Changing how we talk about Cybersecurity, with Robert Hill

Revolutionary CEOs


Across industries, how well companies fare in the future will depend largely on their ability to embrace technology. Advances in areas like artificial intelligence, machine learning and cloud computing are driving the evolution of virtually every business model as companies scramble to leverage the myriad capabilities these technologies offer.

The rewards of winning the digitalisation race—improvements in speed to market, enhanced customer experience and increased operating efficiencies—come with a salient caveat, notes Robert Hill, CEO at Cyturus Technologies. “The adoption of digital technologies massively increases your risk profile in terms of cyber threats,” Hill told us when discussing the nature of the threats organizations will face in the future. “As a company becomes more technology based, board members will face an increasingly pressing need to incorporate cyber vulnerability into their overall business strategy.”

The growing range, frequency and sophistication of cyber-attacks has not only underlined the vulnerability of today’s IT systems, but also increased the pressure on comprehensive business planning. As an example, the recent attack on the IT management software vendor Kaseya resulted in a malicious update containing ransomware being pushed to around 50 of its managed service provider customers. From there, more than 1,500 downstream customers further along the supply chain were also impacted. Some saw their data encrypted, with the inevitable disruption that brings, and media reports spoke of ransom payments being made for decryption keys that did not release all of the locked data. Given that bad actors can design attacks of such sophistication, businesses and their security teams now have to take the view that attacks on their infrastructure and risks to their data are no longer a case of ‘if’ but simply a matter of ‘when’.

For company boards, the idea of assessing and addressing cybersecurity risks associated with technology represents a formidable challenge, remarks Hill. “Most boards with which we at Cyturus have been engaged have a serious knowledge gap about the types of threats they will face in the future. Cybersecurity is not just about the codebase and internal IT systems anymore; it must now incorporate an understanding of physical endpoint location and the remote work culture when making these business decisions. It is important to recognize that the endpoint has moved to employees’ home networks, and therefore the previous boundaries of physical security are no longer applicable.”

Robert Hill


Making Business sense out of Cybersecurity risk

Risks related to digitalisation extend beyond cybersecurity, notes Hill, who pointed out that many companies may find their transformation efforts thwarted by a dearth of talent. Companies that also face a lack of technical acumen in the boardroom should consider taking steps to help directors get and stay conversant with technological developments. As an alternative to rushing out to recruit directors with a tech background, outside experts can help bridge technical and knowledge gaps, says Robert. “Getting qualified, talented people will always remain a problem as we move towards the future. One of the biggest issues that we at Cyturus have noticed is the divide between IT and the executive. The executive’s understanding of the core causes behind cybersecurity risks is hampered by the tendency of cyber experts to use the technical language of IT while describing mitigations. This leads to misaligned priorities when incorporating cyber risk management into business strategy. Many organizations, while engaging in risk management and cyber maturation strategies, are looking first at compliance as the defining factor for their cybersecurity model. Hand in hand goes their focus on threat avoidance. Unfortunately, while compliance and threat avoidance are important for protecting one’s business from attack, they do not ensure cyber resiliency. Take Equifax as an example. They had a strong focus on threat avoidance, they did deep threat hunting, they had all the tools money could buy within their 7-figure budget, and they still fell victim to an attack. What needs to happen is a fundamental change in the way we approach cyber risk management. Successful organizations today are incorporating compliance, threat avoidance and threat assessments as part of their business risk strategies. The most effective route to cybersecurity improvement is to change the way we speak about the topic. At Cyturus we do this by using the language of business rather than technology jargon when interacting with business leaders who are seeking to improve their cybersecurity, a lesson which all businesses should incorporate in their business strategy.”

The People Factor

An important aspect of changing how we talk about cybersecurity is to change the way we approach the human factor, notes Hill. “Everyday behaviour of employees presents one of the greatest risks to your organisation and its customers. While technical defences are important, they have limited effect if they are undermined (mostly non-maliciously) by employees who do not follow security policies, either because they find them inconvenient or because they don’t recognize the necessity of these practices, procedures, or controls. The commitment of your people to protecting your organisation is an essential component of a strong cyber defence. This means a critical part of your cyber strategy must be to focus on the human aspects of your organisation – on developing a positive security culture that is grounded in employees’ attitudes, evident in the behaviours people exhibit (especially when no one is looking) and reinforced by the actions of leaders.”

