It’s hard to define the current state of cybersecurity: the growing volume of attacks and the SolarWinds and Microsoft Exchange breaches all show the field is in flux.
While most companies are, to a greater or lesser degree, wise to cyberthreats, the true scale of the problem is only now becoming apparent. Whether it is from a major crippling attack or death by a thousand phishing emails, we are all at risk.
This constant battle breeds a natural desire for safety, to engineer an impenetrable and permanent security system. Once in place, there will be fewer disruptions and management can focus on other problems.
However, Managing CISO Jordan Schroeder argues that not only is this approach impossible, it is also the wrong goal.
“A lot of organisations are taking cybersecurity seriously,” he said. “But they’re not taking it seriously in a way that’s helpful. They want things fixed. They want the risks reduced, and they want to address those risks, which is great.
“The problem is they want to fix and forget. It’s the ability to be comfortable with technology being a little broken that is, in my view, the key to cybersecurity at the management level,” he said.
Take the recent Microsoft Exchange attack. While the full consequences of this breach are still unknown, the exploitation of vulnerabilities in email servers used by hundreds of thousands of companies could have major consequences across all industries.
“For most organisations running Exchange, it’s a core part of their business,” Schroeder said. “They can’t just shut it down to apply the patches and test it.”
However, as much as companies want to maintain business continuity, it is important to accept disruptions in the name of security. “There needs to be a point where the organisation’s email systems are going down for a day, and they need to be comfortable with that.”
The lessons learned from the SolarWinds breach are similar. When cybersecurity was in its infancy, most solutions were developed in-house. There was a reluctance to entrust such an important task to outsiders.
However, today only the largest companies can afford to maintain in-house cybersecurity developers.
“This was a reaction against the potential for a third-party product or service going awry,” Schroeder explained. “This, of course, is not sustainable, because it requires a very active, adept and skilled internal development department that can rival the conveniences and the skills and the scalability that a vendor can.”
Most companies have no choice but to entrust part of their IT administration to third-party tools. Unfortunately, a breach like SolarWinds or Microsoft Exchange can undermine faith in third-party software.
“At some point, we need to trust a third party, and it goes hand in hand with being comfortable with digital technology being broken. We have to trust people who are going to end up breaking our heart, but the alternative is worse. Without trusting a third party, we don’t get the benefits.”
Vitally, third parties offer different perspectives on cybersecurity risks and on how other organisations are responding to them. This ability to gather information from multiple sources is important to ensuring cybersecurity.
“Connect with third parties to learn what they’re thinking and what they know,” Schroeder said. “Connect with a community where you can learn from. It could be a vendor-run community, it could be your peers.”
“You need to have that learning attitude and connecting to people we trust gives us relevant information so that we can adjust what we’re doing.”
Ultimately, risk management is crucial to embracing the inherently broken nature of cybersecurity.
“Risk management isn’t about eliminating risk, it’s about managing those problems, and making sure there are checks and balances in place. That means we can get the value out of the situation while limiting the impact of our use of third parties’ products and services.”
Engineering into a Corner
The temptation when confronted with the threat of cyber-attacks is for a company to try to engineer its way to safety. But cybersecurity is not a conventional engineering problem. When constructing a building, installing plumbing or wiring, the nature of gravity, water or electricity does not change. Cyber threats, on the other hand, are constantly evolving.
As such, engineering a permanent, static solution is impossible. The only way to build a resilient cybersecurity strategy is to embrace change and embed adaptability at its heart. This is why focusing on the human element is so vital.
“A good cybersecurity strategy accounts for people,” Schroeder said. “People are not reliable, and you can’t force them to be. A reliable cybersecurity strategy is one that works with people as the centre of the strategy. They’re not something to try and breed out of security.
“The other component that a reliable security strategy needs is nimbleness. We don’t always know what’s going to change, how it’s going to change, or when it’s going to change. That incorporation of uncertainty, and how to manage uncertainty, is what you need in order to have a reliable cybersecurity strategy.”
The temptation to engineer one’s way to safety also runs the risk of pushing responsibility onto the engineers, in most cases, the company’s IT department.
“Safety isn’t the engineers’ problem,” Schroeder explained. “Cybersecurity has an engineering component, but there’s also a use component. Security is what happens when people do things securely.
“From a cybersecurity perspective, it’s about nudging things so there is a greater probability that things will happen securely.”
However, with adaptability comes the need to scale. The days of the lone mischievous hacker are gone. We are in the age of highly skilled, highly motivated, well-funded criminal and state-backed hackers. Not only do they have far better resources and technology, they have a concrete goal in mind – getting data and getting money.
These hackers are quick to adapt and exploit new technology. As such, companies are stuck in an arms race with them, where scaling is needed to keep pace with the bad actors.
“Step number one for scalability is to automate what you can automate and what makes sense to automate,” Schroeder said. “A machine can do things once or a million times and it doesn’t matter.
“Step number two is work with people so they can learn from each other – how to do things efficiently and how to scale. People don’t like inefficiencies and if they find that someone else is doing something more efficiently, they will naturally adopt those things, and then adapt them.”
Forming and joining communities is an excellent tactic for sharing information and developing best practices. After all, it is also what the cybercriminals are doing.
“They’re learning from each other,” Schroeder warned. “They see this big hack like the SolarWinds attack, and suddenly everybody gets ideas. This is how they operate.”
As threat actors communicate and learn from each other, the technology behind their attacks evolves. There are already concerns about how criminals can use AI in their attacks, from more accurate targeting to using deepfakes to build trust.
Schroeder warned that some ransomware attacks can go from an initial infection to a complete takeover of a group’s network in as little as two hours.
Because the threats are constantly evolving, complacency is the enemy of cybersecurity. This is why accepting that things are broken and need to be developed constantly is the foundation of a resilient strategy.
While cybersecurity tools help provide an edge over attackers, the only true defence is ensuring the entire workforce acts securely.
“The security of my business is on me. The technology helps me do that.”
Join the Debate | Scot-Secure 2021
Creating a resilient and scalable cybersecurity strategy to face an evolving cyber landscape will be a key area of discussion at the upcoming Scot-Secure Cybersecurity Conference on March 24-25th.
Hear from leading experts from across the cybersecurity sector and explore the crucial issues.
Register your free place now at: https://www.scot-secure.com