Cyber Resilience - Risk Management Evolves

The development of modern cloud-based mobile applications has changed much of the IT landscape. New methods of application development (Agile & DevOps) have driven organizational change and brought IT to the forefront of new digital business models. Hyper-connected, massively distributed Cloud applications are also driving changes in traditional IT methods for business continuity and security - two primary functions missioned to manage IT risk.

Protecting information systems and ensuring their availability has been the province of the business continuity management (BCM) function. On the other hand, access control, privacy, and identity management have been handled by IT security. Historically separate, both functions play an important role in managing operational risk. As cloud and mobile applications evolve, several factors suggest the need for a new approach to managing IT risk:

  • Cyber breaches are increasing in frequency. Many threat types, such as zero-day exploits and ransomware, create significant business impact with little or no advance warning.
  • Acceptable downtime for most IT systems is < 4 hours. Many systems are designed to be resilient with no downtime and minimal data loss, placing pressure on business continuity and cybersecurity incident response teams.
  • Business continuity and security metrics are often presented in technical terms, for example the amount of malware detected and blocked, or the percentage of backups successfully completed. Senior executives need to understand these programs in the context of business risk.
  • Protecting brand reputation is more important than ever. Companies must respond to disruptions (natural or cyber) with speed and accuracy to ensure minimal impact on brand reputation and external partners.

While BCM and cybersecurity are managed separately, both teams must work together to develop and manage a common incident response process. This provides management and company stakeholders with the confidence their organization has a consistent way to defend against threats and respond in a manner that protects their brand.

This new approach, merging security and business continuity functions (while balancing risk and budget), is known as Cyber Resilience. Among the benefits of this approach are better incident response, an improved ability to manage risk, and more effective coordination of resources.

Responding to cyber threats has created new challenges that business continuity planners must deal with. Unlike a natural disaster, a cyber event creates a crime scene: law enforcement and external stakeholders must be engaged, and public image must be managed. Business continuity and cybersecurity planners must develop response plans to manage these new threats.

Best practices for Cyber Resilience are still emerging. Most companies manage BCM and cybersecurity separately, while others have merged the functions. Because BCM and cybersecurity programs often compete for the same risk funding, it is not uncommon to see conflicts in how these programs are led and managed.

One trend we are seeing is senior executives integrating these functions under the role of a Chief Risk Officer (CRO). The goal is to create a holistic view of risk and a common method for organization, governance, and funding. The CRO is responsible for allocating funding where it is needed most and for driving BCM and cybersecurity programs to ensure they are coordinated, integrated, and delivering value.

The nature of risk is constantly changing as Cloud and mobile applications evolve. Internal and external cyber threats will increase as the number of black hats grows. Consequently, BCM and cybersecurity will continue to evolve as Cyber Resilience tools and techniques mature and companies develop new ways to manage risk.

The CRO may become your new best friend.


This blog was co-authored by Jeff Marinstein, Founding Principal of Marinstein & Co. and Michael Puldy, Director of Global Business Continuity Management at IBM.

Cybersecurity Skills Grow in CT

In their 2016 State of Cybersecurity report, ISACA and RSA found that 74% of companies surveyed expect to fall prey to a cyberattack in 2016. In 2015, 60% of the survey's respondents were victims of a phishing attack, and 30% of those reported that the attacks occurred on a daily basis. 82% of companies report that their Board of Directors is either concerned or very concerned about cybersecurity.

Despite the rise in threat levels, the skills gap in cybersecurity remains a serious problem. The security profession is struggling to find well-trained, highly skilled workers to fill open positions. More than 60% of organizations have too few infosec professionals. Here in CT, every major company has open jobs for cybersecurity professionals. Almost one-third of companies report that it takes 6 months to fill these jobs, and another 9% cannot fill open positions at all. This skills gap is causing companies to hire people with insufficient skills and invest in training: 60% of companies report that half (or less) of their cybersecurity job applicants are qualified upon hire.

The most significant skill gaps are the inability to understand the business and a lack of communication skills. This gap affects all levels of cybersecurity professionals. In my previous blog I noted that many CISOs lack the ability to describe cybersecurity in business terms. On-the-job training and certification are the top methods of combating this skills gap.

For SMBs the problem is more acute. Smaller companies often lack the budget to properly address the cyber threat, and the lack of robust security increases their risk. Difficulty hiring skilled professionals leaves them vulnerable. For these companies it may make sense to use a managed service provider (MSP) to improve their security. MSPs combine leading technology with skilled professionals to offer cybersecurity services. Companies offload the burden of selecting, installing, and managing complex technology while trained cybersecurity experts monitor and manage their environment and mitigate risks.

