CEO Insight discusses how companies can manage their exposure to security threats, with Steve Durbin, Managing Director of the Information Security Forum (ISF)
CEO Insight: Cybersecurity poses a huge challenge to businesses and managing the risk is vital for companies to deliver their policies and objectives effectively. The Information Security Forum (ISF) and the National Institute of Standards and Technology (NIST) are partnering in a pilot project to create Online Informative References between information security standards and the NIST Cybersecurity Framework. Can you tell CEO Insight more about this partnership and how it will benefit businesses?
Steve Durbin: We have been working with NIST as part of a pilot project to create Online Informative References (OLIRs) between information security standards and the NIST Cybersecurity Framework (CSF). As part of this pilot scheme, we produced an OLIR between the ISF’s Standard of Good Practice for Information Security 2018 (The Standard) and the NIST CSF Version 1.1. This latest update provides security professionals with assurance of how applying The Standard meets the expectations of the CSF, as with other international and industry standards and frameworks.
The Standard addresses the rapid pace at which threats and risks evolve and an organisation’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, insider threats and espionage. The Standard is used widely across the ISF membership which consists of many of the leading Fortune and Forbes global companies. While the Standard has been designed with large organisations in mind, it is equally applicable to individual business units as well as small to medium-sized businesses (SMBs).
The ISF maintains both an Informative Reference and a detailed cross-reference between the CSF and the Standard. Organisations can use these reference documents to determine which of their current security controls satisfy the corresponding cybersecurity activities in the CSF, and thus demonstrate their alignment. Using this Informative Reference – together with the CSF and the Standard – enables businesses to effectively demonstrate to stakeholders the progress that has been made in establishing a resilient cybersecurity program across the organisation.
CEO Insight: The rapid growth of the internet has resulted in a huge increase in cyber-attacks worldwide. Reflecting this increase, the global security analytics market was valued at $2.92 billion last year and is expected to reach $5.4 billion in 2024. With reference to the high-level security alert, how important is it for Boards and CISOs to engage successfully, making cyber a strategic issue, and how does this engagement impact on an organisation's ability to take advantage of the opportunities presented by cyberspace while also addressing the associated risk?
Steve Durbin: Digital transformation is now top of the challenge list for many businesses and operating in the digital world is increasingly a matter for effective management of risk. The focus then needs to be on how being safe in cyber can drive organisational growth and development – understanding cyber risk and building in appropriate cybersecurity from the start are fundamental to success. This requires businesses to implement means of maintaining situational awareness and cyber resilience. This will mean increased monitoring and gathering of threat intelligence.
Overall, it will require businesses to respond to the challenge that cyber is not an IT or purely technical issue and that operating in the digital world is the new business as usual. This will also mean change to the way in which many businesses manage cyber risks and this change will need to be owned in, and driven from, the boardroom to ensure engagement and eventual ownership by business leaders of digital.
While good cyber-hygiene, IT security and operational risk management will continue to be core to being safe in the digital world, cyber is now a business issue and any mitigation and preparation for the risks of the digital world will fail without the buy-in and ownership of business leaders. The onus will fall on them to identify the critical business assets that must be protected and to make the protection of the organisation an integral part of their business strategy and implementation plans.
CEO Insight: The threat landscape has evolved dramatically in the last few years. Approaching 2020, what are the main cybersecurity trends and threats facing businesses, and how can a business ensure good cyber hygiene? How can IT security leaders prepare themselves and their systems for new kinds of attacks, and can you expand on the new approach known as human-centred security? What role can cyber security exercises play in this?
Steve Durbin: Over the coming years, a range of damaging threats will materialise. Vulnerabilities will be shared across interconnected systems, heightening the need for strong cyber hygiene, defences and resilience across the extended supply chain; malware attacks will be amplified by superfast networks; and critical infrastructure, IoT, businesses and citizens will all offer ripe targets for a wide range of attackers, from nation states aiming to cripple critical infrastructure to hackers spying on private networks.
In the past, organisations have traditionally relied on the effectiveness of technical security controls, instead of attempting to recognise why people are susceptible to mistakes and manipulation. A new approach is clearly required: one that helps organisations to understand and manage psychological vulnerabilities and adopts technology and controls that are designed with human behaviour in mind. That new approach is human-centred security.
Human-centred security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans ‘touch’ data throughout the working day, organisations can uncover the circumstances where psychological-related errors may lead to security incidents. For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed and scale. Understanding what triggers human error will help organisations make a step change in their approach to information security.
So, what can be done? I recommend that organisations identify key risks and threats to the business and/or industry area. Targeted scenario planning and training, such as table-top exercises or phishing campaigns, can then be tailored to improve responses to specific threats and enable employees to better react to stressful situations that may trigger cognitive biases.
