Ibrahim Azab, regional sales director, MEA, Cyber Res, tells Security Advisor how the cybersecurity landscape is changing and what organisations must do to streamline their cybersecurity approach.
The cybersecurity industry is in an exciting space today: The constant growth of the attack surface, new attack vectors and the consequent challenge in cyber defence and methods of resilience, all make it an interesting and creative place to be in.
There used to be a time when organisations had pre-defined assets and perimeters and one policy that ruled them all. Today, technology is the accelerator of development and the security landscape is in a constant flux with cloud services, automation, IoT, hybrid working methods and different data management solutions.
In this context, risk assessment and management, too, have undergone systematic change. Today, it is a constant challenge to find ways to rejig organisational processes, products and procedures to minimise the impact of cyberattacks on people and businesses.
Who’s the biggest adversary?
Very often, organisations make the mistake of zeroing-in on the wrong adversary or attack surface as the biggest threat: In my opinion, the single most formidable opponent that all businesses everywhere must fear, is the state of being unprepared. Look at it this way: threats will always happen-in fact, the nature of these will be complex, complicated and unexpected. One only has to look around at the recent cases of devastating cyberattacks and corporate espionage, to realise this. If organisations do not recognise the signs and begin working on a comprehensive resilience strategy, then that’s where the whole problem lies, and such organisations will be the biggest hit. Remember this: there’s no such thing as “if” in cybersecurity. With the frequency with which attacks are happening today, the only question is “when.”
The numbers challenge
Perhaps, the biggest challenge faced by smaller organisations and businesses today is that of small teams and the fear of signing on large cybersecurity agencies or even appointing a Chief Information Security Officer (CISO). In fact, many of them are content with over-the-counter software to take care of the defence part, which we all know, is hardly enough.
In such cases, I’d recommend two approaches to the problem: If an organisation thinks that it has invested significantly in skills and cybersecurity solutions, then they should consider moving to the next stage: investing in automation solutions. These solutions will take on the level-1 events-those that are most common, giving organisations enough time and space to focus on the more critical, serious attacks.
The second approach for those organisations that lack the necessary cyber defence skills but are growing in every other respect, is to join hands with a cybersecurity agency that will help them build a solid and stable cyber defence mechanism. However, they should be careful selecting the right company, since no two security agencies have the same approach or the same kind of product. Each organisation must sit with the cybersecurity agency, get to know each other well and then come up with a defence strategy that works best.
In each of these cases, though, it is critical to appoint a CISO to take charge of the entire cybersecurity management of the organisation and is engaged full-time in defending important data. Not only must the CISO oversee the security technologies and solutions and define suitable controls and standards based on the company’s geographical location and the regulatory frameworks in place in that location, but he must also implement the entire cybersecurity strategy of the organisation, whether it is done by internal teams or by an outside organisation.
My data is breached, what do I do now?
This is the most important question that businesses ask today. I firmly believe that in this case, the most important thing to do is to communicate and be transparent. Instead of shifting the blame or hiding facts, any organisation that realises it is breached must make sure that all of its employees and stakeholders are made aware of the situation. This is the time to put in place a well-defined communication plan. This allows everyone in the organisation to step up, be alert and involve their teams in planning for co-ordinated activities.
Secondly, learn from your mistakes. Re-evaluate the cybersecurity strategy and program. Conduct a comprehensive risk assessment to assess the new risk appetite and the defence strategies in place. Optimise the existing technology, people and processes to identify gaps and address issues.
How to streamline the cybersecurity approach
There are five things all organisations must keep in mind to make sure that cybersecurity strategies work and are resilient enough.
- Implement a comprehensive cyber-resilience program: For this to happen, companies must have a proper governance plan that defines ownership, accountability, risks and compliance. Very often, organisations mistake cyber resilience programs for a set of IT procedures or a security policy document.
- Define data assets:In order to derive maximum value from their data, it is imperative for organisations to understand their data and have an end-to-end privacy policy in place. This framework should comprise deliverables to ensure data resilience, data insights and data usability, throughout the entire data lifecycle.
- Understand that cybersecurity is a system, not just technology:It is important to understand that people are as important in a cyber resilience strategy, as technology. So implement technology controls where applicable, but make sure to involve people in the whole program, especially when it comes to reporting security violations or change in governance policies.
- Keep policies simple and easy to fathom: This is one of the most important aspects, and yet, the most abused. In order to have a cyber resilience strategy that works, organisations must understand the difference between ‘policy,’ ‘standard,’ ‘procedure’ and ‘product.’ A policy is a directive that has a goal, enough information to support it and does not change very often. Standard refers to the rubric by which implementation and compliance are measured. Procedures are the immediate steps to achieve the goal, and this can change frequently, from time to time.
- Have a crisis communication plan in place: Every organisation MUST have a plan to deal with sudden, unexpected disruptions to their business, especially those that threaten its survival. This communication plan should comprise details like how a crisis is tackled, who in the organisation should be the first to deal with it, by when the crisis is expected to be resolved, and specific communication directives to employees and external stakeholders. Each employee and stakeholder must be given clear instructions on their duties at the time, and who is in charge ofwhat-whether it is system restoration or carry out a manual backup or even issue a press/media statement.
