Main content

Cyber resilience - how to achieve it when most businesses – and CISOs – don’t care

Chris Middleton Profile picture for user cmiddleton June 26, 2024
Summary:
Who can we turn to when new research reveals that most CISOs see risk as more attractive than protecting the business from attack?

shrug

First, the good news. Nearly two-thirds (65%) of Chief Information Security Officers (CISOs) now describe their main task as improving business resilience, rather than managing cyber risk or security in the traditional sense. That’s according to a new survey from cloud network security provider Netskope.

The research comes as yet more high-profile incursions have alarmed the world’s media, such as the ransomware attacks on American retailer Neiman Marcus, jeans brand Levi Strauss, Indonesia’s national data centre, and on the US Federal Reserve Board. In the latter case, 33 terabytes of data on US banks, citizens, and businesses are reportedly under threat of being leaked, or sold online, by the LockBit gang, which claimed responsibility this week. However, the data appears to come from the Evolve Bank, and not the Reserve.

In that light, the Netskope research reveals some intriguing findings. For example, just 36% of CISOs see themselves as playing a ‘protector’ security role, defending the organization from hostile attack. By contrast, 59% of CISOs now believe themselves to be ‘business enablers’, with over two-thirds (67%) saying they want to play a more active role in the enterprise moving forward. Indeed, they wish they could say “yes” to the business more often, found the survey.

All this is very on trend for senior managers, who increasingly fancy themselves as strategic thinkers rather than operational 'doers'. But at the core of the research is a truly odd finding in the broader context of cyber and information security: well over half (57%) of the 1,000-plus CISOs interviewed – in North America, the UK, Japan, France and Germany – say that their appetite for risk has increased.

So, what’s behind a statistic that many people will find alarming – one which suggests that risk-taking is now more attractive to security specialists than defending the business? Is security fast becoming yet another industry like banking, where many professionals prefer the idea of becoming high-octane gamblers to doing something worthy but dull for a living?

Questions over the thrill of risk-taking aside – perhaps frustrated CISOs should take up skydiving or free-climbing rather than gambling with other people’s data – some answers to why resilience is taking precedence over security as found in my previous two analyses: my interview with Splunk Chief Technical Advisor Mark Woods, and my first report on last week’s Westminster cyber resilience policy eForum.

To recap, while there may be examples of basic security protocols being ignored – remember the countless hacks a few years ago that found personal data stored ‘unsalted’ on cloud platforms? – the threat landscape has become so extreme and complex this decade that a focus on business recovery, continuity, and enablement is the only sane response. 

That’s especially true in an age in which AI-generated deep fakes, disinformation, and phishing attacks may render even communications from our friends and business partners untrustworthy.

Educating staff about risk and encouraging no-blame breach reporting are essential, therefore – rather than the culture of victim-shaming that still dominates the media. After all, if organizations such as national data centres and the US Federal Reserve can be breached, then anyone can. The question then becomes what to do about it without locking down the business and repelling allcomers – including customers, perhaps.

Security’s groundhog day

That said, there are problems with many security policies, according to speakers at last week’s cyber resilience eForum. For one, most companies don’t care about security at all (more on that later). And for another, some organizations seem to make the same mistakes again and again – errors that appear ingrained in many business cultures and management teams.

Take Britain’s Ministry of Defence – at least, according to George Bathurst, Cybersecurity Consultant with UK security-by-design specialist, Bee.net (.co.uk, and not the Delaware company of the same name).

Speaking on the record but not naming specifics, he said:

Imagine it's 2021 and we're still in lockdown, and the Ministry of Defence has done an audit on its accreditation – strong policies that say everything's got to be improved. But when they audit themselves, they discover that some critical national infrastructure – things that defend the whole of the UK and also support the NHS and other things – simply don't work. And some elements of that critical national infrastructure can be trivially hacked.

They knew they had problems, so I was brought in to try and help address them. One project we worked on was a big network, costing taxpayers over a billion pounds. They used to run this network on BT, but they didn't like BT – because it was expensive, and there were lots of security costs. So, they moved to Fujitsu and spent a huge amount of money on projects there.

