[BreachExchange] How to turn Cybersecurity into a Business Asset

[Destry Winant]

https://www.infosecurity-magazine.com/opinions/how-cybersecurity-business-asset/

World-class organizations recognize that cybersecurity can, and
should, be a powerful enabler for business: they align their
cybersecurity strategy with corporate strategy, they support it with
the right culture and technology, they accurately measure its
performance, and they understand that performance in terms of business
value and return on investment.

What they don’t do is adopt an imprecise, one-size-fits-all approach
to cybersecurity that fails to properly mitigate the risks it claims
to address, like that imposed by the Investigatory Powers Act (IPA)
and the recent calls by Amber Rudd to outlaw strong encryption. These
high-cost, outdated sledgehammers that claim to regulate and improve
surveillance capabilities not only fail to improve security, they
erode the privacy and security of innocent citizens and businesses.

Organizations that want to turn cybersecurity into a business asset
can learn from the failings of successive Government attempts to
successfully legislate against cybersecurity risks. As I see it, there
are four key pillars of effective cybersecurity strategy that enables
a business to operate securely and successfully.

1. Make cybersecurity an integral part of corporate strategy

Successful organizations don’t think of cybersecurity as an IT issue:
they embrace it as a business risk requiring the same degree of
board-level attention as any other. They see the technology required
to secure information assets not as a drain on the business, but as a
means of supporting growth.

Cybersecurity is expensive and organizations can still be compromised
no matter how much they invest in it, but by working with senior
stakeholders across the business to clearly define specific risks and
then prioritizing them, an organization finds out exactly where to
target its spending. Security by design is the only sensible approach.

Organizations must also carefully consider the residual impact of
their security controls. Closing one risk may simply move the same
threat elsewhere. How encryption works is not confidential; to ensure
security and effectiveness, the math behind the common algorithms is
widely published for peer review. Amber Rudd’s call to simply ban apps
that provide strong end-to-end encryption would not prevent malicious
actors from downloading and compiling freely available open source
encryption libraries, or even writing their own implementations that
simply copy the publicly available math.

2. Establish a cybersecurity culture and capability to help drive
business success

There is no room for ivory towers in high-performing organizations:
cybersecurity is everyone’s responsibility. Initiatives such as
user-awareness training, helping non-IT employees to identify
potential threats and question insecure business processes while
encouraging technical staff to engage with their industry colleagues
helps develop internal security talent and foster a deeper
understanding of issues. It is also important to recognize that some
specific security demands may require specialist external expertise.

The role of the CISO is a strategic one. A CISO who is focused on
business strategy and senior stakeholder engagement will be able to
align technical solutions with business needs.

A world-class cybersecurity function comprises a highly capable,
experienced team that engenders a strong cybersecurity culture and
constantly seeks to better enable the business.

3. Focus on key technology areas

Industry-leading organizations are clear about what is required to
protect an IT-dependent business, especially those areas that present
the greatest risks alongside the greatest benefits.

They know how to enjoy the benefits of cloud services while
maintaining control over information assets. They can protect end-user
devices from targeted threats and control ‘bring your own device’
(BYOD) while allowing flexible ways of working.

Successful businesses rigorously monitor the IT estate to spot
vulnerabilities and potential breaches.

These businesses understand that good governance, supported by
effective cybersecurity investment, is paramount. It is poor
governance that puts security, freedom and commerce at stake – which
is exactly what the IPA did in its bid to govern the use of covert
techniques by public authorities.

4. Accurately assess cybersecurity performance

Not only did the IPA legislation, drafted for a different age and
threat landscape, demonstrate the pitfalls of failing to clearly
articulate the problem, it also proved woefully inadequate in terms of
measuring the success of the ‘solution’ it imposed.

Organizations must know precisely how effective their cybersecurity
is, which makes accurate measurement critical. Traditional measures of
accessing cybersecurity effectiveness are not good enough. The
historic ‘nothing happened’ approach doesn’t generate any useful
intelligence on which the board can base cybersecurity strategy, while
volume and compliance metrics only tell part of the story.

Combined, these can create a false sense of security that can be more
damaging than simply admitting to a lack of understanding of
effectiveness.

Knowing the number of viruses removed or spam emails blocked, or the
time taken to detect an indicator of compromise, only reveals how well
an organization reacts to threats. Simply complying with best-practice
cybersecurity control checklists is no guarantee against security
incidents.

Organizations must also look at metrics aligned to strategy:
evaluation of risk, their competence in predicting and defending
against attacks, and their ability to identify and remedy the root
causes of problems.

Including business metrics in the assessment gives the board a more
rounded understanding of cybersecurity performance. Measuring
cybersecurity incidents in terms of cost and impact to business
operations, and demonstrating where cybersecurity initiatives have
enhanced performance or prevented threats from manifesting, reveals
the business value of the strategy.

In terms of cybersecurity for business, the lessons of the IPA and the
current knee-jerk calls to ban encryption are clear: don’t waste huge
resources implementing a strategy that is neither fit for purpose nor
properly measured against the requirement. Getting cybersecurity right
is a job for experts, not amateurs.