By Cheryl Martin, Partner/Principal, Other Advisory.
Cyber risk is a bigger issue now than it’s ever been, but organizations still may not be taking a sufficiently broad view.
Picture a hacker.
Did you just picture a greasy, loft-bound “hacktivist” performing random attacks on corporations out of some vaguely directed sense of anarchy?
Or did you picture a large, multimember organization, possibly a nation state or a criminal network, whose attacks are planned months in advance and deployed with massive resources and well-defined strategic goals?
A decade ago, the first figure would have been the bogeyman of IT departments. But now, as major incidents have shown, it’s the latter that should cause real concern.
This changing threat landscape means that organizations may need to change their mentality fundamentally when it comes to addressing and mitigating cyber risk.
Perception is beginning to shift: in the EY 2016-17 Global Information Security Survey (GISS), 56% of the 1,735 organizations surveyed rated criminal syndicates as the most likely source of attack. But how can organizational leadership respond to this new era of cyber threat?
Cybersecurity needs to get operational
An important thing for the C-suite to bear in mind is that cybersecurity is no longer just a technical responsibility — it should be an operational responsibility as well. For leadership, it should also be a question of “What steps do we need to take to manage threats as they emerge?”
Mitigating cyber risk doesn’t just mean allocating resources to your IT department so that it can buy and maintain the latest firewall. It also involves communicating the scale of the risk to stakeholders across the whole firm, and taking organizational steps to reduce that risk, such as mapping key assets and putting contingency plans in place.
Part of protecting an organization's assets could be as simple as defining, and then enforcing, who should have access to which data within the company, and who should not. After all, according to the EY 2016-17 GISS, 74% of businesses say that careless employees are their top cyber vulnerability, a persistent finding since the internet became a common feature of the workplace.
Protecting the crown jewels
Another important thing to remember is that you probably can't stop all cyber attacks. A degree of cyber exposure is to be expected. It is not a question of if, but of when.
One way organizations can make themselves more resilient is to understand and map what we call their "crown jewels." These are the company's most valuable assets: the assets that would-be cyber criminals would most like to get their hands on, and those whose compromise would cause the most damage to the company, whether reputational or financial.
Do you know your most valuable assets?
These crown jewels take some interesting forms. You may not be surprised to learn that customer payment details are an important asset for an online billing company. But for a pharmaceuticals company, the crown jewels might not be its chemical formulas, but its operational technology (OT): the machines that make its products.
A stolen patent can be contested in court; but a worm that sabotages precision machinery could set production back years. Other manufacturers could also be subjected to similar kinds of industrial sabotage — or even political sabotage.
The organization's assets need mapping as well as protecting. This could mean deploying discovery tools, which give the organization as complete a view as possible of what assets it actually has and how exposed each one is relative to the others, so that risk exposure can be managed rather than guessed at. An inventory that is never reconciled against what the organization believes it owns is of limited use; the value is in the gaps it reveals.
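As an added illustration of the mapping step (this is example code, not code from the article or from EY), the script below reconciles what a discovery tool actually found against the organization's own asset register. It flags hosts nobody registered, registered assets that have gone dark, and services on crown-jewel assets that fall outside their documented baseline, listing crown-jewel exposures first. The register entries, hostnames, ports and scan results are all constructed for the example.

```python
"""Reconcile a discovered-asset inventory against the asset register.

Added example, not code from the article or from EY. All hosts, services
and register entries below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RegisteredAsset:
    host: str
    owner: str
    crown_jewel: bool
    allowed_ports: frozenset = field(default_factory=frozenset)


# Hypothetical asset register: what the organization *thinks* it has,
# with the services each asset is documented to expose.
REGISTER = {
    "erp-db-01":  RegisteredAsset("erp-db-01",  "finance", True,  frozenset({1433})),
    "plc-line-3": RegisteredAsset("plc-line-3", "ot-eng",  True,  frozenset({502})),
    "web-01":     RegisteredAsset("web-01",     "it",      False, frozenset({80, 443})),
    "legacy-fs":  RegisteredAsset("legacy-fs",  "it",      False, frozenset({445})),
}

# Constructed discovery-tool output: (host, open_port, service_name).
DISCOVERED = [
    ("erp-db-01", 1433, "mssql"),
    ("plc-line-3", 502, "modbus"),
    ("plc-line-3", 80, "http"),        # undocumented web interface on OT gear
    ("web-01", 443, "https"),
    ("build-box-7", 22, "ssh"),        # never registered
    ("build-box-7", 5900, "vnc"),
]


def reconcile(register, discovered):
    """Compare discovered services with the register and return findings.

    Returns a dict with three sorted lists:
      unregistered: hosts seen on the network but absent from the register
      unseen:       registered hosts the discovery run did not find
      exposures:    (host, port, service, is_crown_jewel) for services not
                    in the asset's documented baseline, crown jewels first
    """
    seen = {}
    for host, port, service in discovered:
        seen.setdefault(host, {})[port] = service

    unregistered = sorted(h for h in seen if h not in register)
    unseen = sorted(h for h in register if h not in seen)

    exposures = []
    for host, ports in seen.items():
        asset = register.get(host)
        if asset is None:
            continue  # already reported under "unregistered"
        for port in sorted(ports):
            if port not in asset.allowed_ports:
                exposures.append((host, port, ports[port], asset.crown_jewel))
    # Crown-jewel exposures first, then stable order by host and port.
    exposures.sort(key=lambda e: (not e[3], e[0], e[1]))

    return {"unregistered": unregistered, "unseen": unseen, "exposures": exposures}


if __name__ == "__main__":
    for category, items in reconcile(REGISTER, DISCOVERED).items():
        print(category)
        for item in items:
            print("   ", item)
```

The ordering is deliberate: an undocumented HTTP interface on a production line controller is the pharmaceuticals case above, and it should surface before a stray VNC port on a build machine. Two practical caveats: the register is only as good as the process that keeps it current, which is why the "unseen" list matters as much as the "unregistered" one, and active scanning of OT equipment can itself disrupt fragile devices, so passive discovery is usually preferred on those networks.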
The creation and operation of a cyber management framework
While we may have painted a picture of despair, filled with criminal syndicates and rogue employees looking to cause disruption at every step, the reality is more encouraging. An organization that combines a forward-thinking cybersecurity strategy with external expert resources can mitigate risk proactively and in a way that supports, rather than obstructs, the organizational strategy.
An effective cyber management framework can enable and encourage collaboration between the in-house cybersecurity function and a managed external function, often referred to as a managed security operations center (MSOC). Rather than an organization's cybersecurity function being a group of techies shut away in one corner of the office, an MSOC approach takes a holistic, proactive view of cybersecurity and puts risk exposure in its business context.
This approach can address the need for cross-functional cooperation when managing cyber risk. A lack of clarity about other departments' needs, risk tolerance and operational requirements can lead to suboptimal security solutions, which in turn create avoidable cyber vulnerabilities.
The heads of OT departments tend to be skilled engineers. But their view of technical operations, and their risk tolerance, are sometimes at odds with other parts of the organization, including the IT department. By employing broad organizational risk mitigation strategies, the MSOC approach focuses on collaboration and aims to build solutions that cater to the needs of the various organizational stakeholders.
Forward-looking options can include technological capabilities, such as analytics tools that learn the normal layout and behaviour of your digital systems and can distinguish between legitimate software being deployed by the IT department and genuinely hostile activity. However, the main aim is to bring the diverse functions of the organization together in the common understanding that maintaining operational resilience in the face of cyber threat is everyone's responsibility, and to streamline those responsibilities into one coherent strategy.
Keeping an eye on the big picture
Ultimately, a strong cyber risk management strategy should take account of the wider cyber risk landscape. That means continued understanding that the bad guys are bigger, badder and better organized than ever, and recognition of the impact this can have on organizations.
But it also means understanding that containing risk means more than just increasing your IT budget without a strategic focus. It should translate into an organizational understanding of what attackers want, what most needs protection, your tolerance to incidents, and clear articulation of the responsibilities of each person in the organization. The EY 2016-17 GISS describes how the concept of Sense – Resist – React to threats can help an organization achieve cyber resilience. The addition of an external MSOC to your cybersecurity capabilities could be your first significant step towards protecting your crown jewels.
To learn more about (Managed) SOC, watch our webcast “Is your biggest cyber risk the one you cannot see coming?”.