Mastering Cybersecurity Execution: How To Avoid An Epic Fail Of Your Cybersecurity Program

Ramy Houssaini, Chief Cyber and Technology Risk Officer, BNP Paribas

Cybersecurity is an ongoing concern for global organizations, especially at a time when we are witnessing an acceleration of the digitization of several industries and an increase in the sophistication of attacks. Under the influence of the C-suite and the Board (and sometimes the regulators), cyber investments have been steadily increasing over the past 5 years. The increase in cyber spend has not always been matched by an improvement in the performance of cybersecurity. Below are some observations on what makes successful companies more cyber resilient by driving more value from their cyber investments and filling the performance gaps in their programs:

1. Zero risk does not exist: shift the investment paradigm to Cyber Resilience:

Communicating the unrealistic expectation that there will be zero cyber incidents is a sure recipe for surprises. Investments should focus on the capability (and capacity) to quickly detect issues and contain their impact by stopping attacks and finding and fixing breaches faster. In the face of a cyber event, you should be able to bend but not break.


2. "It's the architecture, stupid":

Create a defensible environment by shrinking the attack surface and formalizing a strategic cybersecurity architecture: throwing technology solutions at the problem is not going to make it go away, nor is it a sustainable approach. By some counts, organizations report using, on average, 60 plus different security products. This introduces complexity and creates opportunities for coverage gaps. Additionally, it dilutes the focus of security operations teams and reduces their individual end-to-end understanding of the issues, because operations become fragmented. The right approach is to understand and govern the attack surface and digital footprint of the organization, work tirelessly on shrinking it, and enact effective architectures that cover the different scenarios. Consolidating your security supply chain (fewer vendors and products) is an important consideration.

3. Speed is the name of the game:

Integrate cybersecurity telemetry to enable operational speed: boost digital protection with data intelligence, razor precision and turbo-charging technology. Detection speed is an important consideration when building the technology stack required for analyzing weak signals in the environment. Organizations should invest deeply in analytics and move to predictive models rather than reactive ones. This can only be done if the basics are also mastered operationally.

4. You can (but shouldn't) spend your way into security:

Scale existing investments and rigorously manage and fight unsustainable cost increases: quantifying the return on risk reduction is important in order to routinely retire expensive controls that deliver low value and replace them with risk- (and cost-) optimized ones. Additionally, focus should be maintained on automation and achieving scale. I am in favor of having annual operational efficiency targets to keep security operations in a continuous improvement mindset.

6. "When the roots are deep, there is no reason to fear the wind":

Invest in talent diversity, depth and strength to cover the unexpected: ensuring that you have the right mix of talent in the team, with coverage across the different security domains, is a critical consideration. Diversity is important to create a healthy challenge culture within the team and creates the conditions for effectively managing today's and tomorrow's threats and issues. Agility and adaptability are also important considerations when hiring cyber talent, so that the team can respond to shifts and evolutions in the threat landscape.

7. Make the people that hired you (cyber) smarter than you:

Equip your general management and board with the appropriate training and understanding of the issues to properly challenge you: a robust challenge from your general management and board is what creates the intellectual stimulation required to continuously transform, innovate and anticipate issues. For this important feedback loop to be effective, you must invest the time to train them on cybersecurity issues and their evolution, and expose them to different ideas and perspectives on the topic to nurture critical thinking, fight groupthink and ensure the right diversity of mindsets.

8. Hello, I am... Accountable:

Embrace end-to-end accountability for the topic and don't generate excuses for only covering what you can control: let's face it, the accountability span of a CISO far exceeds her or his control span. That will never change, but it should not be an excuse for not pushing for cross-functional collaboration and not influencing the relevant areas wherever they might be. Additionally, security should be everyone's responsibility. Working on training and effective awareness will always pay dividends and improve the contribution of the human firewall.

9. Compliance is not security:

Make regulators happy... but don't consider the job done when they are: this is especially true in highly regulated industries (e.g. Financial Services). Passing examinations and meeting regulatory requirements is important, but it should not be considered the definition of success for a cybersecurity program. If you are spending a substantial amount of your resources on regulatory compliance (versus everything else), something must be fundamentally broken.

10. Don't outsource your thinking: security frameworks are okay, but they are not business-context specific:

Mechanically deploying a security framework (e.g. NIST) without curating the controls to the business context creates a significant risk of diluting both value and effort. Carefully selecting the most important controls, with resilience as the primary driver and a focus on control automation, is a far more effective approach. Ambient controls that can be easily embedded operationally in the ecosystem should be preferred.