CEO Insight: The world is becoming increasingly digitised, and organisations can no longer rely solely on reactive measures when it comes to cybercrime. With heightened global mistrust and rising geopolitical tensions, how can organisations and individuals be better prepared? Additionally, what does the security workforce of the future look like in the face of this evolving technology and AI?
Steve Durbin: Driven by demands for increased speed, automation and efficiency, organisations are facing a period of significant technological upheaval as they transition into a hyperconnected digital world. Supporting this world will be new, innovative technologies and business models that will create an illusion of stability, reliability and security. However, new and reenergised threats will compromise success and shatter that illusion.
The impact on security is significant as threats become more tailored, specific and potentially damaging. The increase of nation state sponsored attacks in particular will force a more collaborative approach to threat intelligence and threat response between public and private sector. In addition, the advent of AI and machine learning, and the very real ways that such systems can create a more challenging environment for attackers of all descriptions, may allow security professionals to redress the balance in favour of the defender.
When looking at AI, we must understand that true AI, as opposed to machine learning, is still in its infancy and we have seen a number of instances where AI has not produced the output or decisions that had been expected. If defensive AI systems are left entirely autonomous and have the power to force-cut connections to suspect devices or shut down critical applications, for example, then the impact of a mistake by the AI could well be greater than from a malicious external attack. Organisations cannot and should not rely entirely on AI – humans are still the most important piece of the InfoSec puzzle.
Organisations need to establish a series of strategic objectives that provide a foundation for building tomorrow’s security workforce. With clear direction and leveraging fundamental HR concepts, organisations can develop an approach that formalises the structure of the security workforce, harnessing the appropriate talent and skills to achieve the organisation’s security objectives.
As the security workforce matures, embracing the vast amounts of untapped talent with the right aptitude, attitude and experience, the exaggerated myth of a future global security workforce shortage will be debunked. A robust security workforce will also enable organisations to effectively manage future workforce challenges, such as automation, role and functional amalgamation and outsourcing. Our members are already demonstrating success, building tomorrow’s security workforce with the necessary skills and expertise, developing and retaining employees in a progressive and engaging environment.
A sustainable security workforce is essential if the information security function is to become a partner to the business and effectively manage the increasing security burden.
CEO Insight: The ISF hosted its Annual World Congress in Dublin, Ireland on October 26-29. Over 1,000 cyber security experts attended, discussing the key security challenges and opportunities that organisations are facing. Can you let CEO Insight readers in on the key discussions and findings?
Steve Durbin: Our 30th Annual World Congress featured a series of keynote presentations, workshops and networking sessions from the world's leading international security experts. These experts discussed the key challenges and opportunities that ISF member companies and businesses will face in the years to come. Topics included: cyber security in the boardroom, Threat Horizon 2022 (due out in March 2020), managing risk and providing assurance, and human-centred security. ISF Member-led sessions provided guidance on the latest ISF Tools Suite, including Information Risk Assessment Methodology 2 (IRAM2), Quantitative Information Risk Analysis (QIRA) and the latest ISF research.
Once again, the topic of cyber security in the boardroom was of great interest to attendees. As we continue to note, an organisation's board would be very foolish today to say that it had no interest in understanding the company's security posture and what steps were being taken to protect its critical assets. We live in a world of increasing regulation and legislation with punitive financial penalties for negligent loss of data, in an environment where barely a day goes by without another breach being reported. The board has a duty of care to ensure that it both understands the risks the company is operating under and has clearly articulated a risk posture that is understood across the company. Measuring performance and conformance should be key agenda items at board meetings, and indeed are for responsible boards today.
CEO Insight: The ISF is the world’s leading authority on cyber, information security and risk management. What can we expect from the organisation in the new decade?
Steve Durbin: The ISF serves both our global member organisations and the broader information security community. Working with organisations from the Fortune and Forbes to mid-size, from government to academia, the ISF delivers valuable, independent and actionable insight resulting in a growing membership and sought-after perspective and services from members and non-members alike.
Over the coming years, the ISF's position as a global leader in the field of information security and risk management will be ever more important as business leaders turn to independent organisations such as the ISF for advice and guidance on cyber issues across the enterprise. Positioning the organisation for sustainable long-term growth with agility and flexibility, and building on the sustained investment in our members and staff, are also key initiatives for me and my team. This will allow the organisation to continue to be seen as a thought leader in the information security industry worldwide.
Last, but most certainly not least, the ISF people will determine the success of our business. In a competitive market, our people are our key differentiator. Over the coming years, we plan to substantially grow our workforce and this will mean having to put in place attraction and retention programs that continue to be world class to ensure that our people remain one of the primary reasons members join the ISF and continue to work with us to address their evolving information security and risk needs.
For more information: www.securityforum.org