By John Penn, Security Propositions Architect at BT
The rapidly evolving cybersecurity threat landscape is not breaking news. Yet many organisations, for a multitude of reasons, such as budget constraints and skills shortages, aren’t reaching the level of cyber maturity needed to be resilient in the current threat landscape.
While making sure the proverbial front door is locked and the right technology and processes are in place to prevent cyber-attacks, many organisations are leaving a window open by failing to adequately plan for when the front-line defences are breached.
This year’s Global Cybersecurity Outlook Insight Report from the World Economic Forum (WEF) sounded the alarm on cyber inequity, or the widening gap between cyber-resilient organisations and those that are not.
Cybersecurity protection begins with prevention but shouldn’t stop there. To create a truly resilient cyber strategy, we need to consider a holistic approach that includes the five S’s: stability, security, skills, sustainability and sovereignty.
Only when this five-part cybersecurity strategy is integrated into your organisation’s fabric as a shared responsibility can you stay ahead of threats, create resiliency from the inside out, and safeguard your valuable assets.
Stability: An all-fronts resiliency plan requires establishing a baseline to understand your current cyber security maturity. Many Australian companies have robust preventative tools but lack adequate detection and recovery strategies. So, defining a strategy that highlights weak points and progresses you towards a target end state is critical. Consider what policies and guardrails, data handling procedures, incident response plans, and regular security assessments you might need to ensure this. Another crucial area of consideration is an assessment of your supply chain and third-party risk, particularly in light of the dramatic drop in cyber resilience identified in the WEF report.
Security: Once your plans are defined, it is important to assess your current technology mix and determine whether it still meets your needs. A defence-in-depth strategy will provide you with layers of protection. This should include data security, application security, identity security, endpoint, network and cloud security. It is essential to include preventative controls that consider how well you are able to detect threats, and whether your detection and response capabilities need review. One security buzzword worth looking into is zero trust. Rather than another technology, it’s more of a pathway to guide your direction of travel towards your end-state goal.
Skills: When it comes to the people on the bus, there are four groups that you’ll need to think about. The first is your general user community. They are your first line of defence, and security awareness training coupled with a blameless culture is critical to switching on your ‘human firewall’.
Second is the skillset and capacity of your cyber team. Do they have the right training to get the best out of the tools you’ve got (and are planning to deploy)? And, more importantly, do they have the bandwidth to manage the current alert load?
Closely aligned to this are the skills of your managed security services partner. Are they freeing your team up to give them time to concentrate on higher-value activities? And are they supporting you with proactive enhancements to help improve their services?
Lastly, consider the executive cyber mindset. Is the executive team on board with the strategy? Have you been able to clearly articulate the benefits and provide regular progress updates? Top-level buy-in is crucial to continuity.
Sustainability: Managing your cyber threat landscape is critical to business sustainability and continuity. Cyber incidents are more likely a ‘when’ not an ‘if’ scenario. The key to business continuity is being able to recover quickly. The unfortunate truth is that practice makes perfect, so look for ways of testing your plans and teams ahead of a real cyber incident, when the spotlight of government regulation may be shining brightly on you.
Sovereignty: Governments worldwide have increased their focus on data sovereignty, reflected in the introduction of tighter industry regulations. What’s important for you to understand is where your data is stored, including in your cloud services, and where it travels in transit over your networks. Does the traffic pass through undesirable locations? What happens if there is an outage in your core provider’s network? Where will they re-route your traffic? How familiar are you with your cloud provider’s shared responsibility model? You must have knowledge and transparency over your data to effectively manage these and meet your compliance requirements.
As navigating the cyber threat landscape becomes increasingly complex, there’s never been more pressure on CIOs and CISOs to create truly resilient systems against cyber threats.
Thinking through the five S’s can help ensure cyber security maturity, which means that your front door and windows are truly secure.