Originally Published: 16 May 2017
A short while back Andrew Penn, Telstra CEO, wrote a ‘must read’ article describing how Cybersecurity should be viewed and managed at a Board Level. Let’s call Andrew’s excellent article a ‘Top-Down’ perspective. I am going to try to complement his article with my own perspective, which is more a ‘Bottom-Up’ perspective.
In my experience, what are the key reasons for a Cybersecurity failure? What can a board, C-Level and senior management do the prevent a high-profile failure or do to improve the situation?
Firstly, any corporate security initiative must start with support from the top. Without this, security initiatives are doomed. And I’m not talking about throwing good money after bad at security initiatives which are not producing results. It starts with leading from the top and instilling the right culture in the organisation. This is critical. I remember John Chambers, CEO of Cisco once said, “responsibility for security starts with me”. On the flip, I remember one client where it was a standing joke that everyone knew the CFOs five-character password and the fact he forbid the implementation of minimum password size and complexity standards, because “they were too hard to remember”. Needless to say, no one in that organisation took security seriously.
In many senior management circles, I have heard the question – What are our peers doing? I have heard it asked in Australia, New York and several Asian countries. While this is an interesting question, that’s about it. When everyone is wondering about everyone else, it’s a circular situation. It is critical to understand your own information assets, their value, and the business impact if they were compromised. I can not emphasise this enough. With these questions understood, ensure your organisation plots its own path forward. There is a massive problem in the information security business called “Status Quo” – just executing against a checklist is not sufficient in today’s dynamic business environment and rapidly changing threat landscape.
The Wannacry outbreak on 12 May 2017 is a clear example of a Cybersecurity failure on a massive scale. Microsoft released a ‘Critical’ patch on 14 Mar 2017. Organisation had nearly two full months to remediate the underlying vulnerability. What we saw was a huge numbers of systems, many performing critical functions, left exposed. Why? WannaCry was not a new event!
To stay on top of Information and Cyber Security today, an adaptable, agile and innovative culture is required. Security is about People, Process and Technology and it’s an organisations culture which underpins all three (more on these topics shortly). This culture must be established, driven and supported from the top. Yep, that’s probably a big ask, if so, just focus on having it right in your security teams.
This leads us onto ‘People’ – Getting the most from your people is probably one of the hardest tasks. However, a team staffed with skilled, proactive and innovative people, plugged into the external communities, can be invaluable.
Having spoken to a vast number of people in various capacities over the years, in my experience the above situation is uncommon (apart from large organisation who have dedicated teams for this purpose). Certainly I have seen very clue-full groups which is fantastic, more commonly people understand the issues and risks, but are resource constrained making it difficult to act. Unfortunately, I have also seen many people in positions of responsibility who want to ‘put their heads in the sand’ or are downright wilfully negligent. Often this is because “it’s just too hard” or dealing with the reality doesn’t align with their political agenda. These attitudes can be a hugely dangerous.
Senior management and boards should actively enquire about the organisation’s Threat and Risk Management programs. In particular, how they identify and respond to Cybersecurity threats. The program should consider the companies crown jewels and business outcomes it wishes to avoid. When major system changes are made, or new ones commissioned, senior management should insist on a risk assessment and appropriate testing. For the larger or high profile projects, an outside organisation should be engaged to perform these assessments.
Reporting and metrics – In my experience, there is often a huge communication gap between the usually technical people at the coal face and the business oriented senior management. Bridging this gap can be difficult. However, the use of good security metrics can provide a helpful mechanism. Appropriate metrics should be produced by the security teams or departments to provide senior management and boards a picture of the effectiveness of the organisations security programs.
For example, a solid metrics approach could have articulated the number of critical systems, missing critical patches, ahead of the WannaCry outbreak. For many organisations, this one metric would have been a very loud alarm bell!
In security when nothing happens, it’s a good result. But being able to differentiate good luck from good management is key.
Process – In security, solid process is essential. But those processes need to be kept current and adapted as changes occur. Having an organisation full of people who blindly follow an out of date process, is not a recipe for success.
Technology – I would make two points. It is essential that adequate funding is available to ensure current security technology is deployed. When an organisation makes an investment in a security technology, it is imperative that it is properly deployed and the intended outcome is achieved. I have seen plenty of organisations make sizable security technology investments which were either improperly deployed or not adequately leveraged. Secondly, in a fast-changing landscape, the solution to many security problems may be a new technology. It is important to monitor technology developments and make discretionary budget available to purchase a new technology if it can solve a problem or lower a risk.
In recent times there has been a trend of outsourcing IT problems. In other words, taking a hard problem and to quote Hitchhiker Guide to the Galaxy making it “someone else’s problem”. Some BYOD and Cloud initiatives fall into this category. My perspective – if you can find area’s of IT that are sufficiently commoditised and can be cost effectively outsourced, then go for it. But with that said there are areas of IT, like protecting your Crown Jewells, that are high skill and require appropriate people on staff. I would advise against attempting to outsource these areas and would strongly recommend developing and supporting In-House capabilities. Once you lose key talent, it does not come back in big hurry.
From a budgeting perspective, when applications or new systems are rolled out, the full lifecycle cost should be understood up front, including the cost of a secure initial deployment and the ongoing operational costs. Do not allow the security elements to be unfunded and allow the operational costs to fall onto some other department. Usually this means they get ignored.
Finally, be careful who you take advice from. There is no qualification or certification for a Cybersecurity professional (if we draw a comparison to a Chartered Engineer for example). There are plenty of people touting job titles of ‘Cybersecurity Consultant’ who have only recently entered this domain and have minimal experience.
_