How Cyber Resilient are we?


Upload: cio-academy-asia

Post on 19-Feb-2017


CIO Academy Asia and its partner, Fortinet, conducted a series of cybersecurity roundtable discussions between August and November 2016. A select group of CIOs and CISOs were brought together in each of five key cities in SEA to discuss best practices and to address the different challenges faced by organisations in their effort to embrace cyber-resilience in this inter-connected digital world. This report summarises the key issues discussed during all the sessions:

Discussions Summary

Changing But Persistent Face of Uncertainty

Remarking on the timeliness of the roundtable, as we are now operating in a disruptive age, it was noted that security has become almost synonymous with disruption. As a broad expression of uncertainty, it remains valid as an underlying and necessarily persistent consideration as people see technologies threatening to disrupt jobs and lives.

Such uncertainty applies even despite the current enthusiasm for disruptive developments like driverless vehicles, as recent traffic accidents involving such vehicles have led to reviews of their mode of operation. They serve as a reminder that disruptive technologies also go through the hype cycle.

Likewise with social media: it is only relatively recently that such technologies have matured and become powerful tools for digital marketing. Some in the audience were not even on Facebook until a few years ago, but its use has since become pervasive, even in the public sector. Such changes in the usage of new technological media reflect the times and are also necessitated by having to keep up with millennials, but the fundamentals have not changed, i.e. cybersecurity has been an issue from the very beginning.

Polling Cybersecurity Concerns of the C-Suite

Four points were highlighted as underlying why cybersecurity is more important than ever, and which serve as useful ground-level context for framing the roundtable discussions, namely:

• Technology platforms like Uber, AirBnB, Grab and other unicorns are now bigger and more attractive, and are larger cyberattack targets; the attack exposure is much wider.

• The number of IP devices has grown by leaps and bounds, while the volume and value of data has also multiplied exponentially.

• Today all devices are highly interconnected, on the internet or otherwise.

• Perpetrators of cybersecurity risks and threats have become more sophisticated than they have ever been before. The attackers are better organised than the ones defending.

Cyber resilience as a topic has often been covered with different definitions, but the definition proposed by the Scottish government was raised for consideration, i.e. that cyber resilience is the ability to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world.

2016 CYBERSECURITY ROUNDTABLE SERIES

Resilience Through Systematic Readiness

In line with global trends, the Internet of Things is presenting real and present cybersecurity threats, such that traditional mitigation approaches are no longer good enough. It was shared how four key thrusts compared against Gartner's approach, i.e. Predictive, Preventative, Detective, and Responsive/Corrective, and how these mapped to their mandate for driving initiatives. Furthermore, responsive and mitigating actions are undertaken with digital forensics and data analytics; these measures served to enable their national cybersecurity crisis management.

Moving With the Times

On the private sector front, McKinsey has remarked how tightly technology and security have become integrated with business processes. This was compared with the situation about 15 years ago, when cybersecurity was still seen as a nice-to-have, when IP security did not even exist in some organisations or was parked under the purview of IT infrastructure to handle low-level security issues. Security was not seen to be a business issue, and threats in those times were also relatively amateurish. The picture now is vastly different, with state-level attacks as detailed in Project CameraShy and coordinated attacks such as those on Sony as detailed in the Project Blockbuster report.

As the threat landscape changed, the notion of resilience has also changed: where enterprises used to worry about viruses and malware, today they are facing threats that could bring down entire organisations. Even the lines between cybercrime and cybersecurity incidents are blurring, and attackers are largely motivated by gain.

Disrupting the Disrupters

The interest now is not simply in having the capabilities to respond to cyberattacks but also in actively disrupting and dismantling attacks. This can be through internal partnerships with departments that share the interest in preventing recurrence of such cyber incidents, as well as through external partnerships with the public sector and law enforcement agencies to ensure thoroughness in the common approach to shared cyber threats. The value and importance of public-private collaborations was repeatedly mentioned, and while it was acknowledged that such approaches may not be accessible to SMEs, there are strong bases for active dialogue within and across the industry on such matters.

Broadening Defensive Approaches

He commented that while defence in depth has looked at security from an end-to-end perspective, there still needs to be greater breadth through cross-unit collaboration, because security is increasingly recognised to be a business issue as well. As such, organisations' IT units may know how to respond to cybersecurity incidents, but business and other corporate units should also understand their roles and the appropriate responses on their part, e.g. how to work with service providers, understand the legal implications and communicate with external parties.

Security incident management has likewise evolved, from IT-driven perspectives (e.g. ITIL security management) to an enterprise view involving different aspects of business and corporate dimensions. The business continuity programme will also need to take into account cyber threats and not just focus on the physical dimensions, e.g. disruptions to the supply chain. Where required by regulation, such as in the financial sector, banks are also required to conduct regular cyber readiness tests in which they are assessed on how well they collaborate in the event of attacks.

