The Security Interviews: Cyber security is about managing risk effectively

One of your recommendations to CIOs and CISOs is to work on simplifying IT environments to improve management and security. But how do you start doing this? Are there different models to achieve this? What do you think is the best way to do it?

Kris Lovejoy: It is always easiest to approach simplification within the lens of “critical services first”. Assuming you have an accurate understanding of those systems which support critical business opportunities, I would recommend CIOs and CISOs analyse security controls to determine if there is an opportunity to consolidate vendors and reduce cost, with the objective of shifting savings to control automation.

In parallel, for systems that are non-critical, consider options for removing them from use or at least radically simplifying the infrastructure that supports their operation. Regardless of where you are in that journey, keep in mind that success is dependent on a culture of collaboration and dedication to continuous improvement. Without these ingredients, any simplification journey will fail.

Cyber security threats and risk may come from multiple fronts, and they constantly evolve. Are AI-enabled tools ready to successfully identify them?

Lovejoy: More and more, AI is enhancing organisations’ ability to identify and detect potential threats and vulnerabilities in a much faster and streamlined way. With high levels of data flowing into security teams daily, it has become a major challenge to make sense of it all.

As a result, organisations have been using machine learning and AI to sift through the noise in a more effective way by utilising automation and analytics techniques. We see generative AI as the next evolution of AI and machine learning. If proper guardrails are implemented, generative AI could take the next step to enhance our ability even further to analyse those threats more quickly and make the security team more effective.

How can you train employees to deal with AI-amplified attacks?

Lovejoy: The cyber resilience landscape becomes more complex each year. Sophisticated and well-funded actors, increased rates of successful disruptive attacks like ransomware and denial of service attacks, skills shortages, budget restrictions, a growing real estate of vulnerable legacy devices and increasingly prescriptive cyber regulations have made managing cyber security more challenging than ever before.

While organisations can take the right steps to track these changing dynamics and implement strong safeguards to protect their business, the workforce continues to remain the weakest link. Generative AI is proving to be an increasingly effective technology which can be used to exploit that link.

To counter the risk, leaders should cultivate a company culture that values responsibility and transparency. This involves empowering employees to actively contribute to creating a cyber-resilient environment and emphasising the importance of reporting security issues without fear of repercussions.

More tactically, investing in cyber security training, table-top exercises, testing and cyber simulations are crucial to ensure that employees understand the significance of the training and retain the information.

With the rise in generative AI, many organisations are eager to adapt. For organisations looking to engage with AI projects, how can they navigate these challenges?

Lovejoy: Organisations are entering uncharted –and largely unregulated– areas of ethically and responsibly developing and using autonomous technology. It is important to keep these strategies in mind – and do so in a systematic and risk-sensitised way.

Look to emerging AI standards for guidance. Pay attention to the source and integrity of the data. Begin the generative AI journey with a use case – one of the most effective approaches to successfully using GenAI is in customer support.

While AI is tremendously appealing and well intentioned, it also has the potential to wreak havoc if not properly guided and managed. Because of this, appropriate guardrails and governance must be set from the start for AI to function as a trusted companion for businesses. And it is critical that these guardrails appropriately strike the balance between managing risks and enabling sustained innovation and growth.

What should be considered when developing a cyber security strategy that can be successful? What is the first step a CISO should take? How do you achieve an adequate state of protection?

Lovejoy: Cyber security is a risk management process. This allows an organisation to identify, protect against, withstand and recover from cyber attacks, which can impact business operations and data.

A good cyber security strategy will always start with defining business risk tolerance – how much risk is the business willing to take? No risk, minimal risk, moderate risk, other? This requires CISOs to engage the business from the start and clearly define a shared understanding of what “good” looks like.

“With high levels of data flowing into security teams daily, it has become a major challenge to make sense of it all”

Kris Lovejoy, Kyndryl

With this understanding, it becomes possible for a CISO to craft a logical strategy – based on a risk framework – that allows them to describe in concrete terms what investments or actions are going to support risk reduction efforts. It then becomes a matter for management to determine whether the risk/reward trade-off is acceptable.

By creating a strategy based on the common understanding of “what’s good enough”, the CISO won’t be left “holding the bag” when the inevitable breach occurs.

Another major reason CISOs fail in strategy development is that they try to secure what is inherently not securable. Today, most organisations have a range of legacy assets that will never be safe for use. In this circumstance the CISO needs to become the primary champion of modernisation in support of more resilient business operations.

How does data quality relate to security?

Lovejoy: There is an old adage – bad data in, bad data out. In an age where we become more and more reliant on AI, we must recognise the absolute truth of that statement – reliable data, where provenance and integrity are ensured at minimum, is the foundation for any form of analytics. This is an area where I see organisations at significant risk.

While there is healthy discussion about ethics and security around AI algorithms, we often fail to consider the provenance and integrity of the data we use to feed the algorithms. It is critical we ask ourselves: can we trust the data hasn’t been manipulated? Keep in mind, once an AI algorithm has been trained, it is almost impossible to go back and "untrain" by removing features representing the bad data.

Think of it as if you were training a child. Just as you cannot make a child “unsee” what they have watched on TV, you cannot easily make AI unsee the data it has been fed.

How is business resilience achieved? Do you think that companies have a good understanding of this concept and what it entails?

Lovejoy: Kyndryl has adopted a distinctive approach to address customers’ need to ensure resilience of their digitally enabled business. We have encapsulated the approach in what we term cyber resilience. We define this as the capacity to anticipate, protect against, withstand, and recover from any adverse condition, disruption or compromise affecting a cyber-enabled business.

We strongly believe that organisations must go beyond a myopic focus on traditional cyber security threats, and consider anticipating, protecting, withstanding and recovering from various disruptions to their cyber-enabled business, such as ransomware attacks, hurricanes, floods, power outages, pandemics and more.

This can be achieved through adoption of a cyber risk management framework which looks through the broad aperture described above.

While this may be a statement about human behaviour, we have seen that those organisations with mature awareness reside in countries or operate in sectors that are regulated. Without regulation, organisations tend to only invest after experiencing an incident. Looking at a map of cyber regulation, it becomes easy to predict which organisations will fare better than others in the face of a significant disruption or breach.