecosystems. It applies not only to information-centric organizations, such as healthcare, banking, financial services and insurance, but also to industries such as manufacturing, utilities and transportation. Effectively, cyber resilience is particularly focused on the technological flexibility of where information resides.
When it comes to the basics of cyber resiliency, all organizations, regardless of vertical market or size, would benefit from the following courses of action:
- Establish an enterprise cyber resilience and delivery program, including program management, risk identification and management.
- Establish a governance and accountability framework such as MITRE or the updated NIST SP 800-160 Vol. 2 Rev. 1 (keep in mind there is no single authoritative definition for cyber resiliency).
- Identify and document the organizational resilience drivers.
- Identify gaps in organizational resilience programs by assessing current resilience against applicable frameworks.
- Correlate and map the components of the organization's digital business initiatives to each organizational cyber resilience layer.
Enterprises in every industry are continuously threatened by security breaches that can have significant consequences when it comes to business operations and success. As we all know, compromised data is an extremely costly issue, so making a significant investment in preventative measures will always pay off.
Plan for reducing the attack surface
Segmentation is a must, but this requires top-down buy-in and the right amount of rigor and discipline; it simply cannot be accomplished by buying a single OEM solution.
Clearly defined segmentation will be instrumental in mitigating threats. A flat network is a network without segments, where all assets (servers and workstations) can communicate with each other once inside the internet edge firewall.
Optimal segmentation involves examining vital dependency areas to identify immediate risk reduction opportunities within existing programs, architectures and technologies. To ensure all basics are covered, organizations need to approach their segmentation strategy by identifying existing capabilities within the following areas:
- Asset inventory
- Data classification
- Policies and regulations
- Application dependency mapping
- Network mapping
- Existing technology that is segmentation capable
- Existing segmentation and strategy documentation
- Shared infrastructure
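To make the "flat vs. segmented" distinction concrete, the following is an added illustration (not WWT's code or tooling) that models a small, constructed asset inventory with zone assignments and data classifications, applies a constructed zone-to-zone allow policy, and compares how many asset pairs can reach each other on a flat network with how many can under the policy. It also reports the lateral reach of any single asset and flags inventory gaps (assets with no data classification), tying the asset-inventory and data-classification items above to the segmentation outcome. Every asset name, zone, port and rule is sample data invented for the example.

```python
"""Flat vs. segmented network model built from a constructed asset inventory.

Added illustration; all asset names, zones, classifications and policy rules
below are constructed sample data, not a real environment.
"""
from itertools import permutations

# Constructed asset inventory: name -> (zone, data classification).
# A classification of None marks an inventory gap to be closed.
ASSETS = {
    "web-01":    ("dmz",  "public"),
    "app-01":    ("app",  "internal"),
    "db-01":     ("data", "confidential"),
    "hr-ws-07":  ("user", "internal"),
    "ot-plc-3":  ("ot",   "confidential"),
    "printer-2": ("user", None),
}

# Constructed segmentation policy: (source zone, destination zone, port).
# Anything not listed is denied between zones.
POLICY = {
    ("dmz",  "app",  8443),   # web tier talks to the application tier
    ("app",  "data", 5432),   # application tier talks to the database
    ("user", "app",  8443),   # user workstations reach the application
    ("user", "dmz",  443),    # user workstations reach the web front end
}

# Zones whose members may talk to each other freely (a common, imperfect
# starting point that a maturing programme would tighten further).
OPEN_INTRA_ZONE = {"user", "app"}


def reachable_pairs_flat(assets):
    """Flat network: every asset can reach every other asset."""
    return set(permutations(assets, 2))


def reachable_pairs_segmented(assets, policy, open_intra_zone):
    """Asset pairs that can communicate under the zone policy."""
    zone_rules = {(src, dst) for src, dst, _port in policy}
    pairs = set()
    for a, b in permutations(assets, 2):
        zone_a, zone_b = assets[a][0], assets[b][0]
        if zone_a == zone_b and zone_a in open_intra_zone:
            pairs.add((a, b))
        elif (zone_a, zone_b) in zone_rules:
            pairs.add((a, b))
    return pairs


def lateral_reach(asset, pairs):
    """Assets that the given asset could reach if it were compromised."""
    return sorted(dst for src, dst in pairs if src == asset)


def unclassified_assets(assets):
    """Inventory gap: assets with no data classification."""
    return sorted(name for name, (_zone, cls) in assets.items() if cls is None)


def summarize(assets, policy, open_intra_zone):
    """Headline numbers for an attack-surface comparison."""
    flat = reachable_pairs_flat(assets)
    seg = reachable_pairs_segmented(assets, policy, open_intra_zone)
    return {
        "flat_pairs": len(flat),
        "segmented_pairs": len(seg),
        "reduction_pct": round(100 * (1 - len(seg) / len(flat)), 1),
        "unclassified": unclassified_assets(assets),
    }


if __name__ == "__main__":
    seg = reachable_pairs_segmented(ASSETS, POLICY, OPEN_INTRA_ZONE)
    print(summarize(ASSETS, POLICY, OPEN_INTRA_ZONE))
    for name in ASSETS:
        print(f"{name:10s} can reach: {lateral_reach(name, seg) or '(nothing)'}")
```

On this sample data the flat network exposes 30 communicating pairs and the policy reduces that to 8 (a 73.3% reduction); a compromised web-01 can reach only app-01, and db-01 and ot-plc-3 reach nothing at all. The same reachability check can be rerun each time the inventory or policy changes, which is how the "existing segmentation and strategy documentation" item above stays tied to what is actually enforced.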
Be advised: security is a process, not a SKU
Every organization should conduct a thorough tools rationalization exercise, but one that really dives into a full portfolio review and capability mapping. You'll need to gather a high-level understanding of the entire security tool estate (and how it came to be) and prioritize areas for deeper investigation.
Another important step is to identify high-level rationalization opportunities based on a logic- and data-driven framework, grounded in data and hypotheses. Next, conduct deep dives to generate recommendations within each rationalization opportunity area, with specific implications (e.g., cost savings, organizational/operational impact). Lastly, develop an executive-level ROI perspective for the overall initiative; then pair that with findings on how and why the tool sprawl occurred and recommendations on intake processes and governance.
That all may seem like a lot, but when accomplished methodically with the support of a technology partner like WWT, the process can be fast, seamless and inexpensive.
In support of your journey
At WWT, we understand the importance of your security transformation journey and can bring our expertise to assist in protecting technology and ultimately, your business. Our security consultants provide a formal yet flexible method of evaluating enterprise cyber maturity based on foundational building blocks across a variety of industry security frameworks.
Utilizing a holistic approach when evaluating an organization's control and risk mitigation environment, WWT can provide a detailed analysis that will be used as a roadmap to increase maturity and maximize the use of people, processes and technology for the purpose of reducing risk while increasing efficiencies. And as always, if you need any guidance, we're here to point you in the right direction.