Southern CT has seen a surge in the availability of tech talent, fueled by a variety of government, quasi-government, and non-profit activity. Into this growing talent pool we welcome Blackstratus, which has moved its CYBERShark security-as-a-service operating unit to Stamford, CT. CYBERShark takes Blackstratus' proven security and compliance platform and delivers it in the Cloud at a fraction of the cost. The service provides 24x7 monitoring, real-time alerts, and remediation for malicious activity.

"We're truly excited to be part of CT's thriving tech community and really excited to be part of CT's extended and integrated ecosystem for doing business here," Blackstratus CEO Dale Cline told several dozen employees and public officials. Read more about the Blackstratus announcement here, and get more info about CYBERShark and Blackstratus here.

Cyber Risk on the Rise

This week I attended an excellent conference on Cyber Security. TakeDownCon, run by EC-Council and hosted by the UConn School of Business in Stamford, CT, provided great speakers with separate tracks for CISOs and technologists. I highly recommend an EC-Council event if you're looking to learn more about Cyber Security or obtain certifications.

In 2015 over 169 million personal records were exposed as a result of cyber intrusions, the result of more than 780 publicized breaches across the education, healthcare, government, and financial sectors. The average cost per stolen record exceeded $150; in the healthcare sector the cost per stolen record was $360. Despite the rising threat posed by foreign governments, hacktivists, and cyber criminals, only 38% of global organizations report that they are prepared to handle a sophisticated cyber attack.

Here are some key takeaways from the conference:

  • Companies are not framing the issues of cyber risk in business terms. This creates a disconnect with senior executives and the Board of Directors. Cyber programs produce volumes of data and dashboards, but do little to describe Cyber Security issues in business terms. As a result, many programs remain underfunded and understaffed despite the growing threat landscape.

  • An effective cyber program cannot be implemented until a company knows where all of its data is, who would want to access it, and why. As computing becomes more distributed (through Cloud and mobile), it becomes harder to identify where all the data is, and the growing number of endpoints increases the cyber threat. Many companies cannot identify how many servers they have or where all of their data is located.

  • There is an inherent tradeoff between security and convenience. Senior executives are often unwilling to sacrifice convenience for better security. Weak passwords, poorly administered systems, and the proliferation of devices with poor security controls are examples of vulnerabilities that stem from the desire for convenience. Hackers exploit these vulnerabilities with relative ease.

  • There are hundreds of vendors selling security products and services. According to the experts, most of these are of limited use. Security products are implemented without a properly designed risk management framework; in essence, many companies throw technology at the problem only to find that they are still vulnerable to hackers. Products end up providing a false sense of security unless the company has learned how to manage risk.

  • The majority of cyber attacks result from exploiting human behavior, e.g. opening email attachments that install malware. Companies are beginning to develop analytics to examine and predict behavior and identify employees who may attempt to steal corporate information. These analytics examine online behavior, badge in/out times, login times, system use, files downloaded/copied, social media activity, and other HR-related data to profile employees. These behavioral analytics are a new line of defense for companies and may become a Cyber Security best practice as they evolve.

  • Effective CISOs can add business value beyond protecting the company. A CISO at a major retailer installed thermal imaging on in-store cameras to analyze the traffic patterns of shoppers. Company executives used this data to tailor product placement based on traffic flow. By placing high-margin items in strategic high-traffic locations, the company increased profit by 4%.

  • US law prevents companies from using certain techniques that could help thwart cyber attacks. Federal and State computer crime laws make it illegal to hack (unauthorized access to a computer system). As a result, US companies are unable to deploy probes or take offensive action for fear of being prosecuted. Companies have hired foreign groups to deploy cyber "weapons" hoping to prevent future hacks. There is an effort to create legislation that would allow companies and civilians to act in their own defense without fear of prosecution.

Despite the amount of investment and innovation in Cyber Security technology, the threat landscape is widening and the risk of a data breach is increasing. Humans are the problem: our lack of understanding about Cyber risk, coupled with our desire for convenience, creates opportunities for bad actors. The expanding role of the CISO is critical to engaging, educating, and helping senior executives effectively address cyber risk. As one speaker put it, there are two kinds of companies: those that have been hacked, and those that don't yet know they've been hacked.

In another blog post I'll dive into more details about Cyber risk and its ties to resilience.