Between Internal and External Threats

It was also noted that much of the attention on cybersecurity has tended to focus on external threats, but the reminder was given that internal security threats, e.g. due to intentional misuse or sheer human error, also merit attention, not least from the perspective of balancing security spend and investment. Attention must also be drawn to the spectre of invisible threats due to infiltration of trusted third parties with direct connectivity to systems, which enables attackers to gain a foothold and access to the actual intended targets. The examples cited were JP Morgan being attacked through their IT asset management system and the First Bank of Taiwan's ordeal, which came about through the compromise of their London office's IVR systems.

As such, organisation leaders should not only redefine how they view invisible threats but also rethink their approaches to risk assessments and business impact analyses by taking into account threats that lie beyond the organisation's immediate environment.

With regard to industry competition, we should question the use of broad benchmarks; instead, organisations should be guided by a clear understanding of how their risk profiles and context stand and differ from those of their competition.

Smarter Use of Resources

Security analytics platforms provide valuable context and derive intelligence not only from big data but also from user activity logs, VPN and HR logs, and video and CCTV feeds, which can provide better insight into threat profiles. With better understanding and insight, organisations can respond better and lower their turnaround time for security incidents, allowing them to better focus the attention and efforts of scarce personnel.

Organisational structure and adequate budgets for security may also have a role in how well organisations respond to cybersecurity threats, but he stressed the greater importance of assigning clear roles and responsibilities, building a good culture that is supported by relevant KPIs, and having a clear contextual understanding to determine which security investments to spend on. Ultimately, it would serve resource-crunched organisations to embrace managed or cloud security services and to focus better on people development and upskilling.

As such, it would be good to advocate for creating greater awareness from the top, i.e. for those who are in a position to make decisions to be intelligence-led rather than reactive to the latest threat incident. Beyond awareness and intelligence, there are challenges for the security industry in hiring not only the right skills or experience profile but also the right qualities, e.g. stamina for handling high stress levels and self-motivation among security response staff, or engineers for the analytics team who can apply the right perspectives and approaches to the job. Ultimately, cyber resilience is a state of mind that encompasses Patience, Anticipation, Discipline, Stamina, Respect and Defence; this is especially so as recent security exploits have tended to target humans as the weak link.

Contextualizing & Incentivising Security Strategies

It might well be true that IT security leaders do not take heed and transform themselves from being simply technologists to 'business technologists'. Security resilience is all about contextualising security strategies based on a sound understanding of the business and industry, and mapping it across their security requirements.

Threats are constantly evolving, with responsive measures seemingly readily countered by attackers, hence the interest in ways to respond. From the public sector perspective, there were also concerns over the unpredictability of internal threats and thus interest in consistent and effective security education and awareness building. How internal awareness is conducted could also be important, ranging from passive measures (e.g. information sharing on screensavers or posters) to more active ones (e.g. in-person sessions and outreach to top management and the Board).

Attune According to Risk Profile

On regulatory and standard-driven strategies, the example of the banking sector abiding by regulations is important, but it should not be a one-size-fits-all approach, i.e. central banks have different mandates and risk profiles compared to retail or commercial banks.

As such, it would be wiser to apply an intelligence-driven approach which goes beyond technical threat intelligence to encompass collective and business intelligence, e.g. having awareness of the wider implications of organisational M&A activities or large investments and how they might present risks of cyber threats, or the possibility of geopolitical threats.

Taking Care of External Facing End Points

An aspect of internal threat is the use of shadow IT by business units who may run external-facing applications without the IT department's awareness, or a lack of uniformity in security procedures for separate networks, e.g. corporate versus factory systems. Security concerns over legacy systems and devices likewise play into this in terms of touchpoints with customers and processes for data assurance; this poses one of the greatest challenges to IT security governance, which in turn illustrates a lack of end-to-end or thorough security awareness among business units. Some ways to counteract this can include pegging security education, awareness and compliance to the organisational culture and propensity for learning, e.g. tests of how staff can be influenced to respond or not respond to social engineering, and how vigilant they remain in the face of less obvious risks.

The Value of Collective Intelligence

It is also useful to collate the attributes and characteristics of actual or attempted cyberattacks because they provide insight into areas of vulnerability that can be redressed. As such, the ultimate goal in cybersecurity defence is to make every attempted attack as painful, difficult and expensive as possible, as a way to discourage attackers from persisting. Collaboration within an industry, threat signatures and shared intelligence on attack attributes can be useful as evidence and help improve vigilance and resilience for industry members as a whole. In terms of public-private partnerships, the sharing of intelligence can be crucial because a security incident could be a prelude to a much larger broad-based cyberattack.

