Achieving Interoperable, Reliable and Secure Cyberspace: 3 Key North Atlantic (Europe, Canada and U.S.A) Strategic Cybersecurity Challenges
We collectively identified three main strategic cybersecurity challenges:
1. Building and Maintaining Trust
2. Cross Industry Collaboration
3. Unified Information Sharing
The Current State of Cybersecurity
We are living in a world where our sovereignty, our individual rights, our economic wellbeing, and our national security are inextricably interwoven with the availability and security of our information and critical infrastructures. Information and critical infrastructures are becoming increasingly dependent on IT and cyberspace. Refined, stealthy and persistent cyberattacks focused on cyber resources and organizational infrastructures. These attacks emphasise the need for efficient and effective Cyber Defense for our IT systems and for those who depend on them.
On average businesses spend $15 million per year on battling cybercrime. However, time to detect a breach only marginally improved (204 days in 2014 to 144 days in 2015). Regardless, cybercrime related costs are still projected to reach $2 trillion by 2019 and $6 trillion by 2021.
We should ask ourselves:
- Why are the cybercriminals winning the game?
- Who should take the leadership and responsibility for the cyber resiliency of our organizations?
- What needs to be done to effectively and efficiently secure our organizations against evolving cyber threats?
Why are the cybercriminals winning the game?
My discussions with the senior business and government executives revealed exciting insights about why are the cybercriminals winning the game?
This study reveals that most of the efforts to counter cybercrime are focussed on merely technological solutions. Many organisations are only “marking off” the cyber risk and compliance checklists. Let me summarize our current cybersecurity posture with the following analogy:
9 Chained “Cyber Knights” Fighting 666 “Cyber Devils” With Wings
Doubling of Cyber Criminals
The majority of cybercriminals innovate faster than most businesses and governments. Many of the traditional crimes that occur in real life are now facilitated through the Internet, including but not limited to human trafficking, credit card fraud, identity theft, and financing of terrorism. Most cybercriminals are indiscriminate, have “winning teams”, rapidly deploy latest technologies and don’t suffer from restricting “hierarchy” and shortage of financial resources.
They target vulnerable computer and human networks regardless of whether those are part of a Fortune 500 company, governments, hospitals, schools, churches, or a small business. Moreover, nowadays you don’t need to have technical knowledge to hack networks or cause tremendous damage to information systems. There are plenty of free and sponsored resources available online to get started as a cybercriminal. This leads to the doubling of cybercriminals every day.
Chained Cyber Knights
Most organizations, no matter the size or the industry they are in, are most likely just a breach away from a disaster. The “Cyber Knights” within those organizations are “handcuffed” and “chained” in their ability to effectively and efficiently protect the Human and Digital network of their organizations. Those “chains” consist various elements, including but not limited to:
1. Lengthy and complex procurement processes to adopt to new solutions
2. Strategic decision makers mostly relegate cybersecurity to “just an IT issue”
3. Low IT Budgets, in most cases, they never seem to fulfill the actual requirements of the IT department
4. Shortage of passionate and multidisciplinary cybersecurity teams
5. Technologists are in charge of making risk decisions, which often leads to business folks intentionally neglecting the internal IT and security policies
In summary, the lack of sufficient understanding of the cybersecurity playfield and the support from the executive leadership leads to “declined trust” and “frustration” between the executive leadership and those (Cyber Knights) who are capable and willing to effectively and efficiently protect the Human and Digital network of their organizations.
Who should take the leadership and responsibility for Cyber Resiliency of our organizations?
On May 11th, 2017, the president of the United States of America, Mr Donald Trump signed an Executive Order entitled “Strengthening the Cybersecurity of Federal Network and Critical Infrastructure”. According to the Executive Order “heads of agencies” are responsible for their organization’s Cyber Resiliency.
Furthermore, Secretary of Homeland Security John F. Kelly said: “DHS has long been a leader in protecting our nation against cyber threats and this executive order reaffirms our central role in ongoing cybersecurity efforts. We have developed strong operational relationships with our government partners to protect federal civilian networks and have established trusted partnerships with the private sector to improve the cybersecurity of the nation’s critical infrastructure.”
