What You Need To Know About WEF’s 5 Principles for Effective Cybersecurity Leadership
Get an overview of the important findings from recent security studies performed by the World Economic Forum, and see how WWT's security teams align our approach to the main leadership principles.
In March of 2020 the world was shaken by a global pandemic, which forced organizations in every industry to rethink how they approach security and risk management. Many of the customers I talk to have made statements like:
- “We have new risks as a result of the extended enterprise.”
- “Our threat landscape is growing.”
- “Would it be preferable to treat everything outside of the DC area as 'open' and move the perimeter to the DC/cloud edge?”
- “COVID-19 is providing many banks with the 'ultimate experiment' to send everyone home and stress test the security infrastructure.”
- “The nature of perimeter-based security is problematic when granting remote access to an extended workforce that includes contractors and temporary workers.”
- “Prepare our organizations for a new normal: a permanently remote workforce.”
Reading the recent reports from the World Economic Forum (WEF) brought up some very interesting points as well:
“COVID-19 is forcing business leaders to adapt operating models faster than ever before to ensure existential survival. The large-scale adoption of work-from-home technologies, exponentially greater use of cloud services and explosion of connectivity allow companies to continue operations even with social distancing and 'stay at home' orders.”
They go on to say: “However, the paradigm shift is putting immense pressure on cybersecurity operations. As organizations are making extraordinary efforts to protect their workers and serve their customers during the pandemic, exposure to cyberthreats is increasing significantly.”
What I found very interesting was that The World Economic Forum’s COVID-19 Risks Outlook survey of companies found that “the third greatest concern for companies is that new working patterns may increase cyberattacks: as the COVID-19 crisis accelerates dependency on technologically enabled economic processes, it is also exacerbating... cyber risks.”
The WEF developed five cybersecurity leadership principles intended to ensure effective business continuity in "the new normal." I thought it would be of value to share with our customers and partners how WWT’s global Security Organization aligns its approach and services to these five leadership principles.
1. Foster a culture of cyber resilience.
Cyber resiliency is a very hot global topic, and a good cyber resilience plan at its core will have the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on cyber resources. What we often hear is: “I have a business continuity plan,” or “I have a disaster recovery plan,” or “I have a backup strategy; isn’t that enough?”
As you know, cyber resiliency goes way beyond disaster recovery (DR) and business continuity (BC) solutions. By programmatically testing the integrity of backup data and isolating its flow, organizations can recover when DR and BC systems are compromised.
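As an added illustration of what "programmatically testing the integrity of backup data" can look like in practice (example code written for this article, not WWT's or WEF's tooling): a manifest of SHA-256 hashes is sealed with an HMAC under a key held outside the backup path, so a later check reports altered, missing or unexpected files, and a manifest that was regenerated without the key is rejected. The file names, contents and key are constructed sample data.

```python
"""Backup integrity verification with a keyed hash manifest.

Added example, not WWT's or WEF's code. Assumes backups are plain files
under one directory and that the HMAC key lives outside the backup path
(for example in a vault the backup system cannot write to).
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): _sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and authenticate the listing with an HMAC."""
    files = _listing(Path(root))
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """Return discrepancies between the sealed manifest and the files on disk."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # A manifest whose HMAC does not verify was edited without the key: stop here.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    on_disk = _listing(Path(root))
    listed = manifest["files"]
    return {
        "manifest_ok": True,
        "modified": sorted(n for n in listed if n in on_disk and on_disk[n] != listed[n]),
        "missing": sorted(n for n in listed if n not in on_disk),
        "unexpected": sorted(n for n in on_disk if n not in listed),
    }


def demo() -> dict:
    """Constructed scenario: seal a backup set, then alter, drop and add files."""
    key = b"constructed-demo-key-keep-out-of-backup-path"  # assumption: held outside the backup system
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        (root / "notes.txt").write_bytes(b"weekly full backup\n")
        manifest = build_manifest(d, key)

        # Simulate damage after the manifest was sealed.
        (root / "db" / "customers.sql").write_bytes(b"-- truncated --")
        (root / "notes.txt").unlink()
        (root / "extra.bin").write_bytes(b"\x00")
        result = verify_manifest(d, manifest, key)

        # A manifest re-hashed to match the damaged file, but without the key, must be rejected.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["db/customers.sql"] = _sha256_file(root / "db" / "customers.sql")
        result["forged_manifest_rejected"] = not verify_manifest(d, forged, key)["manifest_ok"]
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the key (and a copy of the manifest) out of reach of the systems that write the backups is what makes the check meaningful: whoever can rewrite the backup can otherwise rewrite the manifest to match, which is the "isolating its flow" part of the principle.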
Cyber resiliency requires more than technology. There are costs to implement, costs to maintain and, of course, people to train, as well as new policies, standards, procedures and guidelines to define. Organizations need to adopt new governance models and processes, and to build a digital resilience team with the following attributes:
- Cross-silo knowledge (this is extremely important).
- Must also include executives such as CEO, CFO, COO, CIO and CSO.
2. Focus on protecting the organization's critical assets and services.
A big issue we see our customers struggle with is a lack of visibility into data, devices, applications and users.
One of the first questions I ask customers across any industry is, “do you have an accurate inventory of your assets?” There’s no logic to discussing more sophisticated trends if the customer can’t nail down the basics first. You can’t maintain basic security hygiene on assets you don’t know are yours.
This is certainly true for every organization, no matter the industry or size of their networks. Cybersecurity teams now require far more visibility and connectivity than ever before, especially when it comes to remote work environments. They need the right technology that is optimized for many different use cases including electronic trading infrastructures, secure branch/office connectivity, internal segmentation and advanced threat protection.
If you can answer the questions below, you are well on your way to having confidence about what you own and how you are managing it. If you struggle with some of these, you might want to start a conversation around how to improve.
- Do you know what's running on your systems?
- Do you have audit capabilities?
- Do you collect logs and what kind?
- How do you integrate those logs?
- What kind of instrumentation and supporting analytics do you have?
- Do you see what's running or do you believe what people tell you is running?
- Do you have any level of continuous monitoring for compliance and anomaly detection?
- Can anyone load software from anywhere?
- Can only authorized software be loaded by authorized people?
- Do you know where your sensitive data is and who is accessing it?
- Do you have a good handle on PII, PHI, NPI or any data that needs regulated control?
Whether you want to examine configured operating systems and identity assets, or identify misconfigured services, browsing actions or applications, a security assessment can arm your team with an organization-wide view.
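To make the inventory questions above concrete, here is an added example (not WWT's assessment tooling) that reconciles an asset inventory export against an agent report of what is actually running. It flags hosts that report in but are not in the inventory, inventoried hosts that never reported, and software outside a host's authorized set. The hostnames, addresses and packages are constructed sample data, and the key=value report format is an assumption.

```python
"""Asset inventory reconciliation: what you believe you own vs. what is running.

Added example, not WWT's own tooling. Assumes an inventory export keyed by
hostname and an agent report with one key=value line per host; both are
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed CMDB export: hostname -> owner and authorized software (package names).
INVENTORY = {
    "web01": {"owner": "platform", "authorized": {"nginx", "openssh"}},
    "db01":  {"owner": "data",     "authorized": {"postgres", "openssh"}},
    "vpn01": {"owner": "network",  "authorized": {"openvpn", "openssh"}},
}

# Constructed agent report (assumed format): host=... ip=... software=name:version,...
AGENT_REPORT = """\
host=web01 ip=10.0.1.5 software=nginx:1.24,openssh:9.3
host=db01 ip=10.0.2.7 software=postgres:15,openssh:9.3,teamviewer:15
host=lab-laptop ip=10.0.9.42 software=openssh:9.3,python:3.11
"""


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # "unknown_host", "stale_asset" or "unauthorized_software"
    detail: str = ""  # IP, owner or package name, depending on kind


def parse_report(text: str) -> dict:
    """Turn the report into hostname -> {"ip": str, "software": set of package names}."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        packages = {item.split(":", 1)[0]
                    for item in fields.get("software", "").split(",") if item}
        hosts[fields["host"]] = {"ip": fields.get("ip", ""), "software": packages}
    return hosts


def reconcile(inventory: dict, observed: dict) -> list[Finding]:
    """Compare the inventory with observed hosts and return every discrepancy."""
    findings: list[Finding] = []
    for host, obs in observed.items():
        if host not in inventory:
            # Something is on the network that nobody has claimed ownership of.
            findings.append(Finding(host, "unknown_host", obs["ip"]))
            continue
        for pkg in sorted(obs["software"] - inventory[host]["authorized"]):
            # Software present that the asset's authorized set does not cover.
            findings.append(Finding(host, "unauthorized_software", pkg))
    for host, record in inventory.items():
        if host not in observed:
            # Inventoried but silent: decommissioned, offline, or agent not reporting.
            findings.append(Finding(host, "stale_asset", record["owner"]))
    return findings


def run() -> list[Finding]:
    return reconcile(INVENTORY, parse_report(AGENT_REPORT))


if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:22} {f.host:12} {f.detail}")
```

The "stale_asset" and "unknown_host" findings answer "do you see what's running or do you believe what people tell you is running?"; the "unauthorized_software" finding is the starting point for "can only authorized software be loaded by authorized people?" when it is fed by a real agent or scanner instead of the constructed report.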
3. Balance risk-informed decisions during the crisis and beyond.
In order to successfully compete in today’s global, interconnected business environment, organizations must continuously reevaluate their product, software and service offerings, as well as the mechanisms to deliver real business value to customers, partners and suppliers. In addition, organizations must constantly reassess their overall business risk appetite and tolerance to ensure conformance with various standards, regulations, frameworks and global data protection laws.
Given the challenges of operating in today’s business environment — COVID-19, competitive global markets, remote workers, corporate governance reform and rigorous security and privacy mandates — risk management and governance have become a fundamental business imperative. Businesses are moving to a more mature position in which risk management is integrated into the DNA of the organization.
Risk management is a C-suite priority because it is one of the single most important determinants of business value realization. Risk management is the system by which an organization’s portfolio is directed and controlled. It accomplishes the following goals:
- Identification of threats (IT threats, business threats, internal and external threats) to an organization.
- Identification and justification of risk controls for possible threats and vulnerabilities.
- Development and institutionalization of rules and procedures for making and monitoring decisions on strategic concerns, specifically internal and external threats to businesses.
An organization's management has a duty to control risks. As digital and security transformation have become an increasingly important enabler, it's imperative to apply the notion of risk management to organizations. A risk-based approach to management can lead to greater accountability and a better change management environment.
Moreover, beyond the core purpose of assessing risks, risk management serves to demonstrate an organization's serious effort toward compliance and/or industry best practices such as those from NIST, ISO, CIS and more. Business impact and risk analysis are used as the foundations for understanding operational vulnerabilities, as well as the platforms from which to explore risk mitigation and contingency-planning activities.
Risk management should be applied to all parts of the enterprise's operations and should be coordinated through an operational risk management committee. These processes must be built on a foundation of cultural and process change to explicitly identify and manage operational risks.
A thorough understanding and holistic picture of effective enterprise risk management practices are necessary to ensure that businesses not only maintain but sustain their strategic advantage. That's why we employ a balanced approach in ensuring that an organization’s line of business is competing for both today and tomorrow.
4. Update and practice the organization's response and business continuity plans as business transitions to "the new normal."
Back in 2017, I wrote an article on security awareness, and whether I wrote it in 2017 or 1998, I will always say the first step toward creating a successful cybersecurity awareness program is to recognize that this is not a project with a defined timeline and an expected completion date. Instead, this initiative should foster cybersecurity consciousness in the company culture and throughout the organization. This requires constant education and vigilance.
While you are building your cyber resilient organization, let’s not forget the basics. Honestly, when was the last time your company conducted a simple exercise of your incident response plan? As I've said before, a lot of feedback I get is that “we don’t have time, they’re not real or they’re too complicated.” It sounds like the same excuses people make to get out of going to the gym in the morning!
Typically, the most effective programs are those that educate users upon initial hire and every quarter that follows. This training should educate all users, especially those at the executive level who are considered high-value targets.
A mature program should also be shaped by a keen understanding of the organization’s culture. This will not only help set the tone for the material but will be informative for coaching and guiding individuals to change their cybersecurity competence and behavior.
5. Strengthen ecosystem-wide collaboration.
Create a collaborative environment by adopting agile principles in cybersecurity. Even if teams agree on the areas that need improvement, there needs to be a way to share knowledge during the entire adoption process. Organizations should consider multi-team meetings and workshops to aid with team communication and prioritization. Additionally, to help with operationalizing information sharing, mediums such as intranet sites and other collaboration tools should be used and socialized for maintaining internal recommendations and documentation.
As I've said before, for most organizations, the ability to demonstrate compliance directly correlates to the maturity of their cybersecurity program. The ability to rapidly take inventory and assess operational risk from configuration management, vulnerability assessments and operational procedures is one way to build your baseline.
Adapting the Capability Maturity Model Integration (CMMI) to security is one way you can measure the security capabilities of your organization and its ability to operate through various threats and vulnerabilities.
It’s understood that no network is 100 percent secure, but collaboration with your stakeholders to understand your environment and move toward a multi-vendor architecture that creates an integrated security platform will certainly mature your program.
WWT works with some of the largest businesses and governments in the world on complex cybersecurity issues. We know it can be a sensitive subject. That's why we're committed to understanding your needs and protecting your privacy during and after engagements. Learn more about how we can contribute to your security strategy.