Higher education institutions and universities could initiate sharing of intelligence among themselves without waiting for the government to sanction or make the first move. However, attendees expressed reservations because such moves will require knowledge of priority areas, guidance and adequate confidence that decisions taken will not have negative or unforeseen consequences. To that end, awareness building among institutions could help them better calibrate what they should or could effectively do.

Taking the Initiative on Collaboration Initiatives

On possible guidelines or rulebooks for different industries to catalyse collaboration in cybersecurity, the Cyber Threat Alliance can systematically share threat intelligence with industry competitors, government agencies, the FBI, Interpol and other state agencies to better serve end-users. The collaboration has yielded a substantive body of threat information that is beneficial for all parties, and serves to improve the organisation's solution offerings in the security space.

By extension, attendees were encouraged to consider the power of such initiatives if separate institutions or agencies took up the gauntlet and made the first move. If industries led the way, then they would find support from the government. By illustration, Bank Negara and StanChart recently signed an MOU to strategically collaborate, share security insights and foster evidence exchange to improve advanced cyber forensic analyses in the financial sector. A further aim was to build capacity and eventually certify 10,000 IT professionals with cybersecurity credentials, measures that were observed to be relevant and useful for private sector industries to emulate.

Business-First Security Education

There was a need for cybersecurity education to look in totality beyond the technology or technical infrastructure, towards a business-centric perspective on education, starting with IT leaders' own transformation from technologists to business technologists. Security leaders need to assume a business hat, not least because IT security systems depend on the business side of organisations to drive their value proposition; as such, IT security professionals need to understand business workflows, the core value proposition of the organisation, and the types of exposure to cyberattacks likely to be encountered in the course of conducting business.

Doing so will also allow better prediction, management, decision-making and more effective response to security incidents. It will also better focus the attention of security resources and talent on the most relevant or important aspects during a security incident. Organisations should select security technologies based on a strong understanding of their specific contextual needs, and question whether certain threats are likely or relevant to the nature of their business.

Know Thyself (and What Motivates Your Potential Attackers)

Less can be more in the choice of security technologies: it is better to maximise the use of a suite of technologies that are designed to work together rather than invest in different best-of-class security technologies that may not be as well integrated with one another.

Organisations' decisions on security spend should as such be guided by a good understanding of their value proposition, the core nature of the business, and who might be likely or interested parties to perpetrate cyberattacks. It is also important to know the touchpoints or access points for the business's core value assets from an information standpoint, and how the applications or devices may impact security.

From this perspective, IT leaders will be able to communicate more clearly the possible security impacts of various business initiatives to top management, which may not see or realise the wider implications. As such, the security purview of IT leaders serves as another layer of due diligence from a security standpoint.

Organisations also need to do a better job of educating their personnel to understand what the organisation's crown jewels or core assets are, so that they are handled carefully. Organisations could also do more to collaborate and build trust, starting with measures at the individual level, with careful management of expectations if collaborations are to grow and develop organically.

A concern was raised about the use of third parties to address a business's cybersecurity needs, i.e. where a business is dependent on outsourcing, who would regulate these third parties? A suggestion was to have a clear view of the business benefits and risks at the point of procurement, and possibly to consider the appropriateness of cyber insurance. Decision points hinge on business needs and the value to be derived, e.g. outsourcing to transfer certain kinds of risk or to solve a resource or manpower issue. As such, organisations need to be aware of what trade-offs they are making between different kinds of risk.

It was recommended that organisations map their business-critical assets to identify which areas merit focus and security spend. Business-critical assets may be seen in terms of their short-term ability to drive profit or revenue, such as customer databases, or a core business value such as IP and product design. As one way to guide decisions on what is too critical to outsource, vendors should also be able to adequately spell out what they would do under various threat or cyberattack scenarios.

2016 CYBERSECURITY ROUNDTABLE SERIES

Manila, Philippines: 31 August 2016, Shangri-La at the Fort Manila

Jakarta, Indonesia: 6 October 2016, Raffles Jakarta

Kuala Lumpur, Malaysia: 21 October 2016, Nobu Kuala Lumpur

Singapore: 27 October 2016, The St. Regis Singapore

Hong Kong: 11 November 2016, W Hong Kong

©2016. CIO Academy Asia. All rights reserved. Neither this publication nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior permission of CIO Academy Asia.

CIO Academy Asia would like to sincerely thank Fortinet for the collaboration and partnership in this cybersecurity roundtable series.

*More photos of the event can be found at CIO Academy Asia’s Facebook Page: facebook.com/cioacademyasia

Do show us your support by hitting the “Like” button on our Facebook page!