The Greek philosopher Heraclitus of Ephesus once said, “πάντα χωρεῖ καὶ οὐδὲν μένει.” If you’re getting the blue screen feeling, it’s probably because that’s Greek to you. Here’s the translation: “Everything changes and nothing stands still.”
While that quote was said 2,500 years ago, you wouldn’t be faulted for feeling it describes today’s state of cybersecurity. Most security professionals know they live in a constant state of flux. Some new tactic or piece of threat intelligence can change an entire protective strategy, meaning that if your cyber resilience planning isn’t keeping up with the latest trends, you may find yourself, post-incident, looking up some Plato, who said, “Good people do not need law to tell them to act responsibly, while bad people will find a way around the laws.”
Plans Are Useful, But Planning Is Indispensable
If this article is beginning to feel like a greatest hits of wisdom, look for the common trend: Upon reflection, the lessons of these quotes are obvious. Believe it or not, as hard as cybersecurity is, cyber risk management is also quite obvious once you reflect on it:
- Define the risks that impact you;
- Determine the amount of risk you are willing to accept; and
- Develop a plan to mitigate the risk you have accepted.
There you have it: the three Ds of cyber risk management. Some of the best cyber resilience planning in 2019 comes from simplicity, beginning with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). The clearly defined functions — Identify, Protect, Detect, Respond and Recover — help you make heads or tails of what you’re dealing with. No matter if you are a small or large organization, the NIST CSF really needs to be your foundation, because, at worst, it will give you a starting point to assess your security posture.
The good news is that, slowly and surely, the NIST CSF is catching on. In 2015, Gartner research estimated 30 percent of U.S. organizations were using the framework, anticipating a 50 percent adoption rate by 2020. If the NIST CSF is not part of your cyber resilience planning, you have some work to do.
You Don’t Have a Plan Unless You Test Your Plan
Compliance documents and reports may look pretty come audit time, but a stack of paper is going to do little to stop that advanced persistent threat (APT). Testing your plans and networks has generally been a laborious, expensive and time-consuming task. But with more entrants in the cybersecurity space fueling competition, and more innovation and economies of scale in technological development, vulnerability assessments and penetration tests are no longer reserved for the large enterprise.
In fact, there is some commoditization happening in these areas, with service providers offering these services for flat fees. For organizations that have been shying away from conducting these assessments and tests, commoditization should be welcome news.
Perhaps the tricky part here is deciding how often to conduct these services. Your decision will almost certainly be based on your risk tolerance, but it’s not unreasonable to assume that annual assessments and tests will become a type of recurring “cyber checkup,” akin to a doctor’s visit. The short version is this: If you’re not conducting some sort of evaluation on your systems, at least annually, you’re quickly chipping away at your cyber resilience.
Remember what Heraclitus said about everything changing. What you thought was “good” in 2018 may be far off from what “good” is in 2019. If your cyber risk management is not dynamic — and the only way to be dynamic is to know what your current state is so you can adjust accordingly — you may be exposing yourself to a digital knockout punch that will leave you sending emails the same way ancient Greeks did.
Give a Person a Phish…
Whether it is having the acumen to spot a phish-y email or staying on top of system configurations, if your people are not receiving some sort of regular training or updating of skills, sound the alarm. Security technologies, such as endpoint protection solutions or security information and event management (SIEM) tools, are great — and necessary — but they will always be one piece of the puzzle.
The other piece of the puzzle will always be the human, whether they are a technologically illiterate end user or an off-the-charts proficient IT administrator. While we consistently hear about the malicious link that unleashes ransomware, or the successful business email compromise (BEC) case, remember that even the most highly skilled employees require ongoing training.
Therefore, if your staff is not receiving regular training and is not being regularly tested, your cyber resilience strategy has a gaping hole in it. You’re taking on risk that you can’t afford, but that can also be easily wiped off your ledger with some elbow grease.
While implementing some sort of artificial intelligence (AI) to help relieve staff burnout may be one reason to adopt the technology, another is that threat actors have weaponized AI to unleash a new breed of cyberattacks. Understandably, the use of AI or machine learning (ML) can be cost prohibitive — unlike vulnerability assessments and penetration tests, AI and ML have not reached the commoditization stage yet — and some still have concerns about what AI and ML will actually do on their network.
These are legitimate concerns, but widespread AI and ML implementation is on the way, so your cyber resilience planning should find a place for them, if not today, in the very near future.
If You Can’t Measure It, You Can’t Manage It
Or is it that the important stuff can’t be measured? It’s sometimes tough to tell, but before we decide which, let’s recap what we’ve already touched on:
- Risk management
- Industry frameworks
- Planning and plan testing
- Vulnerability assessments
- Penetration testing
- Security awareness training
- Artificial intelligence and machine learning
All of this seems so straightforward, doesn’t it? Well, if it’s all straightforward and not particularly novel, why are breaches still happening? It’s likely because we have not implemented all these basics yet, and that should be the greatest takeaway of all. Cyber resilience in 2019 needs to include all of the things mentioned above and, candidly, not all of us are doing so. These are your cyber risk management baselines, your basic “must dos” if you want to protect yourself today.
If you haven’t begun to institute all of the measures mentioned above, you should. And make sure you can measure your success along the way. Identify your gaps, track your progress and come up with metrics that can improve your information security posture. All of this is doable, manageable and measurable. After all, a breach is a serious thing, and its cost sometimes can’t be measured.