Cyber threats have evolved and accelerated with digitalization, and attack surfaces are much broader amid a worsening cyber security talent shortage. It is no wonder that publicly reported breaches are going up, with the total number of events in the U.S. through September this year already exceeding the total number of events in full-year 2020 by 17 percent.
Enterprises have started to do cybersecurity differently in the face of this challenging landscape, notes Pei Yuen Wong, chief technology officer at IBM Security ASEAN. Despite years of growing awareness and attention paid to cybersecurity, the swift pace of digitalization means that more needs to be done.
“Even before COVID, the rapid pace of digitalization had caused a lot of organizations to rethink how they need to do cyber security. It is no longer like before, where organizations would only evaluate security towards the end of a new system implementation. Because of the pace of how new systems such as cloud-based systems are deployed, security must be considered throughout the entire cycle,” explained Wong.
The challenges of cybersecurity
“The speed at which innovations and services are being rolled out is increasing as brands scramble to outdo their competitors with more frequent product releases. This becomes a self-reinforcing cycle, and the extreme time pressures mean there might not be enough security-by-design considerations put into place.”
As one might expect, COVID-19 had a profound impact on the cybersecurity front, further exacerbating existing challenges. Part of it is due to how the ongoing pandemic had significantly compressed the rate of digitalization, says Wong.
Then there is the never-ending tussle between convenience and security that tempts organizations not to implement stronger security measures. Wong said: “In this age of the mobile workforce, it is not uncommon to find yourself at the supermarket or while running an errand needing to quickly approve something. But what if you didn’t have your security token with you?”
Poor visibility of computing assets is another potential recipe for disaster: “I'm not sure how many CIOs or CISOs in the world can tell you the exact computing assets they have. And even if they can tell you, is it the complete inventory? Do they have full visibility of the entire digital estate that they have?”
“It’s a challenge to be up-to-date in terms of one’s digital inventory. And the lack of visibility can result in a loss of control. If you don’t know something exists, how can you protect it? This is why we often see breaches happening with organizations through assets that they didn’t know existed.”
Putting security everywhere
Clearly, more needs to be done to secure organizations from the bad guys. But how can enterprises put security everywhere? According to Wong, the security journey starts with a good governance framework. “First and foremost, an organization has to have a governance framework. A good framework must clearly define who is accountable for cybersecurity, either a specific person or group of employees. These will be the ones to drive security as an agenda.”
Wong pointed to the RACI matrix, which is an acronym for responsible, accountable, consulted, and informed, as a handy way to identify overall accountability and responsibility. But while responsibilities are clear in some industries such as the financial sector where the Board or CEO is ultimately accountable for security breaches, he acknowledged that the situation is murkier in relatively less regulated sectors.
“In these less regulated sectors, it is often not the CEO but the CIO or CSO equivalent in charge of security; it is usually the more technical guy. In some unfortunate cases, they are the people getting the blame should something go wrong. It really depends on industry segments and the maturity of the organization itself.”
Finally, the organization’s risk appetite must be identified right from the start. “If the organization is a highly visible brand which cannot afford a single breach, then the investment has to correspond to that. But if they say they have a very low risk appetite but are not willing to invest in cybersecurity, then that disconnect must be called out. If you are so serious about security, why are you not spending?”
“It's not enough to say I'm very worried about cybersecurity and getting the CIO or CSO to deal with it. There must also be clear guidance in terms of what kind of risk management framework we're looking at, the risk assessments that need to be conducted, the scope, and so on,” said Wong.
Zero trust is a journey
For organizations looking to adopt a zero-trust paradigm, the main thing they must remember is that zero trust is not a product or solution, but a mindset or framework about how cybersecurity should be implemented, says Wong. In a nutshell: “Never trust, continually verify.”
“Zero trust is not just about protecting the organization, but about the entire lifecycle that starts from identifying the threat vectors, the assets, what to protect, how to protect them, and detecting threats and how threat actors enter. This is followed by response and recovery.”
A common weakness Wong observed in organizations would be their response and recovery strategies. “They have backup systems, regular backups, but [do] the backups work when the recovery is needed? In many cases, they don’t work well. It takes too long, or the backup is found not to be working.”
The solution is to conduct real exercises to verify recovery systems and processes, not just tabletop exercises, says Wong, who noted that this is also part of the zero-trust paradigm. While benchmarking an organization’s cybersecurity maturity against those of peers in the industry is useful, an organization’s cyber resilience should be regularly tested using real hacking techniques that cyber criminals would use through exercises such as red teaming and bug bounty programs.
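The point Wong makes about backups is that their existence proves nothing until a restore has actually been performed and checked. The script below is an added illustration of such a restore drill; it is not code from the article or from IBM. It records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and reports every file that comes back missing or altered. The sample files, paths and archive name are constructed for the demonstration.

```python
"""Backup restore drill: prove a backup can be restored, not merely that it exists.

Added example (not from the original article). All data below is constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Map every file under source_dir (relative path) to its hash at backup time."""
    return {
        str(p.relative_to(source_dir)): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def make_backup(source_dir: Path, archive_path: Path) -> dict:
    """Write a tar.gz of the manifested files and store the manifest beside it."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    archive_path.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def _safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract with the 'data' filter where Python provides it (blocks path traversal)."""
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def verify_restore(restore_dir: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest recorded when the backup was taken."""
    result = {"verified": [], "missing": [], "corrupted": []}
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != expected:
            result["corrupted"].append(rel)
        else:
            result["verified"].append(rel)
    result["ok"] = not result["missing"] and not result["corrupted"]
    return result


def restore_drill(archive_path: Path, manifest: dict) -> dict:
    """The actual exercise: restore into scratch space and verify every file."""
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive_path, "r:gz") as tar:
            _safe_extract(tar, restore_dir)
        return verify_restore(restore_dir, manifest)


def build_sample_data(target: Path) -> None:
    """Constructed stand-in for a production dataset (hypothetical names and contents)."""
    (target / "config").mkdir()
    (target / "config" / "app.yaml").write_text("db_host: db.internal\n")
    (target / "db.dump").write_bytes(b"\x00\x01" * 1024)
    (target / "notes.txt").write_text("quarterly figures\n")


def run_demo() -> tuple:
    """Return (clean drill result, result for a deliberately damaged restore)."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        src = work_dir / "data"
        src.mkdir()
        build_sample_data(src)
        archive = work_dir / "backup.tar.gz"
        manifest = make_backup(src, archive)

        clean = restore_drill(archive, manifest)

        # Simulate the failure Wong describes: the restore comes back incomplete and damaged.
        damaged = work_dir / "damaged"
        damaged.mkdir()
        with tarfile.open(archive, "r:gz") as tar:
            _safe_extract(tar, damaged)
        (damaged / "db.dump").write_bytes(b"truncated")
        (damaged / "notes.txt").unlink()
        broken = verify_restore(damaged, manifest)
        return clean, broken


if __name__ == "__main__":
    good, bad = run_demo()
    print("clean drill ok:", good["ok"], "verified:", len(good["verified"]))
    print("damaged drill ok:", bad["ok"], "missing:", bad["missing"], "corrupted:", bad["corrupted"])
```

Running the drill on a schedule, against a scratch location rather than production, turns "we have backups" into a measured recovery result: the manifest pins what the backup was supposed to contain, so a silently truncated dump or a file that never made it into the archive surfaces long before an incident forces the question.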
To be clear, implementing zero trust is a huge task that cannot be completed overnight. Wong pointed to research suggesting that it could take as many as 10 years for any organization today to be in mature stages of the journey.
This means getting everybody on board is vital. “Having the key stakeholders aligned on zero trust is crucial. And the number one thing that we need to do is educate everyone across the entire organization, not just the technical people. This must include senior stakeholders such as the C-suite, the CEO, and every end-user using the systems.”
Only then can organizations, in the words of Wong, “Secure every connection, every endpoint, every user, every time.”
Paul Mah is the editor of DSAITrends. A former system administrator, programmer, and IT lecturer, he enjoys writing both code and prose. You can reach him at [email protected].
Image credit: iStockphoto/spukkato