Security Think Tank: COVID-19 highlights need for embedded security
This article was first published in Computer Weekly
The novel coronavirus or COVID-19 is the latest event that is focusing the minds of global organisations. Large-scale events often cause businesses to look internally to understand how prepared they are for such circumstances.
However, this should be an ongoing activity, to continually analyse how global incidents affect their complex networks, people, processes and technologies.
This is no different for the role of a chief information security officer (CISO) and their security and resilience teams, which need to be embedded in the wider business.
International supply chains, a wider range of customer profiles and buying habits, risk and threat profiles, and developments in competition and legislation are all examples of how globalisation is challenging organisations’ cyber resilience.
Building a defence with input from senior executives
In response to global events, there can be a tendency to react in the short term to limit exposure to risks and threats, yet in a digital world this is not a sustainable strategy.
Growth and development are critical to business success, and security professionals need to engage more strategically with senior executives to understand their aspirations and how best to protect the business.
This is not just about the nuts and bolts of the technology, but requires a focus on other aspects central to growing the business such as the people, culture and processes.
Understanding what is critical to business success requires detailed discussions of what impacts the business can absorb if it is caught up in an attack or a global event. These may include downtime, lost customers, financial losses and data breaches, and will vary according to geography, business objectives and legislation.
Risk and security teams should then analyse the risks, threats and vulnerabilities, recognising that these too will depend on the assets involved, jurisdictions, security cultures, network segmentation, user policies or outsourcing arrangements.
This will then enable security teams to assess how exposed the organisation is and put business cases forward for investments to build proportionate defences to keep within tolerances.
Detecting incidents quickly
While these strategic decisions are vital, it is equally important to prepare to react quickly to a breach or unexpected event. Security teams should propose, agree and build monitoring skills, processes and technologies for critical assets to enable quick escalation and notification.
To shore up defences, teams need to continually analyse the data from monitoring activities and external intelligence reporting. Over time, this builds a picture of the business environment, risks and threats, enabling more targeted defences and reactions to changes in the outside world.
This data should be reported to senior executives to back up the case for investment in improved defences such as monitoring equipment, security awareness, access restrictions and notification systems.
Respond collaboratively
Wherever a threat comes from, similar principles apply to managing it. That means technical, operational and strategic teams from across the business need to collaborate, using their diverse expertise and priorities to respond effectively; these teams need to have practised that response together.
It is important that detected incidents are escalated quickly from security teams to the appropriate level to ensure the business tackles the priority areas first.
Rehearsing technical, operational and strategic teams with regular crisis exercises is critical to improving reaction speed and efficiency, building familiarity with how teams interact and translate technical messages, and clarifying priorities for short-term and long-term incidents.
Frequent training sessions and exercises will build relationships between the business and security teams to create the trust needed to respond more effectively.
Improving the security culture
The growing vulnerability of organisations in all sectors to external threats underlines the need for security professionals to have greater authority to change the security culture and make cyber security a key enabler of growth for the business and something to be proud of.
This pride in good security has long been evident in the defence sector and is becoming more typical in financial services, driven by increased regulation, and telecommunications, given increasing pressure to retain customer loyalty.
In practical terms, this means working more closely with internal teams such as communications, human resources and line managers to embed the behaviours and values needed to create a culture of pride in good security and to shore up defences. This can include leadership advocacy, awareness raising at company meetings, campaigns, training, walkarounds, and behavioural change campaigns.
That requires a focus on the leadership demonstrating good behaviours and developing ways to translate technical knowledge into benefits for the organisation. It also means linking cyber security to the achievement of overall strategy, so that it resonates with senior executives when they are deciding whether to invest time and resources in learning programmes and new technologies.
CISOs also need to press suppliers to meet their commitments by making sure they are held to account for the security requirements in their existing contracts. That will require regular meetings and reviews to provide clarity on expectations and priorities, and requesting evidence that suppliers can meet the organisation’s needs.
More than ever, security professionals and senior executives need to work together so they can grow their organisations safely in today’s digital world. They should assume that they will be compromised and that external events will have an impact on their business, so defences need to include the ability to respond quickly and within agreed tolerances.
Regular testing and exercising will help to spot vulnerabilities and enable continuous improvement. This demonstrable progress will then provide the credibility, authority and business buy-in security professionals need to implement a solid defence against external events.
Tom Wootton is a cyber security expert at PA Consulting