How to Bolster Your Company’s Cyber Resilience—Insights from CEO Tim Eades
The Cambridge Dictionary defines resilience as “the ability to be happy, successful, etc. again after something difficult or bad has happened”, which seems particularly apt for the times we are living in. In addition to the ongoing asymmetry of the cyber struggle and the complexity of protecting our businesses’ increasingly digital operations, we are also faced with the social, geopolitical and economic challenges of a major global pandemic. With so much going on, where do we focus?
Think About the Bigger Picture—Business and Geopolitical Risks
Focus on Business Risks. The cyber threats to an organization can be overwhelming, and it is easy to become distracted by the latest vulnerability or breach. From a business perspective, focus on protecting your areas of highest business criticality (including their dependencies, but more on that later), understand the risks and potential impacts specific to those functions, and build a system that aligns controls and architecture with business criticality. Taking a business-focused approach keeps you from being overwhelmed, and it also aligns your cyber and technology strategies with your business strategy. That final point on alignment can transform your role within your organization.
Be Aware of the Changes in Geopolitical Risk. The daily news reminds us that the world is becoming a very uncertain and dangerous place. Geopolitical threats from hostile foreign powers extend beyond government and military targets, as disinformation and disruption have become tactics used across business and society. Regulators are increasingly focused on understanding dependencies and relationships that extend into hostile regions, and those regions now reach beyond the nations we were concerned about just a decade ago. Understanding the global cross-border dependencies across your application relationships, and instantiating effective controls and observability over them, is going to become one of the cyber priorities of the next few years.
Of Course Think About Your Operational Risk and Cyber Risk
Build in Resilience as Part of the Architecture. Once you take a resilience-led approach to cyber and operational risk, your mindset and strategy will change. Historically, we have sought controls that allow us to mitigate risk and recover from events, whereas a resilience mindset leads you to build inherent capabilities into your application and cloud architectures. If you embrace secure development practices, automation, and control planes that ensure your application deployments continue to meet your business requirements for cyber resilience, then bolted-on controls (which add complexity and brittleness) become less necessary.
Understand Your Dependencies in a Highly Dynamic World and Take Steps to Ensure You Continue Doing So
There is an underlying challenge that all medium to large organizations have experienced in attempting to respond to cyber and operational failures: unknown dependencies and their impact on critical business functions. Enterprises have complex service-oriented architectures, and their applications are highly interconnected. The rapid rate of change driven by automated cloud infrastructure and CI/CD development practices has only compounded the problem. To maintain a resilient posture, organizations need to understand their dependencies, in terms of applications, infrastructure, geographic locations and third-party service providers, at all times. A decade ago, this process was highly manual, expensive and often inaccurate. New tools in the Application Relationship Management space can automate it, reducing cost, improving accuracy and ensuring that your organization is always prepared to respond to changes in the risk assessment, to attacks and to failures.
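The dependency walk that the cross-border point above and the paragraph on unknown dependencies both describe can be made concrete with a small inventory. The following is an added example, not code from the original post or from any product mentioned in it: the inventory, service names, regions, provider names and the list of "flagged" regions are all constructed assumptions for illustration. Starting from one critical business function, it computes the transitive set of services it depends on (surviving cycles), reports the regions and third-party providers in that set, highlights any dependency sitting in a flagged region, and separately lists dependencies that are referenced but missing from the inventory, which is exactly the "unknown dependency" problem the text warns about.

```python
"""Transitive dependency mapping for a critical business function.

Added example (not from the original post). INVENTORY is constructed
sample data; every service, region, provider and the flagged-region
list are assumptions for illustration only.
"""
from collections import deque

# Constructed inventory: service -> (region, provider, direct dependencies).
# "internal" marks first-party services; anything else is a third party.
INVENTORY = {
    "payments-api":  ("eu-west",  "internal",   ["auth-svc", "ledger-db", "fraud-scoring"]),
    "auth-svc":      ("eu-west",  "internal",   ["idp-saas"]),
    "idp-saas":      ("us-east",  "IdP Inc",    []),
    "ledger-db":     ("eu-west",  "internal",   ["backup-store", "kms-legacy"]),  # kms-legacy is not inventoried
    "backup-store":  ("ap-south", "CloudCo",    []),
    "fraud-scoring": ("eu-west",  "internal",   ["ml-features"]),
    "ml-features":   ("region-x", "DataVendor", ["auth-svc"]),  # cycle back to auth-svc
}


def transitive_dependencies(root, inventory):
    """Breadth-first walk from `root`.

    Returns (deps, unknown): `deps` maps every service reachable from
    `root` to the depth at which it was first reached; `unknown` is the
    set of names referenced as dependencies but absent from the
    inventory. Cycles are handled by the `deps` visited set.
    """
    if root not in inventory:
        raise KeyError(f"root service {root!r} is not in the inventory")
    deps, unknown = {}, set()
    queue = deque([(root, 0)])
    while queue:
        name, depth = queue.popleft()
        for dep in inventory[name][2]:
            if dep not in inventory:
                unknown.add(dep)          # referenced but never inventoried
                continue
            if dep not in deps:
                deps[dep] = depth + 1
                queue.append((dep, depth + 1))
    return deps, unknown


def dependency_report(root, inventory, flagged_regions):
    """Summarize the transitive dependency set of `root`: regions it
    spans, third-party providers it relies on, dependencies located in
    a flagged region, and dependencies that are unknown to the inventory."""
    deps, unknown = transitive_dependencies(root, inventory)
    regions, third_parties, flagged = set(), {}, []
    for name in deps:
        region, provider, _ = inventory[name]
        regions.add(region)
        if provider != "internal":
            third_parties[name] = provider
        if region in flagged_regions:
            flagged.append(name)
    return {
        "dependencies": deps,
        "regions": sorted(regions),
        "third_parties": third_parties,
        "flagged": sorted(flagged),
        "unknown": sorted(unknown),
    }


if __name__ == "__main__":
    # "region-x" is an assumed placeholder for a region of regulatory concern.
    report = dependency_report("payments-api", INVENTORY, flagged_regions={"region-x"})
    for key, value in report.items():
        print(f"{key:13}: {value}")
```

In practice the inventory would be fed from discovered traffic or a CMDB rather than typed by hand, and the report would be re-run on every deployment, since the text's point is that the answer changes with each CI/CD run; the "unknown" list is the one to watch, because an empty inventory entry never shows up in a region or provider breakdown.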
Use the Power of Cloud and APIs to Solve the Challenges of Cloud and APIs. Modern software defined infrastructure and public cloud services have added a layer of complexity to cyber and IT operations. However, they have also added a wealth of services and telemetry that can be leveraged to build in resilience without the complexity of adding a ton of new security products to your architecture. API driven security control planes that can interface to your cloud native security controls while abstracting their complexities and differences allow you to fully embrace the power of cloud without needing to be an expert in every single environment and low-level security feature.
Lastly, Think About Your Most Important Asset—Your People
Simplify and Focus. Cyber security is based upon the pillars of People, Process and Technology and we should reflect upon the unprecedented effects of the past few months on our people. As the home has become the workplace and lines blur between personal and professional we should be driven to think about how we can simplify aspects of working life, to reduce the chances of human error, and to focus efforts on the areas of importance. For security teams, that means focusing on business risk and utilizing tools that simplify and automate repetitive, complex, error prone tasks. How do our tools help our security professionals to focus on risk and business value as opposed to the details of cloud environments and security tooling?
How Are They Affected as We Transition to the ‘New Normal’? Events of the past week have reminded us how insider threats can have real impact on even the most sophisticated technology platforms. We must also consider that the stresses of ‘shelter in place’ and longer-term worries are having a real impact on our people, at the very moment we are no longer able to meet ‘face to face’. Many organizations transitioned fast to ‘shelter in place’, and many are now reconsidering their threat models to take account of a highly distributed, remote workforce at this time of great stress and uncertainty.
Educate. One of the biggest successes I have found over the past few months comes from the space created to bring our teams together, to communicate openly about the problems we face together, and to educate ourselves around risks, opportunities, new disruptive technologies and new ways of working. By focusing on education and proving that we are here to support and improve each other, we can lay the foundations of increased cyber awareness, a renewed determination to protect what’s important, and the understanding that cyber resilience is everyone’s responsibility.