By Danny Solomon,
Head of International Consulting at BDO Cybersecurity Centre, Israel
Developing and maintaining security capability, user awareness, and a high state of organisational readiness is very management and resource intensive, but this is only one reason why the uptake of cyber security across industry has not kept pace with the revolution in security technology. Now that providers of managed security services can offer a simple and affordable route to establishing cyber resilience, what is stopping firms from investing to protect their businesses? BDO’s Head of International Cyber Security Consulting, Danny Solomon, shares some insights...
The understanding of ‘cyber’ security has been evolving gradually, not least because stakeholders and decision-makers increasingly need to become ‘cyber literate’ to the point of being able to assess the risk objectively. This is still a distant objective, however, because awareness of vulnerabilities is inadequate, appreciation of the types of threats that are emerging is limited, and the full potential impact of those threats is underestimated. Nonetheless, organisations are becoming more conscious of the direct and indirect implications of indemnity, liability, and charges of negligence that follow from disruption of service, loss of data integrity, and the resulting damage to organisational reputations.
Over the past decade, as understanding has evolved, there has been an overriding focus on business continuity and compliance processes at the expense of investment in proactive security. This is starting to change, with increasing calls for investment in ‘effective’ security and more ‘defensive’ measures, which equate more closely to a resilient posture. This is more in line with the profile of current threats, against which a purely reactive approach is ineffective and may be judged negligent or reckless. In most cases, once struck, the damage is done.
Typically, poor resilience combines a failure to implement existing, recognised security management practices with, more specifically, a failure to make best use of established security technology. Resilience and cyber security ‘maturity’ are most developed where security measures’ adoption rates [SMARs] are highest, and this has been most evident in industries that are under greatest threat and in organisations that have experienced a breach. Furthermore, where organisations have a more ‘developed’ risk management approach that underpins a more comprehensive evaluation of cyber security, there has tended to be greater recognition of the need to invest in security, and more justification for ‘protecting the value in the business’.
The greatest challenge to achieving higher SMARs remains organisational issues that create barriers to the appropriate allocation of budget and to the recognition of security priorities, particularly where IT investment in security competes with investment in IT capacity. This is very much a tactical issue, but the more significant issue behind it is a poor understanding of resilience as a concept. In this regard, there is still work to be done in explaining: a) why static security will always be fallible; b) what value monitoring, detection and response offer to any firm; and c) how cost-effective it can be to outsource what is essentially a complex array of advanced capabilities.
From Readiness to Resilience
As the appetite for risk has changed over recent years there has been a growing appreciation of the need for ‘cyber readiness’, particularly because low-probability, high-impact events can no longer be dismissed as unforeseeable ‘black swans’. Experts can now build a range of scenarios to illustrate how any given cyber risk could materialise. More importantly, technology can translate those scenarios into effective monitoring and detection functions for any organisation.
The development of this technology has given rise to a renewed focus on resilience, because it has made advanced capabilities more accessible and more affordable for nearly all firms. As investment in cyber security tries to address more complex scenarios, the advent of big data, advanced analytics and cyber intelligence, together with the cumulative experience of deploying effective monitoring and detection solutions, can now provide the solutions that companies require.
One key challenge to investment is the complicated nature of the threat. Few organisations have the resources or skills to build and maintain the complete set of capabilities required to deliver comprehensive resilience. Indeed, even larger organisations struggle to sustain the capabilities needed to identify the source of attacks, to develop predictive or warning mechanisms, or to counter more sophisticated worms, viruses and other malware.
In a financial climate where there has been a reluctance to invest aggressively in proactive security, greater emphasis has been placed on mitigating higher-probability risks and on the ability to react rapidly and enact contingency plans effectively. This has started to change with greater investment in IDS/IPS, and in SIEM platforms that collect and correlate events from firewalls, anti-malware scanners and other security devices. This goes some way towards building an adequate level of preparedness, but on its own it does not establish resilience.
Part of the problem is making effective use of these capabilities, and this is essentially about skilled security operators who know how to use the technology and manage a security incident. Companies often find that they simply lack the time to analyse their security logs. The other side of the same coin is that hiring and retaining good security operators can be a major challenge. With security spanning everything from the physical layer to the application layer, it is very difficult to find and keep suitable expertise in each area.
In the past, the recognition that an ambitious security roadmap can be a very expensive pursuit has left many a roadmap obsolete and un-actioned, and left companies vulnerable. In parallel, the allocation of budget has been hampered by a perception at board level that the threat is exaggerated, and by the trade-offs organisations face in identifying cost-effective protection that is proportionate to their risk. The net effect since 2010 has been that the threat has evolved much more rapidly than the typical ability to counter it, although the option to procure capability as a managed service has largely closed that gap.
Developing resilience must be firmly rooted in the needs of the business, and driven by a risk-informed assessment of the organisation, before defining an appropriate risk appetite, and thereafter a target ‘end-state’ that the resilience-building program will work towards. The role of an incident response capability is absolutely central to any advanced cyber defence concept. While good security requires acute awareness and preparedness, resilience requires the ability to detect, react, defend and recover, with minimal impact to the organisation.
Formulating an overarching strategy is therefore complex, as it requires the integration of many components, each with its own considerations, and an open intra-strategy ‘dialogue’ that coordinates and de-conflicts the different work streams. For example, decisions on investment in a Security Operations Center [SOC]; the extent and limits of ‘cloud’ use, outsourcing and hosted services; and whether to buy or build detection and response capability, will all have fundamental implications. In turn, those component decisions are likely to shape the definition of the overall approach.
If there is a disjoint at any stage from conception to implementation, there is every chance that an organisation will not identify an achievable objective; the outcome will not address the problem; and the organisation will not support the solution. So, not only is the journey an expensive one, but it is complex and prone to failure because developing and maintaining capability and a high state of readiness is very management intensive, and is typically a long process.
The more straightforward route is now to outsource many services, in particular monitoring, detection and response, to a remote provider of Managed Security Services [MSS]. The advantages of doing so are clear for several reasons. Firstly, the MSS provider will lead the firm through the process of assessment and evaluation, so that expert input from the start ensures the right diagnostic process. In doing so, a hierarchy of imperatives for establishing the correct posture is agreed, followed by the customisation of a solution that fills the gaps in technology, procedures and people. Typically this combines SIEM-as-a-Service and SOC-as-a-Service with the associated threat intelligence, threat hunting and forensic analysis capabilities that would be required. The essence of the customisation is to align client needs with the budget, which can be a small fraction of the cost of a self-build.
While most businesses are expected to continually improve their awareness of cyber threats, and many may set suitable risk management objectives, this progress is counteracted by the lack of focus on developing more effective resilience management processes, and measures that will establish and ‘mature’ their levels of capability.
Inadequate risk governance is often central to the current weaknesses of most companies, and changing attitudes to security investment is central to building greater resilience. Many of the roots of current vulnerabilities lie in investment decisions taken over the past several years. Critically, short-sighted management decisions still have the potential to compound risks and vulnerabilities to the organisation in the way it invests in capabilities to detect a potential crisis, to respond to cyber events, and to define a strategy for a more resilient posture against ‘real world’ cyber risks.
By focusing attention on the true objectives of developing resilience and effective preparation, and by encouraging a more informed approach to dealing with uncertainty, organisations can develop a more balanced stance towards a broad range of cyber risks. A managed security service provider can then fill both capability gaps and capacity gaps, affordably.