Forewarned is forearmed
Tips and tricks on core cyber defensive capabilities
In a world increasingly driven by digital technologies and information, cyber threat management is more than just a strategic imperative. It’s a fundamental part of doing business. Yet for many executives and board members, the concept of cyber security remains vague and complex. It might be on your strategic agenda, but what does it really mean? And what can your organization do to shore up its defenses and protect itself from cyber threats? A common myth is that cyber-attacks only happen to certain types of organizations, such as high-profile technology businesses. However, the cold, hard truth is that every organization has valuable data to lose.
Sergio Hernando & Tim Grieveson - June 4, 2015
The good news is you can fight back
Attacks can result in significant tangible costs, ranging from stolen monetary assets and intellectual property to regulatory fines, legal damages, and financial compensations. But those are just the tip of the iceberg. The really significant costs are intangible, such as loss of competitive advantage, loss of customer trust, and damage to an organization’s reputation and brand. Intangibles such as these can have a major impact on an organization’s strategic market position and share price, potentially compromising the long-term sustainability of any given business.
The good news is that cyber threats are a manageable problem, if you have the right preventive, detective and reactive measures in place. A well-balanced cyber defense needs to be secure[1], vigilant[2], and resilient[3]. No organization can ever be 100% secure, but by focusing on these three key attributes, it is entirely possible to manage and mitigate cyber threats in a way that reduces their impact and minimizes their potential for business disruption.
Seven questions to ask yourself
Here are some takeaway questions to reflect on through the lens of a secure, vigilant, and resilient approach to cyber security:
1. Does your security program include a balanced mix of people, processes and technology? Security programs need technical and non-technical components in order to be successful. This creates the need to have strong governance in place, and to operate your security areas as if they were business areas that have to yield measurable and repeatable results. This can only happen with talented professionals and with adequate supporting technology.
2. Are we focused on the right things? Often asked, but difficult to accomplish. Understand how value is created in your organization, know where your critical assets are, and how they are vulnerable to key threats. Practice defense in depth using a top-down approach, from business value to underlying IT.
3. Do you have the right people? Best-of-breed technology under world-class governance is not enough without the right teaming and motivation. Quality over quantity. Be aware that there may not be enough talent to do everything (intelligence, engineering, detection and response) in-house, so take a strategic approach to sourcing decisions. Are the security teams really focused on the relevant areas? Can they manage high quantities of possible security events in a 24x7 operation? Are they sufficiently trained, retained and motivated? Talk to your partners and team up to fill in the gaps.
4. Attempting to deal with this problem using a big bang approach? Forget it. Increase your maturity gradually. This is a transformational journey that requires consistency to achieve results. Start by resolving the lack of basic security capabilities, such as elemental preventive controls. Then move up to a full operational capability, gradually adding detective and reactive controls to your security services catalogue. Don’t forget that the vast majority of incidents are made possible by the lack of basic security controls.
5. Are we incentivizing openness and collaboration? Build strong relationships with partners, law enforcement, regulators, and vendors. Foster internal cooperation across groups and functions, and ensure that people aren’t hiding risks to protect themselves. Security needs to be built through the entire company and its ecosystem.
6. Are we able to adapt to changes? Attackers are relentless, and they constantly innovate and change their approaches to overcome your efforts. Security needs to be built around agility and adaptability, to be able to rapidly accommodate changes in the ever-changing threat and risk landscape.
7. Are you ready to deal with the unknown? Work on your situational awareness and increase your maturity towards a real-time capability in which relevant security events can be detected at early stages, enabling an effective use of the kill chain. Security needs the ability to deal with known threats, but also with the unexpected and the unknown. Just as basic attacks can be translated into use cases, think about using analytical approaches for the long run, to enable visibility of threats that can’t be quantified.
Being forewarned is being forearmed.
[1] Secure: Being secure means focusing protection around the risk-sensitive assets at the heart of your organization’s mission — the ones that both you and your adversaries are likely to agree are the most valuable.
[2] Vigilant: Being vigilant means establishing situational awareness throughout the organization, and developing the capacity to detect patterns of behavior that may indicate, or even predict, compromise of critical value chains.
[3] Resilient: Being resilient means having the capacity to rapidly contain any damage, and mobilize the diverse resources needed to minimize impact — including direct costs and business disruption, as well as reputation and brand damage.
Want to know more? Contact the authors:
Tim Grieveson, C|CISO, CISM, MBCS
Chief Cyber & Security Strategist - EMEA
HP Software - Enterprise Security Products
+44 (0) 7795 012 424
Or contact Sergio Hernando, Deloitte, via SHernando@deloitte.nl or +31 (0) 610 999 219.