Cybersecurity’s never-ending challenge
Here’s a news flash from a journalist like me who writes articles about cybersecurity: the idea of good versus evil makes for a sexy story.
But if it’s a long, never-ending tale in which the bad guys keep winning, your faith in cybersecurity people, process and technology either begins to dim a little or makes you want to dig deeper than usual.
So CISOs face a constant uphill task in protecting their organisation’s assets. They share that one of the main challenges they face in doing their job is justifying cybersecurity investment to a board of directors, and trying to prove that a return on security investment (RSI) can exist at all.
Now, to an observer on the sidelines and occasional reporter on cybersecurity, brand-agnostic events like the RSA conference can be a go-to ‘bible’ if one ever wants to take the pulse and read the zeitgeist of the beleaguered security industry.
Whatever whoever is on stage says during the keynote speech becomes ‘golden’, and at recent annual RSA conferences in this region the message has been that the cybersecurity industry, that is, the security teams and CISOs of any business in any industry, should always ‘assume breach.’
If an organisation is to assume that it is already compromised, what exactly should its (already limited) security budget go towards protecting?
The answer is that it’s a business decision.
The business has to have a prioritised list of the assets it absolutely must protect.
Strategy to scare tactics
When it comes to business and IT working together in an organisation, cybersecurity is the domain that seems most out of place. It is also the domain where scare tactics are most often used to obtain budgets.
These were the statements that came up during a recent informal discussion among like-minded security professionals in the local industry. The discussion was informally moderated by Syahril, a long-time cybersecurity expert and industry veteran. If you ever want a taste of cybersecurity theory in practice, picking the brains of experienced professionals who are hands-on with it is the way to go.
The responses on cybersecurity spending during this meet-up were varied. If you work for an MNC in the financial services industry, as Tahrizi does, then a fixed budget is usually allocated to cybersecurity.
He said, “Thirty percent of the revenue is allocated and set in my environment, to also include projected technologies that need to be onboarded.”
But the downside to having budgets allocated is that they are driven by compliance requirements. Regulatory compliance is the main justification for getting spending approvals, but that means spending goes towards merely ‘adequate’ security that protects the baseline and not much beyond it.
A cybersecurity veteran called Wing said, “You need strategy to communicate with the board of directors …most times it’s either they don’t understand, or they don’t want to.”
Former money man Alain Boey does observe that things are better than before. “Now, each director of the board is personally liable if there is a breach. They are taking (cybersecurity) more seriously now.”
Governance, risk and compliance (GRC) functions are championing security and awareness in the organisation. But this is more prevalent in financial services and not so much in other industries.
Wing also opines that risk assessments are predictions at best, especially when it comes to having to prioritise business assets to protect. “As long as an attack hasn’t happened yet, assessment reports aren’t real enough.”
Maninder said, “There were days when security teams would only focus on protection. Now with the ‘assume breach’ approach, one needs to equally focus on detection of and reaction to attacks,” while Tahrizi shared, “Assume breach is good when the board of directors are well-versed in cybersecurity. They know what to spend on, and what not to.”
But it does not end there.
A popular belief is that when there is a security breach of the perimeter, be it real or assumed, the next steps to take are proactive in nature: hunting, detecting and remediating.
These steps would still require resources, be they people or technology.
Which brings the whole cybersecurity/business endeavour of focusing on and prioritising the assets to protect back to square one: seeking an audience with the CFO to ask for money.
Last few pertinent points
Wing said there is only so much FUD and so many ‘worst case scenarios’ that can be thrown at management before they stop buying into it.
“Fear, uncertainty and doubt (FUD) still works when it comes to garnering support for cybersecurity efforts in an organisation,” Syahril said but he also added, “Many industry players say we shouldn’t use FUD and should take a more strategic approach.”
There are many challenges to overcome, though, the main one being that management, for the most part, is still resistant to seeing cybersecurity as a crucial investment.
Maninder had mentioned that risk assessments are done by different departments and divisions, and Wing made the pertinent observation that if risk assessments are being done by multiple parties using different parameters, then governance of risk management across the different parts of the organisation becomes questionable.
“If there is no governance of and standards in application of risk methodology, risk assessment reports will come in different colours,” Wing pointed out.
And if so, how relevant and how close to the ‘real picture’ can these reports be, at the end of the day?
Alain echoed this, saying that besides needing independent parties to do assessments, there have to be harder numbers to comply with. “If we run a fraud test x number of times, let us know what the success rate has to be, and have this confirmed by a third-party assessor.”
This would go a long way in helping form governance controls for risk assessments, and he explained, “Regulators need to be more specific about what needs to be done, instead of a generic statement which is up to a bank’s own interpretation.”