Cybersecurity is a choice

Insights from the cybersecurity trenches…

Cybersecurity is a choice – and it is a choice that needs to be considered carefully, together with an educated management team and board.

You can spend a lot on tools and still get a low level of protection if the business isn’t brought into it and you haven’t actually developed the capability properly.

Without talking about risk, you end up talking about whether you are secure or not, which is a Boolean equation.

Organizations that perform best in cyber resilience tend to have better engagement with their boards, executives and key business stakeholders. They have presented the risks in terms that are understood, which allows the business to make a much more informed choice. And those businesses understand that technology is not really the key to resilience: it is an enabler, but people and process matter more.

That means the role of the CISO, CSO, or individual with responsibility for security is actually changing. They need to be at the top table, they need to understand what the business strategy is, align the security strategy on a risk-based approach and become enablers of secure business and not blockers of it.

Security is actually a choice, based on risk, appetite and tolerance. If we are not conveying the risks in terms a board or executive can understand, so that they can make a decision about the level of investment, then we potentially leave the business exposed to greater risk and vulnerability.

Providing regular updates covering cyber-relevant KPIs at board and executive level is the ‘measure’ step, while contextualizing those measures – adding color and depth to the discussion – is the ‘communicate’ step. One step further is adding simulations or other exercises that bring the situation to life.

Those scenarios and simulations are becoming increasingly important, not only to create knowledge, inform or educate, which is a very passive way of describing it, but to actually engage in a discussion of what it means and what decisions management and the board need to make together.

Cybersecurity is a choice. 

You can have lower costs and higher risk at one end, and greater levels of investment and lower risk at the other. You choose a point on that continuum based on your risk appetite, your risk tolerance, and your understanding of what it is you are trying to protect. The conversation around security is really one about risk appetite; it is not a binary thing – secure or not secure. It is about how much risk you are willing to take as a business.

But to make those assessments, the board and management need information presented to them in a way that makes sense to them. Both agreed that this pushes more responsibility back on the CISO, who needs to know enough about the organization’s operations, strategy and purpose to be able to inform those decisions.

Risk is a fantastic lens through which to talk about it. Without talking about risk, you end up talking about whether you are secure or not, which is a Boolean equation you don’t want to have in a conversation.

Risk allows you to have a conversation that resonates with the board, and allows us to align with the organization’s general risk tolerance, not just with the IT, the widgets, the software we need to deliver. So it is an incredibly powerful tool in our arsenal for communicating a topic that is quite complex.

Increased publicity and awareness of cybersecurity risks is making it easier to communicate cybersecurity to boards: ‘never waste a good opportunity to have a conversation’. The most usual question is ‘could it happen to us?’ And the answer to that is yes, it could happen to you, and these are the reasons why, but here is what we could do about it, or here is what we are already doing to manage those risks.

Decommissioning strategies

When it comes to knowing how to prioritize where to spend time and money to improve cyber security readiness, there are any number of tools that will be really, really good. We are not lacking tools to help security. But there are other things you can invest in to improve security, and sometimes they have a bigger influence.

So, think about your decommissioning strategy, think about what you need to do in a breach in terms of efficient recovery, and ask how you ensure you have a patching regime that actually prevents you from having to do those things. These things are usually below the waterline.

You see the big shiny ‘we’ll buy this new tool, we’ll buy email protection, a WAF or other tools that are really good’, but actually a lot of the investment needs to go into plain hygiene factors. Corporate decisions to decommission systems are probably the most important thing if you are to become more secure: the more modern your underlying platform is, the more secure you are by definition.

Moving off legacy systems might improve your security posture, but it doesn’t remove the cybersecurity pressure. There is a misconception about cloud sometimes. It’s a shared responsibility model when it comes to security. The cloud service provider will be responsible for securing the underlying platform and infrastructure, but what you do in the cloud is your responsibility and your accountability. 

If you misconfigure things, if you don’t set things up properly, if you don’t have the right policies, if you allow S3 buckets containing personal information to be published to the open internet, then that is your responsibility. So regularly checking and auditing your cloud configurations is a key part of that process. You can get technology that will do it for you, but it is not just plug and play when it comes to the cloud. You have to manage it.
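The kind of configuration check the paragraph above describes, as an added example that is not part of the original post and not any vendor’s product: it takes S3 bucket policy documents, ACL grants and Public Access Block settings that have already been exported (for instance with the AWS CLI or boto3) and flags the patterns that make a bucket readable from the open internet. The bucket names, policies and grants below are constructed sample data; the two group URIs are the real AWS identifiers for anonymous and any-authenticated-AWS-user grantees. Findings are reported as effective only when the matching Public Access Block switch is off, so a public ACL on a bucket with `IgnorePublicAcls` enabled is listed for cleanup but not counted as an exposure.

```python
"""Offline audit of exported S3 bucket configuration for public exposure (added example)."""

# Real AWS group URIs that appear in ACL grants open to everyone / to any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return Sids of Allow statements granted to any principal with no Condition.

    Statements with a Condition (e.g. aws:PrincipalOrgID) are deliberately left
    out: they need a human review rather than an automatic 'public' verdict.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl):
    """Return 'Group:Permission' strings for grants to AllUsers / AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}:{grant.get('Permission')}")
    return findings


def audit_bucket(bucket):
    """Combine policy, ACL and Public Access Block into a list of findings.

    Each finding is a dict with 'kind' (policy|acl), 'detail' and 'effective',
    where 'effective' is False when the Public Access Block neutralizes it.
    """
    pab = bucket.get("PublicAccessBlock", {})
    findings = []
    for sid in public_policy_statements(bucket.get("Policy", {})):
        findings.append({"kind": "policy", "detail": sid,
                         "effective": not pab.get("RestrictPublicBuckets", False)})
    for grant in public_acl_grants(bucket.get("Acl", {})):
        findings.append({"kind": "acl", "detail": grant,
                         "effective": not pab.get("IgnorePublicAcls", False)})
    return findings


def exposed_buckets(buckets):
    """Names of buckets with at least one finding that is actually effective."""
    return [b["Name"] for b in buckets if any(f["effective"] for f in audit_bucket(b))]


# Constructed sample data (not real buckets or accounts).
SAMPLE_BUCKETS = [
    {   # Public read via policy, and nothing blocks it: an exposure.
        "Name": "example-customer-exports",
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-customer-exports/*"}]},
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                            "Permission": "FULL_CONTROL"}]},
        "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    },
    {   # Org-restricted policy plus a stale public ACL that the block ignores.
        "Name": "example-static-site-logs",
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-static-site-logs/*",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]},
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                            "Permission": "READ"}]},
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        for finding in audit_bucket(bucket):
            print(bucket["Name"], finding)
    print("exposed:", exposed_buckets(SAMPLE_BUCKETS))
```

Run on a real export, the `exposed_buckets` list is the item that belongs in the regular audit report the paragraph calls for; the non-effective findings are still worth cleaning up, because a later change to the Public Access Block would turn them into exposures.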

Cloud also brings in a new relationship for IT teams to manage, adding yet another party to the supply chain. You certainly need to be managing your supply chain. You need to be aware of what is in your supply chain. You need to understand what your suppliers’ platforms are. We’ve just had a major global vulnerability that affects hundreds of millions of devices around the world, do you know whether your third-party vendors are affected or not? You have to have that visibility right the way through all the different relationships you hold.

Gaining that visibility can be challenging – though like everything else in this industry, solutions to problems are rapidly being found, in this case in the form of independent validations and registers that declare what they find out about third parties. But internal security assessments remain critical. 

We don’t introduce new technology to Tower without doing our own assessment of the security vulnerabilities of that technology. We have a range of tests that we apply before we put in any new kit. Whether it is our own penetration testing, a review of documentation or further conversation with the supplier, it is always important to be as certain as you can, at the point of integrating a new technology, that you have taken those things into account.

Having a full list of who all your suppliers are is a good starting point. Dark web monitoring sees companies monitoring things like their brands on the dark web. Very often the most common thing that would come up will be someone who has used their work email address to subscribe to another service somewhere, that service has been breached and the email address, potentially password will now be in a data dump somewhere on the dark web.

So, what you need to do is obviously change the credentials on that account, because we know people use the same password for everything. Things like that come up many times, with many organizations, and they give you a head start. And in the cat-and-mouse game of cyber security, getting ahead of the game is the name of the game.

Find out how we provide the best-fit solution for cyber-security and cyber-defense, so that you can more easily adopt new security technologies to stay ahead. Also, get more detailed information about our products and their integrated solutions, discover how we can help our customers grow their business, and learn about our solid implementation record in a number of Indonesia’s prominent companies.

Contact our Representative Person now.

Posted by : Muhammad Faris, Digital Marketing of PT. Rajawali Adikarya

