What are the barriers to the adoption of cybersecurity best practices?

It is apparent that current approaches, policies and strategies make it difficult to implement comprehensive best practices across the digital and operating environments of organizations. Security tools and processes are often set up once and then forgotten, becoming outdated and even obsolete in a continuously evolving threat landscape. Systems must be updated continuously, keeping pace with the flow of business activities, if they are to protect effectively against newly discovered vulnerabilities. Although organizations have a plethora of tools available to automate security tasks, these tools often aren’t integrated in a fully automated fashion. The result is a complex environment of tools, gaps and vulnerabilities which, because no holistic automated approach can be deployed, together increase the attack surface rather than mitigating threats. Another major challenge is the sheer volume of work involved in following up on security alerts and incidents that cannot be automated. The reliance on humans to carry out security functions and to assess the more strategic implications of alerts and incidents is mission critical. However, the well-known cybersecurity talent shortage means this capability is often under-resourced. To face these demanding challenges, organizations often need to consider outsourcing some of the more advanced, complex and onerous services to service providers, depending on their risk profile, in order to improve their coverage and service level agreements.
10 Tenets for Cyber Resilience in a Digital World

The role of an organization’s cyber resilience leaders is to support the mission of their organization by ensuring that cyber risks are managed at an acceptable level. It is unrealistic for any organization to achieve faultless security. Since no enterprise is immune to cyber threats, organizations need to be prepared for the inevitable, namely, that a breach will happen. Therefore, the end goal of every organization should be resilience: the ability to quickly and efficiently identify and minimize the impact of an incident so that business continues as effectively as possible. With this in mind, the World Economic Forum published the “Cybersecurity Guide for Leaders in a Digital World.” The guide bridges the gap between leaders with and without technical backgrounds, and it is intended for senior executives who are responsible for setting and implementing the strategy and governance of cybersecurity and resilience in their organization. Since cybersecurity is everyone’s responsibility in an organization, it is essential that key stakeholders in the C-suite and other company executive officers understand their responsibilities regarding cybersecurity. The purpose of the guide is to present the key tenets of how cyber resilience in the digital age can be achieved through effective leadership and design. Essentially, the guide offers an excellent cybersecurity playbook for leaders in a digital world. It presents and elaborates on 10 tenets based on existing guidance and standards, which are “the fundamentals that an organization must implement in order to embed cybersecurity in the corporate DNA and as part of a comprehensive cybersecurity program in the exercise of due diligence for cyber resilience.” The 10 tenets are the following:
- Think Like a Business Leader to transform cybersecurity from a support function into a business-enabling function, considering that cybersecurity has a direct influence on business reputation, stock value, revenue, brand equity, customer relations and a product’s time to market, among other parameters.
- Foster Internal and External Partnerships. Internal partnerships are required to ensure that business timelines are met while delivering a highly secure and usable product to customers in line with the risk tolerance defined by the organization. External partnerships, on the other hand, are important for sharing information on security-related issues such as threats and best practices, so that the risks associated with cyber threats can be managed in the most effective manner. This kind of relationship is built on trust; the more trusted the relationship, the more sensitive the information that can be shared.
- Build and Practice Strong Cyber Hygiene, because the effective and consistent implementation of strong cyber hygiene could have mitigated the majority of the cyberattacks of the last decade.
- Protect Access to Mission Critical Assets based on the principle of “least privileged access” while building a strong identity and access management system.
- Protect Your Email Domain Against Phishing since email is one of the most valuable and broadly used means of communication and since most organizations strongly depend on it. According to Verizon’s DBIR 2019 report, email is the most common point of entry, with the median company receiving over 90% of their detected malware via this channel.
- Apply a Zero-Trust Approach to Securing Your Supply Chain that does not assume that a company can be made safe and sound within the confines of its own “secure” corporate network. As nearly 50% of companies fail to assess their hardware and software suppliers’ level of cyber risk, a perimeter-agnostic zero-trust approach places control around the data assets themselves and increases the visibility into how they are used across a digital business ecosystem. Cybersecurity is only as strong as its weakest link.
- Prevent, Monitor and Respond to Cyber Threats by developing a robust risk-based approach to measuring risks and responding to cyberattacks that is tailored to the organization’s business context. The security services implemented must be fit for purpose and tailored to the needs of the organization across the dimensions of people, processes and technology.
- Develop and Practice a Comprehensive Crisis Management Plan. Crisis management is a critical component of any security program in today’s world. Timely communication of a security incident is as important as transparency and simplicity in forming a solid, trusted relationship with customers, shareholders, regulators and other stakeholders.
- Build a Robust Disaster-Recovery Plan for Cyberattacks, tailored to security incident scenarios, to protect an organization from potential cyberattacks and to instruct how to react in case of a data breach, while reducing the time it takes to identify breaches and restore critical services for the business.
- Create a Culture of Cybersecurity that puts users on the first line of defense and recognizes the critical role all employees play in the organization’s security. Keeping an organization secure is every employee’s job.