How did this happen? I thought you had this under control? What went wrong? Are we 100% secure? Are you sure? How bad is it out there? What about what happened at X company? How are we compared to others? Do we know what our risks are? What keeps you up at night? Are we appropriately allocating resources? Are we spending enough? Why are we spending so much?
Chances are, most security and risk leaders have heard these questions, possibly multiple times, from their boards of directors ever since COVID-19 began impacting businesses globally.
As companies continue to depend on a workforce unaccustomed to working from home, boards are overwhelmed trying to navigate a global pandemic while phishing threats increase.
The problem is that these questions are largely unanswerable, even more so when they are driven by exaggerated, incomplete, or contradictory public information, and they distract from more relevant questions.
Still, even though some of these questions cannot be answered, cyber health deserves the same attention as physical health.
Risks from Internet-Connected Technology
Over-dependence on digital connections has made any potential security gap a tempting target, both for external actors and for the people you may know and trust. Your systems, files, and data (both personal and workplace-related) are inherently useful and sellable to someone, making you just as likely a target as your friends, family, colleagues, or random strangers.
Every person who uses internet-connected technology, or participates in services that depend on it, is at risk of their systems, files, and data being compromised or misused.
The Disconnect and the Failed Approach
Cybersecurity has been on board agendas for at least a decade. Still, the recent coronavirus outbreak puts a spotlight on the disconnect between the executive understanding of cybersecurity and an organization’s actual capabilities.
The stories that we’ve seen during the COVID-19 outbreak are the latest example highlighting the failed approach to cybersecurity that many organizations take. While executives focused on ensuring compliance and stopping hackers, simple opportunities like enabling secure remote access technologies — which have a much more significant business impact — were ignored. Now, organizations are scrambling to catch up.
These missed opportunities, exposed during the coronavirus outbreak, are just the most recent example of how the disconnect between security and business outcomes is often underestimated. Organizations should focus on the creation of adequate, reasonable, consistent, and effective controls in a business context.
The COVID-19 disconnect should be a wake-up call for CIOs, CISOs, and IT executives about the critical need to address cybersecurity in a business context and as a business decision. IT leaders can build an executive narrative to change how cybersecurity is treated in their organization.
Many organizations take an ineffective approach to cybersecurity, and these failed approaches lead to poor decisions and bad investments.
This disconnect between executive decision making and effective cybersecurity should encourage both business and security leaders to focus their attention on new ways to approach the problem.
Areas on which to Focus
In a sea of overwhelming priorities, security and risk teams should focus on seven areas.
- Incident response plans and protocols need to be adjusted. Even incidents that would normally be well-managed risks can become more significant issues if the team can’t respond effectively while working remotely.
- Ensure that corporate laptops have the minimum viable endpoint protection configurations for off-LAN activity. Security and risk teams should also be cautious about allowing personally owned devices to access corporate applications that store mission-critical or personal information.
- Reach out to senior leaders with examples of targeted phishing attacks, and alert employees to the escalating cyberthreat environment. Remind them that they must remain focused and hypervigilant toward suspicious activity.
- Ensure that your monitoring tools and capabilities are providing maximum visibility. Check that internal security monitoring capabilities and log management rule sets still cover a remote workforce.
- Engage with security services vendors to evaluate impacts on the security supply chain.
- Security and risk teams should focus on ensuring foundational cyber-physical systems (CPS)/OT security hygiene practices such as asset discovery and network segmentation, and on evaluating the risk of fixing a vulnerability against the likelihood and impact of an attack, in order to prioritize scarce resource deployments.
- Organizations may need to collect employee information that relates directly to the COVID-19 pandemic. For example, organizations might want to record when an employee visits a risk area or is home with an illness.
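The CPS/OT prioritization rule above, weighing the expected loss from an attack against the expected loss from the fix itself, as an added worked example that is not part of the original article. The findings, monetary figures, probabilities and the 0.5 segmentation factor are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumption: network segmentation halves the likelihood that an attacker
# reaches the asset. Tune this factor to your own environment.
SEGMENTATION_FACTOR = 0.5


@dataclass
class Finding:
    asset: str
    vuln: str
    attack_likelihood: float    # probability of exploitation in the planning window
    attack_impact: float        # monetary loss if exploited
    fix_disruption_prob: float  # probability the fix itself causes an OT outage
    fix_disruption_cost: float  # monetary cost of that outage
    segmented: bool             # asset sits behind network segmentation


def expected_attack_loss(f: Finding) -> float:
    """Likelihood x impact, discounted when segmentation limits reachability."""
    likelihood = f.attack_likelihood * (SEGMENTATION_FACTOR if f.segmented else 1.0)
    return likelihood * f.attack_impact


def expected_fix_loss(f: Finding) -> float:
    """Risk introduced by fixing: chance the change breaks production x its cost."""
    return f.fix_disruption_prob * f.fix_disruption_cost


def net_benefit(f: Finding) -> float:
    """Positive means fixing now reduces expected loss; negative means defer."""
    return expected_attack_loss(f) - expected_fix_loss(f)


def prioritize(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Rank findings by net benefit and label each with a recommended action."""
    ranked = sorted(findings, key=net_benefit, reverse=True)
    return [(f.asset, net_benefit(f), "fix now" if net_benefit(f) > 0 else "defer, rely on compensating controls")
            for f in ranked]


# Constructed sample findings (placeholder asset and vulnerability names).
SAMPLE_FINDINGS = [
    Finding("historian-server", "VULN-PLACEHOLDER-1", 0.4, 500_000, 0.05, 20_000, False),
    Finding("plc-line-3", "VULN-PLACEHOLDER-2", 0.3, 2_000_000, 0.5, 800_000, True),
    Finding("hmi-workstation", "VULN-PLACEHOLDER-3", 0.6, 100_000, 0.02, 5_000, False),
]

if __name__ == "__main__":
    for asset, net, action in prioritize(SAMPLE_FINDINGS):
        print(f"{asset:18} net benefit {net:>12,.0f}  -> {action}")
```

The PLC case shows the point of the rule: the attack is the most expensive outcome, but the segmented asset plus a high-risk patch means deferring the fix and keeping the segmentation is the better use of scarce OT change windows.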
Create a Business Context Around Cybersecurity
To create a business context around cybersecurity, first identify the business context of your organization. Every organization has budgets and costs, desired outcomes, supporting business processes, sources of revenue, and customers. Each of these components comes with key technology dependencies. Understand the organization’s most essential processes and business outcomes, and identify how technology maps back to them.
Then, using the business context as a guide, shift toward an outcome-driven approach to cybersecurity. An outcome-driven approach is a governance process in which priorities and investments are determined by their direct impact on protection levels in a business context. This approach lets the organization see how well it is protected, rather than just how it is protected.
An outcome-driven approach creates an entirely new lens through which non-IT executives and other stakeholders can consume information about cybersecurity issues in a business context. Priorities and investments can then be adjusted to balance the need to protect the business against the need to run it.
Visibility, Awareness, and Alertness
There is no way to guarantee cyber health, much as there is no way to guarantee physical health. Still, the most important things to keep in mind are the visibility of your actions, awareness of the risks of every interaction (especially online), and remaining alert to new threats.