Rapid digitisation across industries, integration of operational technologies (OT), increased inclusion of third parties in business functions and a heightened focus on regulatory laws such as the General Data Protection Regulation (GDPR) have compelled chief information security officers (CISOs) to redesign their cybersecurity strategies.
Cyber criminals’ easy access to the dark web, where they can use networking forums and tools and even hire specialised services such as DDoS-as-a-Service, Ransomware-as-a-Service and Phishing-as-a-Service at low prices, has enhanced their repertoire of ‘ready to launch’ attacks. The addition of artificial intelligence (AI) to this arsenal has exponentially increased the complexity of these attacks.
As per recent industry reports, the average cost of a data breach is nearly $4 million, and this is notwithstanding the possible regulatory penalties, which can severely dent the organisation’s bottom line besides damaging its reputation.
All of this requires the CISO to be steps ahead of cyber criminals and their attacks.
While adopting one or more of the following four vectors of business enablers – on premise, mobile, cloud and IoT – chief information officers (CIOs) and CISOs are required to draw a fine line between business agility and cybersecurity. Whilst it might be easier to brick-wall unwarranted exposures in the name of cybersecurity, doing so could cause heartache to a business that is strongly focused on improving its books. While business leaders seek speed and agility, it is vital to assure them that the organisation has the cybersecurity controls needed to deliver business agility with security.
Since the ransomware outbreak in 2017, cybersecurity has been a constant feature of board conversations and a permanent fixture on “Top 5 Risks” lists. A recent survey conducted by Infosys covering over 800 executives across 12 key industries revealed that cybersecurity is a common concern among respondents irrespective of their industry. This reflects the current trend of cyber criminals targeting enterprises across industries.
In today’s hyperconnected and digitised world, cybersecurity has become an important strategic imperative owing to the sophistication of cybercrime. Digital businesses require complex and distributed interactions among people, applications and data – on-premise, off-premise, on mobile devices and in the cloud. The result is an expanded attack surface that is hard to protect and defend. As the perimeter continues to diminish, visibility into the environment gets tougher. Operational Technology (OT) and the Internet of Things (IoT) massively expand the scope of security strategy and operations. When this is combined with a massively distributed fleet of autonomous, decision-making devices that directly affect the physical state of people and things, there is considerable risk to manage. This issue is not limited to the CISO but needs the involvement and sponsorship of the leadership and the board.
Building a strong and secure core
Lack of knowledge of its crown jewels is one of the prime grey areas for any business, as a deep understanding of them is the starting point for knowing what it should protect in the first place. For instance, a cybersecurity program for a healthcare organisation must include the mandatory regulatory compliance; similarly, for an e-commerce business, credit card data is the most critical information.
An enterprise must strategise on a strong cybersecurity framework that considers both present and future threats and lays out the investments required in people, processes and technology while facilitating a controlled cultural change. The board of an organisation must be invested in the cybersecurity program, and the CISO must commit to relentless implementation and maintenance of policies, processes, procedures, standards and guidelines based on its risk exposure and appetite.
There are several best practices that can be adopted to strengthen an organisation’s cybersecurity.
Institutionalise a robust cybersecurity strategy
Organisations must consider cybersecurity an integral part of their business. A successful cybersecurity strategy will align strongly with the organisation’s business goals and with its industry context, supported by a well-designed cybersecurity governance program that includes a metrics program to allow constant measurement, recalibration and prioritisation of controls. Aligning the strategy to industry-leading standards and frameworks such as the NIST Cyber Security Framework and ISO 27001 will help assure the board and the CISO that a strong set of baseline controls is in place.
Organisations may invest millions to implement and manage their cybersecurity, but security is only as strong as its weakest link – humans. Every CISO must focus on the security awareness program to constantly, and innovatively, remind every employee in the organisation why they must inculcate a security mindset and how important they are to the security of the organisation.
Embedding security in the enterprise architecture
Cybersecurity infrastructure and application security architecture are the foundational technological elements for every organisation. Security cannot be an ‘add on’ towards the end; it must be built in at every stage of the business cycle to ensure that all projects, processes and infrastructure are well protected right from the conceptualisation stage. Early engagement with security architecture experts and DevSecOps will give maximum visibility, minimise risks and ensure compliance as part of the process, thereby ensuring secure-by-design from the word go.
Risk, statutory and regulatory compliance
With the onset of GDPR and similar privacy and cybersecurity requirements affecting businesses globally, the need to keep a close watch on all risk, statutory and regulatory compliance mandates round the clock has become paramount. A question such as ‘Do I know which laws of the land I need to adhere to in all the countries my organisation operates in?’ could be a starting point for a CISO to introspect on this topic.
In spite of an organisation’s investments and relentless efforts in cybersecurity maturity management, incidents happen. What then matters is ‘How do we ensure cyber resilience during adverse events?’ Implementing a comprehensive cyber resilience program will help organisations recover quickly, and most of the time seamlessly, so that the business is not interrupted.
Cybersecurity team
Last but not least, subject matter experts in the various fields of cybersecurity are critical for a CISO’s group. The digital and threat landscape has grown exponentially in recent years, resulting in the need for a large pool of cybersecurity professionals. Hiring, continuously training and retaining them is crucial to ensure that the organisation’s cyber agenda is met as desired, thereby protecting the business at all times.
Lastly, it is important for companies to be able to scale up and address new threats arising from emerging technologies, changes in market conditions or even government policies. For organisations with low security maturity, approaching a service provider that specialises in security solutions can sometimes be the best first step towards securing their business.
Views are personal.
The author is chief information security officer & head of cyber security practice – Infosys.