Cybersecurity Decision Making Demands Guidance
Multidimensional systems and threats test cyber warriors’ abilities to choose the right course.
Managing an enterprise cybersecurity and information assurance program in any company today is a complex balancing act. It resembles an unending three-dimensional chess match that entwines business risk with profit and loss and pits a company’s very survival against myriad global threat actors. An organization’s cybersecurity posture depends on a combination of technology and solid decision making at its highest levels.
The competition for resources, as well as the analysis and debate about which effort brings the highest return on investment, is extensive in industry and government. Making sound cyber investments is critical to ensuring security managers and businesses are successful. Consequently, understanding their role in enabling not only business survival but also success is a vital security manager skill.
In describing today’s cyber threat environment during a recent Center for Strategic and International Studies podcast, Gen. Keith Alexander, USA (Ret.), former commander, U.S. Cyber Command, director, National Security Agency, said, “We are getting hosed here,” referring to the status of cyber resources versus number of threats. Any battlefield commander knows that to be successful in the fight, overwhelming battlespace awareness is crucial.
What constitutes cyber intelligence preparation of the battlespace in today’s environment can be challenging and well debated, but what organizations face in the cyber domain is no doubt a battlefield. Maersk, Sony, the U.S. Office of Personnel Management, Equifax and countless others would support the premise that navigation in the digital world today is not only a battlefield but also one in which casualties occur each and every day. Companies are extorted, data ransomed, chief financial officers impersonated and networks destroyed.
It is easy to be overwhelmed and confused by the challenges and trade-offs in this battlespace. Many chief executives and chief information security officers (CISOs) are distracted by a deluge of sales pitches from security appliance and software vendors eager to meet this quarter’s quota. However, even the right weapon or tool, placed in the wrong part of a security architecture, wastes a company’s resources and most likely leaves the organization with a false sense of security.
Instead, it is foundational to a successful cybersecurity strategy to understand the organization’s cyber battlespace to make informed and sound risk-managed resource decisions.
Today, a majority of companies are data companies whether they have acknowledged it yet or not. Their mission-essential functions are crucially dependent on data: the processing and protection of it as well as the trust in it. Customer records, accounts receivable and industrial control systems (ICS) are all examples of critical elements to corporate survival. Mission-essential functions rely on secure and resilient data networks. Whether the field is health care, logistics, retail or finance, a data breach or denial of access to systems has a catastrophic impact on an organization’s ability to deliver on its mission-essential functions.
In addition, it can be costly to ignore that data integrity and security are a company’s core mission enablers. According to the Ponemon Institute’s 2018 data breach cost study, the average cost of a data breach in 2018 was $148 per record. This figure seems low until the scale of some recent breaches, ranging from 800,000 to 1 billion records, is taken into account. The cost of victim notification alone has bankrupted some companies.
Whether a business is producing dairy desserts, shipping products globally or generating local power, it has critical functions that must take place every minute, hour and day for the business to be viable. However, few companies have done critical analysis of each of the systems required to execute their respective essential functions.
Development and implementation of a mission or business continuity plan is an essential part of any security manager’s job. Organizations that have developed, implemented and tested their continuity plans can trace resource and prioritization decisions directly to those systems, networks and processes that support their respective essential functions. This rigor enables security managers to be good stewards of organizational resources, ensuring that system resiliency is addressed to achieve the highest return on investment. This methodology can reduce overspending on secondary and tertiary functions that often leave resiliency of primary and most critical systems unaddressed.
Another common challenge across business sectors continues to be the lack of an in-depth understanding of the organization’s cyber terrain. In the cyber battlespace, Sun Tzu’s emphasis on knowing the enemy and knowing yourself applies directly to protecting business operations.
With a marketplace packed with configuration management tools and scanning software, it is troubling that many chief information officers (CIOs) and CISOs have an incomplete picture of their organizations’ cyber domain, and in particular of the places in their architectures that are directly reachable by parties outside the organization.
This matters because the livelihood of the company is inextricably tied to the confidentiality, integrity and availability of its cyber assets. Organizations are making multimillion-dollar information technology investments based on a fuzzy understanding of their cyber terrain. CIOs and CISOs who spend corporate resources without complete domain knowledge should ask whether they are truly assets to their organizations.
Tamir Pardo, former director of Mossad, stated during the Intelligence Matters Podcast in May 2019 that “between 80 and 90 percent of the vulnerabilities of systems are created by the people working in those systems, and that companies are buying and buying and buying solutions against cybersecurity but not dealing with the mistakes of the people that are building and taking care of the networks.”
Pardo’s assessment is correct. An overwhelming number of breaches, system outages, intellectual property losses and malware infections are enabled by poor data, network and system hygiene. All the investment in cyber tools and state-of-the-art machine-learning-assisted computer network defense can be undone in an instant by system owners’ neglect and uneducated or careless users.
Despite decades of user and system owner education, default settings and passwords are still enabled on enterprise devices. As recently as 2017 and 2018, large-scale data exposures caused by unsecured AWS S3 buckets were being announced weekly. After the first dozen of these incidents, system owners should have ensured their systems were configured securely. Yet week after week, critical corporate data continued to be exposed. Educating employees about their responsibilities must become a corporate priority.
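The S3 exposures mentioned above almost always came down to a bucket policy (or ACL) that granted access to an anonymous principal, which a system owner could have caught before the data was indexed by scanners. The following is an added example, not code from the article or from AWS: it evaluates bucket policy documents offline, in the same JSON shape boto3's get_bucket_policy returns, together with the bucket's Block Public Access settings in the dict shape get_public_access_block returns. The policies, bucket names and VPC endpoint ID are constructed placeholders, the set of condition keys treated as scoping is a simplified subset of AWS's own rules, and the check does not look at bucket ACLs, which are the other path to public access.

```python
"""Flag S3 bucket policies that grant anonymous ("public") access.

Added example, not code from the article. Runs offline on policy
documents (JSON shape of boto3 get_bucket_policy) and on the dict under
"PublicAccessBlockConfiguration" from get_public_access_block.
All sample inputs below are constructed.
"""
from typing import Any, Dict, List

# Condition keys AWS treats as narrowing a "*" principal to known callers.
# Simplified subset of AWS's rules; an assumption of this example.
SCOPING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalorgid", "aws:principalaccount",
    "aws:principalarn", "aws:userid",
}
ANY_IP = {"0.0.0.0/0", "::/0"}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_scopes_principal(condition: Any) -> bool:
    """True when a Condition confines the '*' principal to known callers.

    Negated operators (StringNotEquals, NotIpAddress) widen rather than
    narrow, ...IfExists passes when the key is absent (as it is for an
    internet request), and aws:SourceIp of 0.0.0.0/0 or ::/0 is still
    everyone, so none of those count as scoping.
    """
    for operator, key_values in (condition or {}).items():
        op = operator.lower()
        if "not" in op or "ifexists" in op:
            continue
        for key, values in key_values.items():
            key = key.lower()
            if key not in SCOPING_CONDITION_KEYS:
                continue
            if key == "aws:sourceip" and ANY_IP & set(_as_list(values)):
                continue
            return True
    return False


def public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the Allow statements an anonymous caller can use."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if _condition_scopes_principal(stmt.get("Condition")):
            continue
        hits.append(stmt)
    return hits


def bucket_is_public(policy: Dict[str, Any],
                     public_access_block: Dict[str, bool]) -> bool:
    """Policy analysis combined with Block Public Access.

    RestrictPublicBuckets neutralises an already attached public policy
    (access falls back to the owning account and AWS services);
    BlockPublicPolicy only stops new public policies being attached.
    """
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    return bool(public_statements(policy))


# Constructed samples; bucket names and the vpce ID are placeholders.
OPEN_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}

VPC_ENDPOINT_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-internal/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

ANY_IP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-logs/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}]}

_BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
BPA_OFF = {k: False for k in _BPA_KEYS}
BPA_ON = {k: True for k in _BPA_KEYS}

if __name__ == "__main__":
    samples = [("reports", OPEN_READ_POLICY),
               ("internal", VPC_ENDPOINT_ONLY_POLICY),
               ("logs", ANY_IP_POLICY)]
    for name, policy in samples:
        for label, bpa in (("BPA off", BPA_OFF), ("BPA on", BPA_ON)):
            print(f"{name:9s} {label}: public={bucket_is_public(policy, bpa)}")
```

In practice the two dicts would come from boto3 calls against each bucket in an account inventory; the point of keeping the evaluation separate from the API calls is that it can be unit-tested and run against policy documents stored in version control before they are ever applied.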
Over the past year, multiple U.S. cities have also been victims of ransomware attacks that crippled city services. Atlanta and Baltimore know the full impact of not keeping systems patched and updated. Citizens would hope that city managers, as stewards of data and tax dollars, fully understand today’s cyber battlespace and how to protect data and critical city systems. But the Baltimore event, enabled by a failure to patch a two-year-old vulnerability, demonstrates this is not the case.
Many corporations have invested millions of dollars and a large percentage of their operating budgets in their information technology systems. However, according to a recent study, more than 85 percent of recent data breaches and business email compromises result from employees falling victim to phishing attacks.
Today, many organizations expend countless resources chasing vulnerabilities out of fear fueled by daily reports of data breaches, ransomware attacks and complex cyber threat reports. However, these investment decisions are being made with little understanding of their cyber domain, the corporation’s critical infrastructure and where the “most likely” point of attack may be.
Security managers, CEOs and CISOs all have a responsibility to act as good stewards of corporate resources, protect the mission-critical operations of the organization and make resource decisions that support the corporate risk register. These decisions must be based on fact and a thorough risk management program, not on fear and ignorance.
Effective decision making requires the execution of an active and dynamic risk management program to ensure that an organization’s resources are applied in a manner that captures the highest return on investment while managing a wide spectrum of risks. Obtaining a thorough understanding of mission-essential functions, operations and cyber terrain must be a corporate priority. Without these key elements, navigating today’s cyber battlespace will make even the most seasoned managers feel digitally adrift.
Mark A. Spangler, CISSP, is the senior cybersecurity adviser for the TriSept Corporation. Prior to supporting TriSept, Spangler retired with more than 36 years of service with the CIA, having served as the chief information security officer and director of cyber operations for the National Reconnaissance Office. He is a member of the AFCEA Cyber Committee.