Steps towards cyber resilience

Unrelenting cyber-attacks orchestrated by highly organised cyber threat actors continue to expose the soft underbellies of several vital industries.

Recently, Colonial Pipeline Company — which carries 45% of the US East Coast’s supply of diesel, petrol and jet fuel — was forced to pay nearly $5 million in ransom after hackers unleashed a strain of ransomware that debilitated its computer network.

Unsurprisingly, most business leaders are now seeking deeper insight into their cyber resilience postures, knowing that a single breach could erode their stock performance and dent their legacies.

But despite this rising appetite, most executives and directors still find cyber security highly complex and the language numbing. Cyber security professionals continue to struggle to translate cyber security into clear business risk language.

Confirming this view, the recent ISACA State of Cybersecurity 2021 Survey revealed that the endemic shortage of soft skills (such as communication, flexibility, and leadership) poses the biggest cyber security challenge for organisations.

But this is not a counsel of despair. Based on my experience training cyber leaders from dozens of countries, there are three proven strategies business leaders can deploy to accelerate cyber transformation.

Fix toxic cultural issues

Most data breaches have their roots in poor cyber awareness or toxic corporate cultures, not technology malfunction.

For instance, if executives pay lip service to cyber security by underfunding cyber security budgets, signing contracts with poorly secured third parties, or exporting sensitive data to unsanctioned cloud environments, such toxic behaviour will also cascade down through the enterprise, opening backdoors for threat actors to exploit.

To cost effectively close their material cyber risks, executives must anchor their cyber resilience strategies to people, not technology.

Business leaders serve as important catalysts for cyber transformation by visibly role modelling exemplary behaviours and upholding cyber security policy requirements. Jeffrey Immelt, CEO of General Electric, agrees, “You can’t have a transformation without revamping the culture and the established ways of doing things.”

A logical starting point is establishing a cross-business cyber risk governance committee comprised of senior technology, risk, and business executives. These executives, charged with challenging adequacy of the cyber resilience capabilities against clearly articulated cyber risk appetite, must provide unwavering support to the CISO and consistently engage during governance meetings.

Additionally, this committee must ensure that the organisation maintains a delicate balance between digital trust and convenience, and that cybersecurity acts as a key business enabler, not an inhibitor of innovation or agility.

Business leaders must also promote psychological safety, where staff openly acknowledge mistakes, raise questions, or challenge tradition without fear of negative personal repercussions.

Business unit leaders also have an important role to play, publicly acknowledging cyber heroes within their departments — employees who demonstrate cyber behaviours that far exceed the norm. 

Prioritise crown jewels

According to McAfee, the average enterprise maintains a staggering 464 custom applications. Unfortunately, most organisations still adopt the one-size-fits-all cyber security strategy — applying the same level of protection across hundreds of digital assets, each of varying business significance.

This traditional approach not only wastes corporate resources but also diffuses the effectiveness of cyber security controls, leaving critical assets exposed to excessive levels of cyber risk.

To maximise the value of security investments, business leaders must adopt a differentiated security model that prioritises protecting their most valuable digital assets (crown jewels), a breach of which could undermine the enterprise’s bottom line, competitive advantage, reputation or even threaten its survival.

Examples of crown jewels include payment systems, inventions, board deliberations, trade secrets, proprietary formulas and processes, advanced research, software code, and corporate and pricing strategies.

The next phase includes deploying a set of non-negotiable cyber security controls. These essential measures — such as multi-factor authentication, segmented networks, and data encryption — make it substantially difficult for threat actors to breach high-value digital assets.

The list of non-negotiable cyber security controls must be determined based on business risk appetite, external obligations, and technical constraints. Done right, a highly focused cyber security strategy cost-effectively accelerates cyber resilience.

Validate cyber crisis response measures

No matter how good a cyber resilience framework is, it’s bound to get better if it is regularly tested and refined. Senior business leaders must ensure the organisation has a robust and validated cyber response plan that can be rapidly activated in the event of a data breach.

The cyber response plan must include detailed response measures for high-impact and plausible data cyber crisis scenarios, such as: A distributed denial of service attack that renders core systems inaccessible, core business applications debilitated by ransomware, or troves of personally identifiable customer data stolen and auctioned in the darknet.

Additionally, the cyber risk governance committee must conduct periodic cyber stress testing to build muscle memory and answer important questions, such as:

1. Does the organisation have up-to-date, tested, and offline backups to insulate the business in the event of a ransomware attack?

2. Who is authorised to communicate to staff, suppliers, regulators, the media, customers, the board, or other key stakeholders in the event of a data breach?

3. Has the organisation purchased cyber insurance to absorb direct and indirect data breach costs?

4. Which business functions are a priority if IT resources are significantly constrained by a cyber-attack?

Attempting to make these critical decisions during a cyber emergency can lead to significant missteps, conflicted messages, or internal squabbles, aggravating an already dire situation.

Granted, every enterprise is different — there is no universally right cyber security strategy.

That said, leading organisations actively resist the urge to eliminate every possible cyber threat and instead relentlessly focus on areas of the highest business value and greatest risk exposure.

Phil Zongo is chief executive officer of the Cyber Leadership Institute and author of The Five Anchors of Cyber Resilience. He is also a former director at ISACA Sydney Chapter.