So how can one develop an organizational culture that makes a business more secure? Robert recommends that the first thing executives do is establish a current organizational maturity baseline, and then incorporate the necessary changes into core employee behaviour. “All situations are different and a one size fits all strategy approach doesn’t work for all industries or verticals. Once a baseline is established, you should incorporate certain workplace changes which greatly impact the business risk an organization faces.”

These changes can manifest in a number of ways. Robert stresses that executives can greatly improve the cybersecurity profile of their organization by incorporating the following into their work culture and associated business practices:

  • “Create a culture based on trust not surveillance”: Stress the responsibility of the individual as well as the whole team for protecting critical assets, and make no exceptions for leaders, who must act as role models. Rather than increasing monitoring (CCTV, checking email, etc.) in response to a security breach, acknowledge what has happened openly and treat it as an opportunity to learn. Make it acceptable for employees to challenge colleagues directly when they see poor security behaviour (such as holding sensitive conversations in open locations), rather than encouraging employees to report on colleagues. This builds team accountability and cooperative responsibility.

  • “Frame security as a critical enabler”: Encourage your people to view security not as something restrictive but as a foundational pillar that enables your organisation to deliver its promise to customers. Develop a compelling narrative that resonates with your employees and clearly demonstrates that by protecting information assets effectively your organisation proves itself worthy of the trust that customers, suppliers and partners place in it when they share personal or business data.

  • “Reduce the misperceptions, friction, and pain points between the IT team and the board”: Regular engagements with members of the IT team are key. Engage not only the CTO and the head of IT, but also the people under them to make presentations on a regular basis to the board and the executive committees. Conduct informal engagements with technical talent. Invite them to lunch or a board dinner because those less structured interactions are where leadership really get a sense of people and what they’re doing.

  • “Think outside your immediate organisation”: An effective security culture does not stop at your organisation’s walls and physical boundaries. Take account of your employees’ approach to security both in the workplace and outside it. Identify ways in which you can involve your customers, suppliers, partners and contract staff (especially those often overlooked such as custodial resources) to promote an integrated, end-to-end view of the ‘right things to do’. Be specific about the behaviours and define ‘ways of working’ that make the most difference in securing your organization’s critical assets.

  • “Recognise and respond to new ways of working”: Make it easy for people to do the right thing. Social media and working from home are normal behaviours that are here to stay. By recognising this, your organisation takes the first step towards finding ways to enable employees to transfer information securely and protect customer data, as well as minimising the temptation for employees to find ‘work-arounds’ which make your organization more vulnerable to attack.

Maximizing Cyber Maturity

While the above steps might seem onerous to some, the volume, velocity and complexity of today’s sophisticated cybersecurity threats mandate that security operations be refocused away from the legacy reactive, check-the-box mindset and toward measurable, meaningful and proactive security outcomes. This is where the concept of measurable cybersecurity maturity comes into play. As Robert explains, “You might think that your company has its cybersecurity risks under control, with the latest technology protecting your networks and protocols for employees to follow, which include practices for reporting potential breaches. While these may give you some peace of mind, they do not provide holistic protection of business information from hackers. This is where the concept of cyber maturity assessment comes in. A cyber maturity assessment is a helpful tool that a business of any size can use. It serves two purposes. One is to establish your organizational cyber maturity level, and the other is to measure your organization against industry standards and the security compliance and regulatory frameworks applicable to your organization.”

To understand what cybersecurity maturity actually represents, we first need to understand why cybersecurity maturity models exist and how they help organisations orient their business processes around a continuous cycle of monitoring, assessment and improvement.

