Every good chief information security officer (CISO) knows that a potentially existential cyber attack, whether from an external or internal source, looms ahead.
There is no “if” for the CISO. Rather, “who, what, where, when, and how” dominate the thought process.
The good CISOs know the punch is coming. The great CISOs anticipate the punches and take proactive measures to avoid, deflect, and/or minimise any punches thrown their way.
In this section, I will share some due care and due diligence actions CISOs and their organisations should accomplish to prepare to survive a potentially “existential cyber punch”.
The first step a CISO should take is to understand their key cyber terrain. CISOs need to understand their organisation’s strategy, mission, goals and objectives.
They should know their organisation’s processes and information, their value, and the impact on their organisation’s operations.
Frederick the Great supposedly said, “he who defends everything, defends nothing”. Sadly, most cyber security organisations attempt to defend every piece of information equally. As a consequence, these well-intentioned folks spend $1,000 trying to protect information worth a penny and $1,000 trying to protect information valued in the millions.
That’s a losing strategy in today’s highly contested cyber environment. World-class cyber organisations understand the value of their information and then invest in defences proportionate to the information’s value.
Top-notch organisations understand the threat environment well. They invest time and effort to maintain situational awareness as to who also values their information and could serve as a threat. They understand that threats may come from many vectors including the physical environment, natural disasters, or human threats.
Further, they understand that human threats include such entities as vandals, muggers, burglars, spies, saboteurs, and careless, negligent or indifferent personnel in their own ranks. They invest in information sharing organisations, subscribe to threat information sources, and share their own observations as part of the Cyber Neighbourhood Watch construct.
These organisations also know the importance of maintaining positive relationships with the cyber divisions of law enforcement organisations. Even before you have been attacked, your local cyber law enforcement organisation can serve as a rich source of threat intelligence that can help you better manage your cyber risk exposure.
Because cyber criminals and nation-state actors operate in campaign-like fashion, the chances are extremely high that when they are looking to harvest information they are not targeting a single organisation; they are working across a whole sector.
Cyber law enforcement personnel may have knowledge of reconnaissance or attacks against others in your “cyber neighbourhood” and can help you best align your defences. Get to know your local law enforcement personnel because the time to exchange business cards is not during a crisis!
The grand strategy
Armed with the knowledge of the organisational mission, goals, objectives, and information, the CISO, in partnership with other executives across the organisation, develops a cyber strategy in support of the organisation’s grand strategy.
In today’s cyber environment, where your information may be on-premises, colocated in datacentres, in multiple clouds, and on multiple mobile devices, I recommend the zero trust security strategy as the best approach to securing your data. In essence, nothing is trusted by default, and being inside the corporate network earns no trust at all. Every request is authenticated and authorised on its own merits, and individuals are connected only to the information they are authorised to access, thus enforcing the principle of least privilege.
The successful implementation of such a strategy reduces your attack surface, secures access to your information, and limits how far an adversary who does get in can move. With so many third-party partners helping you operate your cyber enterprise, whom should you trust? Nobody! Implement the zero trust security strategy.
Great CISOs lead great cyber organisations that know themselves very well. They understand their strengths and weaknesses and make risk decisions every day as part of the larger corporate risk management program.
They bring in expertise such as independent third-party penetration testing organisations to look for evidence of weaknesses. They sponsor “bug bounties” where they offer a reward for external entities that discover unknown weaknesses in their defence. They continually monitor and control their environment and stay extremely vigilant.
Lessons learned from stunning cyber breaches of organisations like Target, Home Depot, Equifax, the National Security Agency, and the Office of Personnel Management, highlight the need to ensure that you have the right people, with the right training, executing the right processes the right way at the right time, with the right technology to successfully achieve your goals.
Such a chain of action is extremely fragile. Great CISOs make sure they create a resilient architecture that “can take a punch and keep going”. A cyber attack should not take an organisation to its knees or destroy it.
Your security architecture should recognise that you need the ability to effectively and quickly detect when you are under attack and enable immediate and effective response. Adversaries work 24x7 and your defences have to as well.
Great CISOs ensure that their defences are continually operational and monitored. Many small yet visionary organisations work with managed security service providers to maintain after-hour operations and surveillance of cyber defences as an acceptable and affordable alternative to maintaining a large cadre of cyber professionals working around the clock.
Additionally, the best organisations not only segment their network and its information, they micro-segment it, with access to each segment granted per verified identity rather than by network location.
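To make the zero trust and micro-segmentation points above concrete, here is an added illustration (my own example code, not anything from the original column or any product it mentions). It places a perimeter-style decision ("on the corporate LAN, so allow") beside a default-deny policy that verifies the identity, the strength of authentication and the device posture on every request, and then permits only an explicitly granted action on a resource within one micro-segment. The identities, segment names and resources are hypothetical, and the sample requests are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt, evaluated on its own merits every time."""
    identity: str            # principal proven by the IdP ("" if unauthenticated)
    mfa_verified: bool       # strong authentication completed for this session
    device_compliant: bool   # endpoint posture check passed (patched, EDR running)
    source_network: str      # where the packets came from; zero trust ignores this
    segment: str             # micro-segment holding the target resource
    resource: str
    action: str              # "read" or "write"


def perimeter_decide(req: Request) -> tuple[bool, str]:
    """The castle-and-moat model: being on the corporate network is enough."""
    if req.source_network == "corp-lan":
        return True, "allow: inside the perimeter"
    return False, "deny: outside the perimeter"


class ZeroTrustPolicy:
    """Default-deny, identity-centric grants scoped to micro-segments."""

    def __init__(self) -> None:
        # grants[identity][segment][resource] -> set of permitted actions
        self._grants: dict[str, dict[str, dict[str, set[str]]]] = {}

    def grant(self, identity: str, segment: str, resource: str, *actions: str) -> None:
        (self._grants.setdefault(identity, {})
                     .setdefault(segment, {})
                     .setdefault(resource, set())
                     .update(actions))

    def decide(self, req: Request) -> tuple[bool, str]:
        # 1. Verify who is asking; network position carries no weight at all.
        if not req.identity or req.identity not in self._grants:
            return False, "deny: unknown or unauthenticated identity"
        if not req.mfa_verified:
            return False, "deny: identity not strongly verified"
        if not req.device_compliant:
            return False, "deny: device failed posture check"
        # 2. Least privilege: only an explicit grant for this exact
        #    segment, resource and action allows access. A grant in one
        #    segment says nothing about the same resource name elsewhere.
        allowed = (self._grants[req.identity]
                   .get(req.segment, {})
                   .get(req.resource, set()))
        if req.action not in allowed:
            return False, f"deny: no grant for {req.action} on {req.segment}/{req.resource}"
        return True, "allow: verified identity with explicit grant"


def build_policy() -> ZeroTrustPolicy:
    """Hypothetical grants: an analyst may read payroll, a DBA may read and write."""
    policy = ZeroTrustPolicy()
    policy.grant("alice@example.com", "payroll", "salaries.db", "read")
    policy.grant("dbadmin@example.com", "payroll", "salaries.db", "read", "write")
    return policy


# Constructed sample requests (hypothetical identities, networks and resources).
SAMPLE_REQUESTS = [
    # Unauthenticated box on the LAN: perimeter says yes, zero trust says no.
    Request("", False, False, "corp-lan", "payroll", "salaries.db", "read"),
    # Verified remote user with a read grant: zero trust allows it.
    Request("alice@example.com", True, True, "home-isp", "payroll", "salaries.db", "read"),
    # Same user trying to write: outside her least-privilege grant.
    Request("alice@example.com", True, True, "corp-lan", "payroll", "salaries.db", "write"),
    # Admin from a non-compliant laptop: identity alone is not enough.
    Request("dbadmin@example.com", True, False, "corp-lan", "payroll", "salaries.db", "write"),
    # Admin with a payroll grant reaching into a different micro-segment.
    Request("dbadmin@example.com", True, True, "corp-lan", "hr", "salaries.db", "read"),
]


def compare(requests=SAMPLE_REQUESTS, policy=None) -> list[tuple[bool, bool]]:
    """Return (perimeter_allowed, zero_trust_allowed) for each request."""
    if policy is None:
        policy = build_policy()
    return [(perimeter_decide(r)[0], policy.decide(r)[0]) for r in requests]


if __name__ == "__main__":
    policy = build_policy()
    for r in SAMPLE_REQUESTS:
        print(f"{r.identity or '<anon>':22} {r.source_network:9} "
              f"perimeter={perimeter_decide(r)[1]:30} zero-trust={policy.decide(r)[1]}")
```

Run as a script it prints both verdicts side by side. The perimeter model allows four of the five requests because they arrive from the corporate LAN, including the unauthenticated one; the zero trust policy allows only the remote analyst's read, because that is the single request with a verified identity, a compliant device and an explicit grant in the right segment.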
As the actions above spell out, great organisations identify their assets and protect them commensurate with their value. They plan for every contingency, continually monitor their performance, invest in training and remain in a constant state of alert.
The best organisations conduct cyber drills, tests, and exercises on a regular basis with participants from every part of the organisation, including its executives.
They continually evaluate the effectiveness of their equipment, architecture, process, and their people as a pathway for improvement.
Great organisations know that cyber security is a risk management issue that affects every aspect of the business and ensure that all employees know their role.