How do we quantify cyber risk management in today's ever-changing information technology environment?
THE WOODLANDS, TX -- When was the last time you considered your own role in cyber risk management? If you’re like most people, it probably started and ended with installing basic antivirus software; you might periodically get office-wide emails reminding you not to click on the links in suspected phishing emails; maybe you did click on that link and had to put up with the rigmarole of putting things right again.
Paul Cunningham wants to change that.
On September 20, Tech Mahindra, which provides information technology services and business process outsourcing to companies, and Maxxsure, a cyber risk quantification and management firm, partnered to host the second in a series of forums on cybersecurity in business. “As a result of this partnership, we are able to better serve our customers providing them with additional functionality to mitigate risks,” Larry Deckerhoff, AVP and Client Partner - Energy/Oil and Gas for Tech Mahindra, stated. According to its website, Tech Mahindra “represents the connected world, offering innovative and customer-centric information technology experiences enabling Enterprises, Associates and the Society to Rise™.” Partnering with Maxxsure proved beneficial for all involved.
Leading the forum was guest speaker Paul Cunningham, one of the leading cyber security experts in the world, who attended on his own behalf and offered his insight on the current information technology environment and his expertise on mitigating potential cyber security risks.
Mr. Cunningham served in the Navy for over 20 years as a mechanic, aviator, and safety officer among other roles. As a safety officer, Cunningham gained experience determining causal and contributing factors when things went wrong, performing root cause analysis, and developing training programs to decrease the risk of similar events. He also learned the importance of effective communication and operational risk management, reaching the conclusion that organizations face a critical need to change the way they view risk – especially concerning cyber.
After retiring from the Navy, Cunningham transitioned to the private sector. He saw this as an opportunity to look at the business side of risk management. Organizations, whether they’re private or public entities, “can’t simply spend [their] way out of things” without a plan that is both comprehensive and cost-effective. Private entities, Cunningham said, have a “fiduciary responsibility” to directors and stakeholders, which informs the way that spending on cybersecurity is managed. After working in the private sector for a number of years, Cunningham moved again into the public sector, this time for a string of federal agencies, where he married the perspectives he’d learned in the military and in private industry.
What all organizations need in their cybersecurity programs, public or private, is a shift in perspective, Cunningham said. When working for federal agencies and assessing how best to protect federal high-value assets, he began to consider how organizations can understand what is valuable to adversaries and which vulnerabilities they will try to exploit. How can risk management programs improve their systems to head off threats before they happen? IT typically tries its best to be proactive, but the team doesn’t necessarily have the tools to prioritize investment in and adoption of cybersecurity measures.
Federal programs have instead been driven by compliance. That focus began with the Federal Information Security Management Act of 2002 and continued through the Act’s update in 2014. Computer security, network security, then finally cybersecurity compliance followed the same processes for years, despite shifting technology and new vulnerabilities. “We were chasing the ball from goal post to goal post,” said Cunningham.
Organizations need to rethink how they approach the entire field of cybersecurity, starting with what kinds of data are collected and how those metrics are put into context. “If you have a fire department and you’re deciding how efficient they are based off of how many miles they drive or how many calls they go on, that doesn’t tell you about how they fought the fire or how efficient they were, or how quickly they got there.” Moreover, cybersecurity is an “all-hands evolution,” in Cunningham’s words; having the bulk of employees behaving unsafely and a small group of people walking around trying to put out the flames is costly and inefficient. “It’s not a defensive game alone,” stated David Holcomb, Chief Data and Analytics Officer with Maxxsure. “It isn’t me against my competition, it’s me against the bad guys. We can all get back to our core business and fight competition in the right arenas.”
“We’re at a major point in cybersecurity,” Cunningham said. As consumers demand more information, more quickly and more accurately (think of your Fitbit, smart water meter, or Amazon Echo), there are simply more vulnerable devices in everyone’s lives. Moreover, the adversarial landscape has changed: as the tools to exploit vulnerabilities become more accessible, the level of technical knowledge required to carry out a cyber-attack has plummeted. “We must monitor against benchmark, abnormalities, or known pattern, the only three things you ever monitor against, and at its simplest state can you ever deter that from being necessary,” Holcomb stated. “Think about being ahead of the game; being a little more on the offensive instead of always on the defensive and hoping you’ve detected everything that happens.”
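To make the three monitoring modes Holcomb names concrete, here is an added example (not from the forum, and not Maxxsure or Tech Mahindra code) that applies each of them to one constructed hour of authentication events: a fixed policy benchmark, a comparison against a historical baseline to spot abnormalities, and a signature match for a known pattern. The baseline counts, the per-source failure limit, the user-agent signatures and the log lines are all assumptions made for the illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: failed logins per hour over the previous day,
# assumed to represent normal operation (not real data).
BASELINE_FAILURES_PER_HOUR = [3, 2, 4, 3, 5, 2, 3, 4, 6, 5, 4, 3,
                              2, 3, 4, 5, 3, 2, 4, 3, 3, 2, 4, 3]

# Constructed events for the hour under review: a password spray from one
# source, a user mistyping a password, and a known scanner user-agent.
EVENTS = (
    [f"src=198.51.100.7 user=user{i:02d} result=fail ua=python-requests/2.31"
     for i in range(25)]
    + ["src=10.0.0.5 user=alice result=fail ua=Mozilla/5.0",
       "src=10.0.0.5 user=alice result=fail ua=Mozilla/5.0",
       "src=10.0.0.5 user=alice result=success ua=Mozilla/5.0",
       "src=203.0.113.9 user=admin result=success ua=sqlmap/1.7"]
)

# Hypothetical policy benchmark and signature list.
MAX_FAILURES_PER_SOURCE = 10
KNOWN_BAD_UA = {"sqlmap": "SQL injection scanner",
                "nikto": "web vulnerability scanner"}


def parse_event(line):
    """Turn 'key=value key=value ...' into a dict (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def check_benchmark(events, limit=MAX_FAILURES_PER_SOURCE):
    """Benchmark: a fixed limit set by policy. Returns sources over the limit."""
    failures = Counter(e["src"] for e in events if e["result"] == "fail")
    return {src: n for src, n in failures.items() if n > limit}


def check_abnormality(events, baseline=BASELINE_FAILURES_PER_HOUR, k=3.0):
    """Abnormality: compare this hour's failure count with the historical
    baseline; anything above mean + k * stdev is flagged, whatever policy says."""
    observed = sum(1 for e in events if e["result"] == "fail")
    threshold = mean(baseline) + k * pstdev(baseline)
    return {"observed": observed,
            "threshold": round(threshold, 2),
            "anomalous": observed > threshold}


def check_known_patterns(events, signatures=KNOWN_BAD_UA):
    """Known pattern: match user-agents against a signature list, regardless
    of how many events there are or whether the login succeeded."""
    hits = []
    for e in events:
        ua = e.get("ua", "").lower()
        for needle, label in signatures.items():
            if needle in ua:
                hits.append((e["src"], e["user"], label))
    return hits


def run_monitor(lines):
    """Run all three checks over raw log lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "benchmark": check_benchmark(events),
        "abnormality": check_abnormality(events),
        "known_pattern": check_known_patterns(events),
    }


if __name__ == "__main__":
    for name, finding in run_monitor(EVENTS).items():
        print(f"{name:14s} {finding}")
```

Each check catches something the others miss: the spraying source trips the fixed benchmark, the hour as a whole is abnormal against the baseline even though no single policy line says "27 failures is too many", and the sqlmap request matches a known pattern despite being a single successful login that neither count-based check would notice.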
Investing in security is key, but are we investing correctly? What are we doing about cybersecurity debt? We should be investing in the front end of security infrastructure and training, not just after things go wrong. Just because you haven't had a mishap does not mean you have a good safety program, and having had an incident does not mean you had a bad one. Look at the workforce as a whole; make sure there are on-ramps and training; get people prepared for today’s problems and not the problems we had five years ago.
Investments should be based on cost and value. Test your security and record the data so you can see where risk actually drops, painting a clearer picture of where investment and training are useful and have the most impact.
Understanding cybersecurity holistically and tying it in as a business value to your mission, your finances, your customer base and your reputation takes looking at more than just controls. Certainly with asset management, you have to know where your assets are. You have to have a means to reach out and update them, and resilience is critical. If something were to happen, do you know which system you’re going to bring up first to restore your ability to provide a service to your customers? If you’re not working that out in a calm environment, you don’t want to have to learn it when it’s actually happening.
Organizations must institute practices of better collaboration and information sharing to attain better cyber resilience. “So many new opportunities; the need for increased attention to risk management and cybersecurity is clear, and people are indeed paying attention,” Cunningham said. “The evidence is in this forum happening and attendance.”
“As Wayne Gretzky once said, ‘A good hockey player skates where the puck is; a great one skates where the puck is going to be,’” Cunningham stated, in reference to crafting a cyber risk management strategy that implements the optimal defensive measures while ensuring that tactical offensive strategy adapts rapidly to the ever-shifting threat landscape.
The lunch forum format has been such a success for Tech Mahindra and Maxxsure that several more forums are planned within the upcoming year for Tech Mahindra and its partners.