Cyber-attacks can rapidly derail an enterprise’s ability to create value, and their frequency, reach and levels of sophistication continue to grow. While no organization can defend itself from all cyber-attacks, the following three approaches can help bring risk to a manageable level.
Cyber-attacks can rapidly derail an enterprise’s ability to create value, and their frequency, reach and levels of sophistication continue to grow. Leaders unfamiliar with the complexities of cyber defense may fail to recognize the gaps that exist in their digital security strategies. It’s easy to do: regulators and other government bodies compel companies to focus on compliance with specific regulations, drowning out other voices that support dynamic cyber risk management approaches. However, organizations have learned that passing compliance assessments does not equal data security. Likewise, a strategy focused on acquiring the latest security products and add-on applications can quickly drain a security budget while not appreciably improving the organization’s defensive posture.

While no organization can defend itself from all cyber-attacks, the following three approaches can help bring risk to a manageable level:
1. Actively engage to make the business a better security “customer”
2. Strengthen the partnership between the business and security
3. Continuously exercise organizational defenses
Actively engage to make the business a better security “customer”

A solid cyber defense requires that partnerships are formed among an organization’s business stakeholders, its risk management office and the security team, a relationship that asks every employee to be responsible for security. The organization’s ability to detect and eliminate cyber threats drops precipitously if the business stakeholders fail to cooperate fully with the security team. Some typical challenges include:
• Security lacks sufficient top management access: Most companies recognize that digital security is an important agenda item, but in many cases the Chief Information Security Officer (CISO) does not have top-level access.
• The front lines remain unengaged in security issues: Often, employees do not care enough about security to change their behavior. Articulating the importance of security, and doing it in an engaging manner, starts at the top.
• Ambiguity regarding who “owns” the systems under attack: Business teams are agile and entrepreneurial, creating new applications and data stores to meet customer demands. Once an attack happens, the security team needs to know who “owns” the compromised system, or actions will be impeded and the effectiveness of the response reduced.
Strengthen the partnership between the business and security

Leaders can align the business side’s commercial needs and the security team’s cyber defense requirements by forging an effective business and security partnership. Four elements of such a partnership are:
• Keep security on the agenda: If organizations can operate under a concept called ‘presumption of breach,’ acknowledging that a hacker will get into their networks, their perspective and alignment on the right security strategy can become laser focused.
• Recognize the complexity of the challenge: Organizations need to understand the complexity of the systems they are defending and determine where to “set the bar” regarding loss tolerance. Part of the challenge is recognizing the complexity of roles: the organization has revenue goals and other business targets, and the security team has its own set of objectives.
• Work together to identify the organization’s critical data: The task often seems overwhelming to organizations because not all risk can be mitigated; however, it becomes very manageable when an organization can pinpoint its most consequential risks in the relevant networks and give them the greatest level of protection.
• Evolve the organizational culture to attract and retain top-tier security talent: The best companies tend to think proactively about talent pools; this involves working with universities to develop key cyber defense recruits and looking for expertise outside of normal channels.
Continuously exercise organizational defenses

Business leaders should also focus on developing organizational defenses in the following ways:
• Relentlessly test defenses: Organizations leading the way in cyber defense train with a third-party “sparring partner” imbued with all of the skills and technologies (but none of the malice) that attackers bring to bear. A boxer who trains exclusively with a static punching bag won’t stand a chance against a real opponent. Likewise, an enterprise focused totally on conventional static defenses will quickly fall prey to today’s increasingly aggressive digital attackers.
• Hunt inside the organization’s defenses: Assume that security is already compromised and constantly look for intruders across the entire environment.
• Improve response effectiveness: As the organization spars with an elite security assessment team, going through the same tactics an attacker would use, it develops ‘muscle memory’ over time. Organizations that spar repetitively and consistently work more effectively to minimize an event’s impact.
The intensity and seriousness of current digital attacks make cybercrimes uniquely dangerous for businesses. In this confusing new environment, many leaders wonder what they can do to make their companies more resilient. Once an enterprise takes the pulse of its cyber defense strengths and weaknesses, it should develop 100-day and 365-day plans to build the momentum needed to realize its cyber defense goals.