In Cyber, Some Things Change and Others Remain the Same
Being in the security industry since 1998, I thought we would have the basics down and would be focusing on so many new threat vectors -- but not so fast. Now is actually a good time to talk about and remind everyone of what a good cyber hygiene program might look like.
During National Cyber Security Awareness Month (NCSAM), every organization's CISO should take a step back and ask a few basic questions, such as:
- What is the most important security aspect to the CEO? Is it the confidentiality, integrity and/or availability of their information, and what are we doing around awareness with our employees to ensure we are doing our part to protect it?
- Are we revisiting company culture, business operations, employee areas of expertise and the gaps that might need to be filled? It's important to directly find out what is top of mind.
- Are we conversing with the business units to understand how far the envelope is being pushed to accelerate sales, and whether shortcuts are being taken around cyber policies?
- How do employees learn best, and is the training program aligned with that? Everyone learns differently and at different paces, so adjust accordingly.
As Will Rogers said, "Even if you're on the right track, you'll get run over if you just sit there." Everyone needs to take a step back and re-evaluate. I have been saying my whole career that the biggest way to make an impact is to understand the business and why it exists. Don't fall into the trap of trying to build "your" kingdom, but always ensure you serve others and protect the CEO's mission.
Every awareness program should incorporate the latest challenges enterprises are facing, and not just rinse and repeat the same content year over year.
When we look at 2020, it has definitely been a wild ride -- not just for security but in all aspects of our lives. I'm interested in finding out how your business is addressing these areas in your current awareness programs!
The growth in the number and complexity of partners and suppliers is mind-boggling. In turn, vulnerabilities across such partners expose organizations to a variety of risks that can come from the exploitation of the weakest link in a global network, which could be several layers down your supply chain.
While you are building your cyber resilient organization, let's not forget the basics. Honestly, when was the last time your company conducted a simple exercise of your incident response plan? As I have said before, a lot of feedback I get is: "we don't have time, they're not real or they're too complicated." It sounds like the same excuses people make to get out of going to the gym in the morning!
The introduction of 5G has greatly raised the speed and scale at which personal data is processed, stored, transmitted and received, which in turn will increase the risk that privacy will be sidestepped. Security and risk management leaders need to enhance customer and stakeholder trust by implementing countermeasures that minimize privacy risks.
To combat the ransomware problem, organizations really need to apply some rigor around regularly testing how existing defenses adapt to trends in the most prevalent threat vectors: malware, phishing and attacks on credentials. Conduct incident response tabletop exercises and engage in a cross-team effort to improve discovery of new assets and of emerging business technology use. Use a risk register to standardize the approach and move toward a more continuous exposure assessment.
Compliance isn't a simple process. It's not a product you buy, and it affects multiple areas of a company, not just SecOps or IT. You'll need executive buy-in to obtain the staff hours and other resources to make this happen.
By 2021, 90 percent of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI (up from 40 percent in 2019). Poor API design can limit usage and functionality, and results in deployment delays and cost overruns.
Another area that has come up in many of the conversations I am having is the need for technical security personnel to use cyber ranges to conduct war gaming and tabletop exercises. Cyber ranges are virtual environments that can be used for testing as required. They range from single stand-alone ranges in a single schoolhouse to Internet-replicating ranges that are accessible from around the world. Cyber ranges may be used internally by private and public organizations, by students in the classroom, or online through training and education providers.
Sound risk management and security awareness practices are not only a key competitive differentiator for companies, but they are also essential for controlling cost and facilitating the profitable delivery of products to the market. Moreover, organizations that ignore risk management and security awareness face failed shareholder and market expectations, increasingly incur regulators' wrath, and lose competitive traction.
The cheapest risk reducing measure that anybody can take is awareness training -- take advantage of it.
As always, the world of cybersecurity continues to evolve. It's apparent that my advice from the previous decade continues to ring true as we move forward: it is more important than ever to continually evaluate your security posture and stay up to date on what today's attacks look like and how to respond.