The Twelve Days of Cybersecurity
2020 was certainly a wild cyber ride, as cybercriminals exploited the COVID pandemic to launch highly sophisticated cyberattacks on every industry possible. In the first six months of 2020, various Fortune 500 companies became the target of massive data breaches, with hackers selling these organizations' account credentials, sensitive data, and confidential and financial information on cybercriminal forums.
Throughout the year we have seen just about every customer wanting WWT to offer guidance on a number of topics, but in the spirit of Christmas we wanted to sum it up in the theme of 12 Days of Christmas.
Many of our customers are seeking to rationalize a portfolio of tools across many of their domains, with the ultimate goal of providing more capabilities and strategic value to end users with less cost and complexity. Not many of our customers have well-organized databases of information about their active security tools, and we also see a mix of satisfied and unsatisfied users across the internal customer base of those tools today.
Organizations need to have an ongoing goal of managing costs and avoiding duplicative tools and functionality, a clear articulation of tool rationalization decisions and their value, and an integrated roadmap for strategic value realization (including tools, people and processes).
As I wrote earlier this year, enterprise cyber resilience is a strategic requirement and a must-have organizational capability. Security and risk management executives must come together to work as a unified team to design, implement and maintain a cyber resilience program to ensure business initiatives become sustainable operations.
When you look at organizational risks, there are unfortunately too many to count, and they range from horrific natural disasters to man-made disruptions, equipment failure and operational or human errors. As fast as businesses are growing and expanding, these risks are occurring with increasing frequency as well, turning into business disruptions that impact the viability of the organization.
More and more organizations are leveraging cloud services such as Google and Microsoft to help scale their new remote workforce, but with that they broaden their attack surface and open up greater security risks for the organization. One can argue that the industry needs a new security approach to better protect workloads outside of an organization's traditional controls.
Implementing Zero Trust (also known as ZTA, Zero Trust Architecture) across all networks, including public and private clouds, allows security teams to gain back control of the network and improve visibility, which is very much lacking across the industry.
Another article I wrote earlier this year touched on how cybercriminals are well aware that many users are now working from home who would usually be at a branch office behind a corporate security perimeter. You need a security infrastructure that keeps all your users protected against the latest threats, no matter where they are.
All traffic, including encrypted apps, must be inspected. All users, including third-party contractors, must be given just the level of access needed for them to be productive, without opening them up as attack vectors to the rest of the network.
The cyber skills gap is of grave concern and, candidly, has been for a long time. Recent reports state that as many as 70 percent of cybersecurity professionals say their organization is impacted by the cybersecurity skills shortage. In the past four years, this percentage ranged from a low of 69 percent to a high of 74 percent, so, as you can see, not much improvement.
As my colleague Melissa Purinton wrote, "according to Gartner, women currently represent about 20 percent of people working in the field of cybersecurity. If my math is correct, this means 80 percent of the cybersecurity workforce are men. Though this is a drastic delta, this is by no means surprising as a woman in cybersecurity." It's clear where we need to look for the next-level talent.
Focus on the basics. Try not to overcomplicate security, or you will go crazy.
One of the first questions I ask customers across any industry is, "do you have an accurate inventory of your assets?" There's no logic to discussing more sophisticated trends if the customer can't nail down the basics first. You can't maintain basic security hygiene on assets you don't know are yours.
This is certainly true for every organization, no matter the industry or size of their networks. Cybersecurity teams now require far more visibility and connectivity than ever before, especially when it comes to remote work environments. They need the right technology that is optimized for many different use cases including electronic trading infrastructures, secure branch/office connectivity, internal segmentation and advanced threat protection. Start here for step one on foundational security.
One of the most critical factors in the success of a cybersecurity program is buy-in from executive leadership. The lack of buy-in can impact many aspects of your progress. The obvious correlation is the impact on budget, but the intangible consequences can be just as severe. Employees in the organization will mimic the actions of leadership, as it indicates their path to progression and success.
When leadership teams actively participate in messaging and include cybersecurity in the culture, it will drive employee engagement.
Cybersecurity goals may or may not be different at each company. One thing that will be different is the journey to accomplish those goals. When using simulated phishing emails, it is important to get an initial baseline for reference. There are many metrics, but most importantly, you want employees to report phishing emails. Your baseline metrics will be a great indicator of success as you continue to improve the percentage of employees who report simulated phishing campaigns.
Cybersecurity leaders need to actively engage with the business to impact culture. Efforts to understand how departments operate are respected and appreciated. There should always be an approach that enables the business instead of a perception that security is an obstacle.
An approach that is viewed as a partnership will yield the best results when implementing controls. If there is an existing relationship, the resolution will be more effective when issues arise.
The lines between personal and business are now blurred more than ever. People will learn more about a topic when they are able to relate. Cybersecurity awareness training should include information that employees can use in their personal lives. Training should always have examples of how cybersecurity risk can have an impact at home.
Employees should not be punished if they fail a phishing simulation. The goal is behavior modification and to educate employees, so they understand why the simulation was effective.
Rewarding employees who accurately report phishing emails is a fun way to get people more engaged. The rewards can be as simple as a gift card for active participants.
Automation was previously a goal for maturity in a cybersecurity program. It has now become a requirement due to the evolving threat landscape and lack of resources. There are many benefits to implementing automation throughout prevention and remediation processes.
Automation provides a way to balance the volume of threats and improve response times. This will also give cybersecurity staff a way to focus on more complex issues instead of repeatable tasks.
At WWT, we are hyper focused on providing secure business outcomes for our global clients. We take on the most challenging problems our customers face and provide innovative solutions that can involve data governance strategy, security platform and tool operationalization, AI/ML model security and enterprise security architecture strategy.