printer friendly version

Resilience is a collaborative effort

Cyber resilience and cybersecurity are not the same thing, despite the efforts of many to promote a technical solution as a cyber resilience solution. Cyber resilience is about collaboration – enterprise-wide collaboration between IT and almost everyone else connected with the business.

Wayne Olsen, managing executive for cybersecurity at BCX, explains that while cyber resilience is an enterprise risk strategy designed to protect the organisation from cyber breaches and exploitation, to be cyber resilient requires collaboration. In fact, he says many of the failures of supposedly cyber resilient companies are the result of a lack of collaboration.

The foundation of cyber resilience requires collaboration between the IT department and the rest of the company, from executives to legal, HR to accounting, and so forth. Moreover, it also requires collaboration between the organisation and its supply chain, including partners and customers.

In a world where criminals are able to exploit the smallest hole in your defences, ensuring that the SME you deal with for stationery as well as the manufacturer you deal with for components supports your resilience (and vice versa) is key to managing this risk. Importantly, Olsen says it is not about ensuring they have the latest antivirus installed, but that everyone starts from within (this includes issues such as the demands of the business, data ownership, where you are vulnerable, etc.) to secure their organisation.

Based on organisational objectives

When reviewing or designing a cyber resilience programme, the CISO (chief information security officer) or someone at the executive level must take ownership of the project. No single person can do it alone, but there needs to be one central enabler. The process starts by identifying all the organisation’s assets, its processes and where it is going; and security needs to empower and enable the company to make use of its resources and accomplish its goals.

Instead of building something and then looking at security as an add-on after the fact (asking the CISO to “bubble-wrap it,” in Olsen’s words), security is part of the development process, whether you are developing software, electronic or mechanical systems, or even business processes. When security is built in from the start, it doesn’t become a burden that has to continually be updated or reworked because new features or threats break the bubble-wrap added after the development phase.

Bring your own IT

Covid-19 was responsible for an extremely fast move to digitalisation among companies, as they suddenly had to enable everyone to work from home in the span of a week. The focus was on communications and IT to make this possible, but security was left until last. The result is a big, remote world of vulnerabilities that security teams had to scramble to secure after the fact, and many are still sorting out.

Olsen says the days of BYOD (bring your own device) are long gone and with remote working it is now more a case of BYOIT (bring your own IT). The network the financial manager pays invoices from is the same one their kids use to access social media and other sites that may not be the safest. The cyber resilient organisation needs to build these risks into its resilience programme from the start or be left chasing its tail as it tries to put out fires (as has happened to many since 2020).

This relates back to asset identification and management. It’s easy to know how many employees the company has or how many cars or buildings, but what about your digital assets? Not only do you have to cater for the ‘official’ digital assets bought – computers, laptops, smartphones, etc. – but also for the devices used by people without the company knowing. And then you include the IoT world where there are billions of devices able to communicate, as well as operational systems that are also connected, and asset identification become a lot more complex.

No single thing

Olsen adds that there is “no single thing” a company can do to be cyber resilient. It’s crucial to understand the whole attack surface, which includes everything from business email compromise (BEC) vulnerabilities to product development and deployment, where speed to market often takes priority over everything else. Moreover, you need a plan (more formally known as an incident response plan).

When hit with some form of cyberattack or major equipment failure, just beating up on the security or IT guys is not constructive (and wastes time needed to recover). The company needs a plan to identify the problem, know who is responsible for that area of the business (responsible in terms of managing the defence and recovery process, not who is to blame) and implement a remediation strategy. This includes IT, HR, PR and even partner and customer relationship managers.

In summing up, Olsen explains that ‘cyber fatigue’ is a real thing, and many companies and security operators are exhausted by putting out fires in one place just to find out there are three more waiting for them to handle over the weekend. He stresses that while technology is part of the solution, buying more technology is not the solution.

Hoping technology makes you cyber resilient is like sticking a plaster (or a Band-Aid for international readers) on a gaping wound. You can keep adding more plasters but eventually they will fail, and you will see that the original wound is still there, but now it’s infected and causing more problems than ever. The CISO needs to understand that cyber resilience means getting to the cause of the problem and dealing with it there, not after a breach.

This can be assisted with automation. Just like false alarms are a curse for physical security companies, control room operators and managers, false cyber alarms are merely diversions that exhaust people and keep your eyes off the serious problems that need attention. With the number of devices that are connected and are going to be connected in the next few years, no organisation will manage the challenge of focusing on what really matters if they don’t have an automated mechanism to sift out the false alarms.

From a BCX perspective, Olsen says that the company operates a security operations centre where it offers the traditional cybersecurity monitoring services (via automated systems and skilled human operators for managed services and responses), but it sees itself as an orchestration point for customer security. It therefore also offers services such as incident response services, CISO-as-a-service, as well as SIEM-as-a-service (security information and event management) and other solutions to help companies that either don’t have the budget for a dedicated cyber resilience enabler or that can’t find the right skills.

The benefit of this approach is that all information is centrally controlled, so that a certain attack on one customer educates everyone on what to look out for to prevent it happening elsewhere – everyone includes the platform itself. Sharing information and learning from each other enables his team members to cross-skill themselves to provide a better all-round service to customers, encompassing IT and OT. A cybersecurity academy is also in the pipeline in the near future.

Share this article:

Further reading: