Online predators are relentless and unforgiving. One slip-up, and your enterprise can be brought to its virtual knees. That’s why it’s not only important to build strong, resilient safeguards and practices, but to make sure that they’re working effectively. Failure definitely isn’t an option when it comes to cybersecurity. Keri Pearlson, executive director of cybersecurity at the MIT Sloan School of Management, believes that enterprise leaders must shift their focus from protection to resilience. “We need to assume the bad guys are going to be in our systems, find new ways to hack us, and continually innovate to reach their goals,” she explains.
While strong protection remains important, leaders also need to think about how their organization can absorb an attack, recover, and move forward. Pearlson envisions a future world in which an organization experiences an attack that results in zero damage to its systems, reputation, assets, organization, and supply chain. “In short, they are resilient.”
Pearlson advises organizations to build security skills, processes, and procedures in a way that will allow them to notice, stop, respond, recover, and improve. “Being resilient means having a dynamic approach to cybersecurity that continually adapts to changing conditions so that when an attack happens, organizational operations aren’t affected,” she says.
Kayla Underkoffler, lead security technologist at security services firm HackerOne, advocates greater use of coordinated vulnerability disclosure — the public disclosure of newly identified cybersecurity vulnerabilities. She notes that while the concept is already an accepted best practice, many organizations are still reluctant to step forward. “Remaining transparent and collaborative when disclosing patched vulnerabilities benefits not only the organization disclosing, but the security of the entire Internet,” Underkoffler says.
Only by acknowledging and sharing the vulnerabilities and mistakes that lead to breaches can security be improved for all organizations. One way to embrace transparency is by adopting a vulnerability disclosure program (VDP) that provides a plan for how vulnerabilities should be reported. “At its core, it’s a ‘see something, say something’ policy,” Underkoffler says. “This helps organizations coordinate with security researchers through clear guidelines and avoid premature or accidental publication of vulnerabilities that may still pose risks to an organization.”
Operations and Risk
Alisa Chestler, chair of the data protection, privacy, and cybersecurity team at law firm Baker Donelson, urges organizations to stop viewing security planning as a strictly cyber issue. She notes that protecting enterprise assets is actually an operations and risk issue that requires careful, detailed planning with the entire management team.
Limiting security planning to just the enterprise’s IT team completely misses the point and exposes the enterprise to significant risk, Chestler warns. “Failure to plan for a wide variety of potential actions and events that can befall the organization means the business is wholly unprepared for the range of events that can occur,” she states.
Chestler recommends creating a strong governance program, one that requires regularly scheduled management team meetings devoted solely to security issues. The team’s initial mission should be mapping risks and then working to mitigate vulnerabilities, she advises. Once an appropriate governance program is in place to review and analyze security issues with operations, IT, legal, and finance colleagues, an enterprise can begin to focus seriously on current and potential future threats, she explains.
One of the biggest barriers to implementing a working governance program is enterprise culture, particularly resistance from less-informed management team members. Chestler believes that winning management support for strong security governance can be achieved through persistent knowledge sharing. Continuing to present news about current cybersecurity events is one way to help management understand how critical their role is in the continued effort to reduce risks to the organization, especially as new threats evolve, she recommends.
Perhaps the biggest cybersecurity mistake an organization can make is becoming overconfident in its ability to respond successfully to today’s sophisticated, wide-ranging attacks. “Threat actors are constantly evolving their tactics and techniques to circumvent defenses,” explains Phil Quitugua, a director at technology research and advisory firm ISG. It’s impossible to be too alert and prepared.
Keeping pace with the threat landscape and performing regular assessments should be table stakes for enterprise cybersecurity. “A continuous improvement approach to cybersecurity is key to avoiding overconfidence,” Quitugua says.
Additionally, validating that security controls are behaving as expected should be a never-ending process. “Taking it a step further, the business should understand their overall resiliency capability through a cyber range exercise,” Quitugua advises.