Maturity models have been used in software engineering since as early as 1986. The Capability Maturity Model (CMM) was originally developed to assess U.S. Department of Defense contractors’ process maturity as a gauge of how likely they were to deliver a successful software project. The higher the maturity score, the better their processes and the higher the likelihood that they use established processes for the design, development, quality assurance (testing) and building of software. The term maturity relates to specific aspects of the assessment, where the level of establishment and optimisation of each process can range from ad hoc to formally defined and optimised.

Since the U.S. Department of Defense took such a keen interest in process maturity, it is no surprise that it released its own approach to cybersecurity maturity in the form of the Cybersecurity Maturity Model Certification (CMMC) framework. As originally published, CMMC has five levels of certification that measure cyber process maturity, with each tier building on the previous one with specific technical and business process requirements. (The CMMC 2.0 revision announced in November 2021 consolidated the model to three levels; organizations should check which version applies to the contracts they are pursuing.)

Understanding the position of your organization within the framework requires a thorough assessment. As Robert explains, “The first step in this journey is to better understand the maturity of your organization’s cyber operations. The most basic way this can be achieved is by answering probing questions about your organization, such as:

  1. How do you handle alerts, events, and escalations?

  2. Do you have repeatable processes or playbooks in place?

  3. How do you analyse and predict threats?

  4. Are your security initiatives aligned with your business delivery objectives?

  5. Are your activities more reactive or more proactive? 

By answering questions like these, you can begin to establish whether your security operations program is at a fundamentals stage, an integrated stage, or an adaptive stage. Once you identify where you are and establish a baseline, you can follow a defined roadmap to move toward measurable cyber-maturity.”

While a basic risk questionnaire may be enough for organizations handling non-critical information, the picture changes considerably for organizations that handle sensitive data. This is where firms like Cyturus come in. Their Adaptive Risk Model (ARM) identifies deficiencies, measures potential business impact and recommends prioritized mitigation actions. The engagement cycle results in a customized set of rank-ordered tactical actions to mitigate the associated business risks while quantifying the cybersecurity risk profile of your organization.

Infographic: the patent-pending ARM process, as provided by Cyturus.

The ARM process is applied through Cyturus’s Cybersecurity Capacity and Maturity Assessment (C2MA). As Robert explains, “The C2MA treats cybersecurity risk as a business problem, not simply an IT problem. This assessment measures the cybersecurity capacity, capability and maturity of the organization across the entire business enterprise and provides visibility into the areas offering the greatest potential reduction in business risk. The findings are then used to generate a mitigation roadmap enabling the focused deployment of cybersecurity resources. The ARM process enables organizations to adapt rapidly to changing environments, organizational needs and business threats.”

A cyber maturity assessment might not be something an organization wants to perform. It costs companies both time and money, but nowhere near as much as a breach does. A single breach can turn into a financial disaster once the fines and penalties start adding up. Tools like ARM therefore can, and should, be used to routinely monitor the effectiveness and efficiency of current cybersecurity programs.

Total Security?

Today most security professionals would agree that total prevention is not possible and that cyber risk should be managed through the continual improvement and coordination of several elements in an organization: technology, process, people, and intelligence sharing. Security is a continuous process. Fortunately, this outlook is now being shared by business leaders across the board.

If companies learned anything from coping with the COVID-19 pandemic, it was that preparation pays off. Efforts to build resiliency, the ability to adapt and thrive through setbacks, positioned companies to overcome an event no one foresaw last year, notes Robert. “The biggest takeaway from all the events of the past year is that we can do all the risk mitigation and planning possible, but no matter how careful we are, the world is going to change and we have to be agile enough to change with it. That is the essence of cyber resilience.”

*Robert Hill is the CEO of Cyturus and has spent over 30 years in the IT space promoting significant and measurable reductions in business risk through applied cybersecurity practices, programs, and technologies. Prior to founding Cyturus, Robert worked as an industry leading cybersecurity consultant often featured on Network News broadcasts, seen on stage as a forum panellist, and found in Fortune 500 conference rooms discussing cybersecurity risk in business terms. 

Robert is a member of the FBI InfraGard, is a Certified Information Systems Security Professional (CISSP) and attended the University of Alabama at Birmingham where he received his degree in Biomedical Clinical Engineering.