Moreover, recently the European Union Agency for Network and Information Security identified three directives related to electronic communications with indirect relevance to corporate governance. The latter makes only indirect reference stating that a company should “implement appropriate RM/RA [risk management & risk assessment] measures with regards to network/information security”.
In summary, the aforementioned directives mandate the executive leadership to make cybersecurity a part of their strategic planning process. Moreover, they must take the full responsibility to gain comprehensive understanding of the cybersecurity playfield in which their organizations are involved. Furthermore, they should take all the “appropriate measures” and allocate the “necessary resources” to enable cross industry collaboration. Finally, they should support the “Cyber Knights” in their organizations to effectively and efficiently protect the Human and Digital network of their organizations.
What needs to be done to effectively and efficiently secure our organizations against evolving cyber threats?
Building Upon Shared Responsibility
No single country, industry, community, or individual is immune to cyber threats, and no single government agency, company, or individual can solve our current cybersecurity challenges alone. The continuous availability and security of our information and critical infrastructures is a “shared responsibility” that we all must embrace to keep our societies and our nations secure.
From critical infrastructures, to processes, to data, to people, cybersecurity touches everything an organization is doing. Therefore, a multidisciplinary cybersecurity team is indispensable to fully understand the different aspects of the threat actors and attack surface. Moreover, a shared responsibility requires a cross industry collaboration with unified information sharing based on common practices, procedures and policies build upon trust.
Industry Wide Cyber Security Preparedness
Common practices, procedures and policies should be designed to enable cross industry collaboration with unified information sharing and to assess an organization’s cybersecurity preparedness. Moreover, an integrative risk and governance framework with strong board and senior level engagement on cybersecurity issues is essential and critical to the success of organization’s cybersecurity efforts. In addition, organizations should develop, implement and test incident response plans to support cross industry collaboration with unified information sharing. Key elements of such plans should include containment and mitigation, eradication and recovery, investigation and notification of new cyber threats within the trusted network of industry partners.
Protecting and Monitoring Vendor Digital Networks
Some organizations typically use vendors for shared services that provide the vendor with access to sensitive firm or customer data or access to organization’s ERP systems. Organizations should manage cybersecurity risk exposures that arise from these relationships by exercising strong due diligence across the lifecycle of their vendor relationships.
Strengthening the “Human Network” against Spear Phishing and Ransomware
Most of the efforts to encounter cyber crimes are nowadays focussed on merely technological solutions and / or on “marking off” the cyber risk and compliance checklists. Furthermore, the foremost reason that the current approaches are failing to help businesses improve their cybersecurity is that they fail to understand or address cybersecurity factors at macro, meso and micro level in cyberspace. Moreover, another important reason is that the most approaches neglect human factors in the security chain. The security chain is as strong as the weakest link in it and humans are the weakest link of an organizations security chain.
Therefore, a well-trained staff is an important line of defense against evolving cyberattacks. Even well intentioned staff can become inadvertent vectors for successful cyberattacks through, for example, the unintentional downloading of malware though Phishing attacks. Effective training helps reduce the likelihood that such attacks will be successful.
· Recognise that cybersecurity is an industry-wide risk, not just an IT issue
· Design cross industry-wide interoperable, reliable and secure cybersecurity ecosystems based upon “shared responsibility”
· Appoint multicultural and multi-disciplinary cybersecurity teams to enable “Industry Wide Cyber Security Preparedness”
· Protect and monitor “Vendor Digital Networks” by exercising strong due diligence across the lifecycle of vendor relationships
· Strengthen the “Human Network” against “Spear Phishing” and ransomware attacks
About Sheraz Ali, M.B.A
I support business executives (CEO, CIO, CFO) with effectively reframing (complex) problems into great business opportunities while, providing action oriented recommendations based on sound business analysis.
Are you looking for a trusted advisor to help your organization significantly improve its Cyber Defense? I help you deliver business value with IT and guard your People and Critical Assets. I ensure you quantify and communicate this value to your stakeholders. Contact me today!