Developing a nimble and sustainable cyber risk strategy

The pandemic has ushered in a new wave of cybersecurity attacks, adding to the complexity of the CSO’s role and elevating the security conversation to the boardroom. Achieving greater resilience in their organisations is top of mind for IT leaders as they review their cyber risk strategies.

At a recent IDG roundtable event with BitSight, CSOs and CIOs discussed how they are tackling the threats that are emerging as companies move to hybrid working environments. Also present was IDC Asia Pacific associate research director Cathy Huang, who provided insights into what organisations are dealing with across the region.

Since COVID-19 there has been a huge rise in ransomware and phishing attacks as cybercriminals target those now forced to work from home. According to various security lab reports, there have been over 1880 malicious domains using the words ‘corona’ or ‘covid’ in their names, since the pandemic began.

“COVID-19 is expanding the attack surface, and the number one priority for the enterprise is security solutions to ensure remote working doesn’t compromise the organisation, this is followed by security management in the hybrid/multi-cloud environment,” Huang says.

The focus on security isn’t new, as Huang notes in the past three years the General Data Protection Regulation (GDPR) in Europe has influenced regulation in Asia Pacific, but what is changing is the level of investment and corresponding interest from senior business leaders.

“IDC’s 2019 CEO survey showed that digital trust programs are the most important agenda item in the next five years. What the pandemic has done is fast-track these programs,” Huang says.

Understand the expanding attack surface

BitSight co-founder and CTO Stephen Boyer says the attack surface that CSOs are dealing with is expanding, this is due to risks associated with working from home as well as third party risk and supply chain risk.

“We’re finding that compared to ‘traditional’ corporate networks, work-from-home networks are 3.5 times more like to have malware present, and 7.5 times more likely to have large numbers of malware families present,” he says.

Boyer says it’s important for CSOs have visibility into the security approach of the organisation’s vendors and partners.

“Digital resiliency is achieved by continuous measurement and improvement; this is true not only for your own organisation but also your third-party ecosystem. We’ve seen organisations have a lot of success engaging and collaborating with third parties to improve their security,” he says.

Huang echoes this view, noting that digital resiliency is an enterprise’s ability to quickly adapt to future disruptions while maintaining continuous business operations and safeguarding its people, as well as its business customers and suppliers. She highlights three interlocking capabilities that enterprises need to focus on — resilient infrastructure and operations, resilient workforce, and resilient relationships.

CSOs and CIOs attending the roundtable noted that being honest and transparent about their own experiences with cybersecurity can help lead to better conversations with vendors and partners.

Justice Health and Forensic Mental Health Network CIO Fred Lusk says that in Australia the size of the market enables closer interaction on security at the network level. “With Telstra, Optus and TPG being the only wholesalers of data links in Australia, that I am aware of, we are very much across the security controls and response capabilities of the providers,” he says.

“The ISPs as retailers rely fundamentally on the cyber security capabilities of the telcos. New South Wales Government works closely with the wholesalers leveraging their capabilities and knowledge to mitigate some of the cyber security risks associated with home-based networks.”

Deploying a resilient and sustainable cyber risk strategy

Huang says an effective cyber risk strategy should focus on detection and mitigation, as well as prevention. This involves continuous monitoring and undertaking regular cyber drills. Employees need to be constantly made aware of cybersecurity risks and this can take the form of enterprise-wide awareness training and boardroom education on cyber risks.

Roundtable participants noted that good cybersecurity practice involves effective user education and having an understanding that it is about creating a business culture that cares about cybersecurity. Lusk says that the information his organisation holds, the health records of prisoners, is highly sensitive. “I’m struck by how much the people in this organisation care about our clients, and that extends to taking cyber security extremely seriously,” he says.

In addition to creating a better cybersecurity culture, CSOs can also take advantage of security innovation, says Huang.

“Last but not least, from a technology perspective, CSOs can embrace innovative solutions. The financial services sector in particular has been an early adopter of many security innovations, such as DevSecOps, and AI and machine learning-driven security, which have boosted the maturity and efficacy of this vertical,” she says.

Communicating with senior management on cybersecurity

Huang says IT leaders such as CSOs and CIOs have always been key members of their business teams “but the continuing onslaught of global disruptions, coupled with the rapid digitisation of business and markets have cast their role in a new light, that of key business makers.”

Lusk is part of his organisations executive team, and he says this makes it easier to get across the importance of investing in cybersecurity to senior management. While others attending the Roundtable noted an increase in interest in security from senior leaders, there could sometimes be a reluctance to match that with investment.

Boyer says CSOs and CIOs that effectively communicate their program and can justify their budgets — especially in the current economic climate — are the most likely to succeed. “Use your resources wisely, the era of the unending budget is over.”

Benchmarking your organisation’s cybersecurity investment and profile with industry peers can also be useful when communicating with non-technical business leaders. Roundtable participants noted that IT sector analysts can be valuable in presenting an independent view of the sector.

Building an effective digital trust program

IDC defines trust as the ability of two or more entities to achieve a level of confidence in their interactions that allows for transparency as well as the acceptance of uncertainty.

“Trust is an up-levelling of the security conversation to include attributes such as risk, compliance, privacy, social responsibility, and even business ethics. These elements transform the conversation from what “must” a company do to prevent negative outcomes to what “should” a company do,” Huang says.

In addition to trusted governance which mitigates enterprise risk and the trusted ecosystem which manages collective risk, there is trust-enabled commerce. Huang says this third sphere of trust “empowers companies to drive revenue by delivering highly differentiated experiences.”

Boyer says BitSight’s customers globally are keenly aware that their cybersecurity reputation is critical. It isn’t only senior management and the board taking an interest — customers, investors and business partners are also taking note, and CSOs that communicate their program effectively are driving better business outcomes.

“Being able to represent your cybersecurity performance to internal and external stakeholders is critical to building trust within your organisation’s ecosystem,” Boyer says.