In Part 1 of this article, we examined how holistic cybersecurity planning needs to start all the way back at business strategy, and why it’s critical for boards to understand how and why their organizations are so much more vulnerable to cyber-attack than they were only five or so years ago.
In Part 2, let’s look at how the board should think about building a holistic cybersecurity approach, and how to prioritize what to protect.
A ‘secret service’ approach
If you’ve ever seen any U.S. president on the move, there is no doubt about who and what is most important to the agents assigned to protect him. The president is surrounded by multiple layers of Secret Service personnel—in front, in back, above, below. Everywhere, all with one common mission: protect the president.
By starting from its business strategy, a company can obtain just as clear and precise a view of its most important assets as those Secret Service agents have of theirs. With that view in hand, it can focus cyber resources and investment on what matters most rather than spreading them evenly across everything.
Consider a car manufacturer. Intellectual property (IP) may be its biggest crown jewel. Cars compete on visual style, handling and performance, fuel efficiency, safety and, these days, innovation, all of which start with the design IP. Dozens or hundreds of suppliers provide components for the vehicle, so that network of third parties is a critical asset. If the production line were to go down, it might cost the company millions per day. Such a company has many crown jewels to protect.
What is more, a car company has a very large attack surface. Threat actors can get in through the corporate or manufacturing networks; third parties with trusted connections back to those networks; mobile applications; interfaces in the vehicle itself; and even aftermarket applications (insurance companies and performance-enhancement companies use software “devices” that plug into a car’s onboard systems).
Of note, the threat to cars and car makers is more than theoretical. There was the highly publicized hack in 2015, in which “ethical hackers” working with Wired magazine attacked a moving Jeep and brought it to a stop on a highway. And, in 2016, the executive chairman of specialized cyber-risk management firm Stroz Friedberg reported that, “My firm was contracted by a prominent automaker to perform a confidential ‘ethical hacking’ exercise. We staged a nation-state style attack of the enterprise, and after many weeks of work with a large team, achieved complete control such that we would have been able to interfere with corporate and manufacturing networks and interactions with the vehicles.”
Elements of the strategy
In the end, there are a small number of policies, processes, and procedures that, when deployed within a business-risk-based approach, yield a strong holistic cybersecurity strategy.
Zero Trust. Because business and IT leaders once believed that their internal networks could be trusted while external networks should not, trust became an implicit assumption in the design of most private networks, according to John Kindervag, who coined the term Zero Trust while working for Forrester Research (today, Kindervag is Field CTO of Palo Alto Networks). Says Kindervag: “Trust is the root cause of all data breaches and most other negative cybersecurity events; we don’t need trust in digital systems when the only beneficiaries of it are attackers.” Zero Trust grants no implicit trust to any user, device, or process on the basis of where it sits on the network; every access request must be verified, every time, regardless of where it originates.
Maturity Models. A cybersecurity maturity model helps organizations evaluate, prioritize, and improve their cybersecurity capabilities by defining multiple levels of competence that guide the organization to improve and, ultimately, to imbue cybersecurity into its culture. The U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) is a good framework: it defines four maturity indicator levels, MIL0 through MIL3, from practices that are not performed at all (the equivalent of cybersecurity “lip service”) to practices that are fully managed, documented, and guided by business risk, in an organization that integrates cybersecurity throughout its corporate culture.
Integration and Automation. This is the heart of a holistic cybersecurity strategy. Organizations have become highly complex and generate far too many potential security alerts every day to handle them manually; it would be all anyone ever did. Instead, organizations should deploy automated analysis of potential malware and intrusions, and integrate their systems so that the result of any automated analysis is propagated at once to every enforcement point on the network, so a verdict reached in one place blocks the same threat everywhere.
Third-party Practices. Remember, third parties play a big role in any business. Few companies can conduct business without their help. And third parties often are the “pivot point” enabling attackers to enter an otherwise secure organization. Prioritizing third-party security, using the Zero Trust approach, is necessary for strong cybersecurity.
Network Segmenting. It might sound more technical/tactical than a board member should be concerned with, but making sure that your network is designed in multiple logical segments is essential to support a Zero Trust approach. It enables an organization to restrict every user’s access to only what they need for their job, rather than granting open access to the entire network, which limits how far an attacker can move laterally and how much damage can be done should any one person’s credentials become compromised.
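The Zero Trust, third-party, and network segmenting points above reduce to one mechanism: a default-deny policy that states which identities may cross which segment boundary, on which port, and under what conditions. The following is an added example, not code from the original article or from any vendor named in it; the segment names, roles, users, and rules are constructed assumptions for the car-maker scenario, and the "blast radius" function answers the board-level question of what a single stolen credential could reach.

```python
# Added example (not from the original article). A default-deny, segment-aware
# access policy of the kind a Zero Trust segmentation design implies: every
# request is checked against identity (role), device posture, and an explicit
# allowlist of source segment -> destination segment/port. Segment names, roles,
# users and rules are constructed for illustration, not real network data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    port: int
    roles: frozenset                 # roles allowed to use this path
    require_compliant: bool = True   # device must pass a posture check


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_compliant: bool
    src_segment: str
    dst_segment: str
    port: int


# Constructed policy for the car-maker scenario. Anything not listed here is
# denied, including every path from the supplier VPN into the corporate segment.
POLICY = (
    Rule("corporate", "manufacturing", 443, frozenset({"plant_engineer"})),
    Rule("corporate", "corporate", 445,
         frozenset({"plant_engineer", "designer", "finance"}), require_compliant=False),
    Rule("design", "design", 22, frozenset({"designer"})),
    Rule("supplier_vpn", "supplier_portal", 443, frozenset({"supplier"})),
)


def decide(req: Request, policy=POLICY) -> tuple:
    """Return (allowed, reason). Allow only if some rule matches the flow AND
    the role AND the device posture; anything else is denied (default deny)."""
    reason = "no rule for this flow (default deny)"
    for rule in policy:
        if (rule.src_segment, rule.dst_segment, rule.port) != \
                (req.src_segment, req.dst_segment, req.port):
            continue
        if req.role not in rule.roles:
            reason = "flow exists but role %r is not permitted" % req.role
            continue
        if rule.require_compliant and not req.device_compliant:
            reason = "role permitted but device failed posture check"
            continue
        return True, "allowed: %s->%s:%d for %s" % (
            rule.src_segment, rule.dst_segment, rule.port, req.role)
    return False, reason


def reachable(role: str, device_compliant: bool, src_segment: str, policy=POLICY) -> set:
    """Blast radius of one compromised identity: every (segment, port) it could
    reach from src_segment under the policy. This is the answer to the question
    'what happens if this person's credentials are stolen?'"""
    out = set()
    for rule in policy:
        probe = Request("probe", role, device_compliant, src_segment, rule.dst_segment, rule.port)
        if decide(probe, policy)[0]:
            out.add((rule.dst_segment, rule.port))
    return out


if __name__ == "__main__":
    engineer = Request("alice", "plant_engineer", True, "corporate", "manufacturing", 443)
    stolen_finance = Request("bob", "finance", True, "corporate", "manufacturing", 443)
    supplier = Request("acme-vpn", "supplier", True, "supplier_vpn", "corporate", 445)
    for r in (engineer, stolen_finance, supplier):
        print(r.user, decide(r))
    print("finance blast radius:", reachable("finance", True, "corporate"))
```

The point to take from running it: a stolen finance credential reaches one file-sharing port in its own segment and nothing in manufacturing; a plant engineer on a non-compliant laptop loses the manufacturing path until the device is remediated; and the supplier VPN can reach only the supplier portal, so a compromised third party has no pivot into corporate. In a flat network every one of those requests would have succeeded.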
For most organizations, cybersecurity must change because “outside-in” thinking, based on threats, is not effective in today’s world. A business-risk-first approach, coupled with Zero Trust, and built on an automated and integrated platform—rather than on standalone point products—is what modern organizations require to effectively mitigate cyber risk and enable their businesses to prosper.