But then they discovered that [the specific Fujitsu system] was built on top of BT and was actually just a virtual network. So now they had an even more insecure network than before. And when I was there, there were about to repeat that mistake [with another supplier].

So, organizations should ask themselves some serious, searching questions about why they are driven to keep doing the same thing over and over again – while spending millions of dollars in the process. As Bathurst put it:

Why isn't security by design built in at the beginning of these projects, which are driving people to make the wrong decisions – decisions that nobody wants? Nobody wants to leave us open to attack. And nobody wants our national health infrastructure, for example, to collapse at a critical moment during a pandemic.

Indeed. But at this point, we should remind ourselves that, despite that valuable exercise, both the Ministry of Defence and the NHS have been hacked and/or subjected to ransomware attacks this year. In the first case, via a payroll system, which exposed personal data on thousands of staff, and in the second, via a private pathology lab. The latter incursion revealed patient blood-test data, leading to several NHS hospitals postponing operations and reverting to paper records.

So, the lesson here is that, while security by design is essential for critical national infrastructure, resilience in the networked, cloud-enabled age must acknowledge that countless other systems, both upstream and downstream, feed into those critical ones.

That includes back-office functions and systems managed by partners in the wider supply chain. Indeed, those systems may rely on the same core data as others, or allow attackers access privileges into networks that are of national importance.

That aside, Bathurst made another controversial point:

My speciality is at the macro level, helping organizations to fix their problems, and asking why they are not addressing risks effectively. And, what is driving them towards the wrong solutions. Sometimes the answer is a lack of laws [he was referring to rules rather than legislation]. But more often, those laws actually drive the wrong behaviour.

What did he mean by that? He said:

In the MoD, for example, we had brilliant rules, but they were driving people towards a tick-box culture, in which they were actually becoming less secure as a result.

So, what I've been doing is teaching organizations how to use risk management in a positive way, and start to embed it at system level – so you get things built securely by design. And also at the management level, so managers start asking the right questions and rewarding the right behaviours.

Fair enough. However, another speaker alleged that most organizations don’t care about cybersecurity at all. Jessica Figueras is co-founder of board-level cyber-governance organization CxB, and CEO of UK-based security provider Pionen. She said:

Observation number one: most organizations, sadly, don't care about cybersecurity. I hate to say it, but most organizations only care about the thing that they do, which is making money – making profits in the private sector or, for charities, delivering services to their beneficiaries. 

The leaders of any organization have very limited time, frankly, to think about anything else, and cybersecurity is just not a priority.

Ouch. But her point was not solely about some endemic culture of laissez-faire. She explained:

Of course, some organisations do understand the role and importance of cybersecurity, but they tend to be in sectors which are already highly risk conscious – because they deal with safety or, equally, have large sums of money at risk. And those are typically highly regulated organizations.

But it's important to put into context what a tiny part of the UK economy those organizations actually are. Out of a total of 5.6 million companies in the UK [figures confirmed by the government], only about a quarter employ anybody at all. And most of those employ less than 10 people.

So, let's remember that SMEs are most of the economy. And probably well under half of one percent might be considered big and capable enough to mount a considered response to cybersecurity risks. But even so, those organizations still get hit.

This is an excellent point, and one that is not made often enough. While the government tends to busy itself with appeasing the interests of large enterprises, its own figures reveal that a staggering 99.9% of all UK companies [roughly 5.59 million] are SMEs – with most firmly at the ‘S’ end of the spectrum. The old adage that Britain is a nation of shopkeepers has more than a grain of truth: nearly every firm in the country is a small business.

But what has all this got to do with cyber resilience?

The answer is that any number of those limited companies, partnerships, or sole traders may be part of the networked supply chain for much larger enterprises, including for critical infrastructure.

And that means that an overwhelming amount of risk exists in the supplier market, given that most SMEs will have little in the way of a security infrastructure – beyond the firewall on their laptop and the Spam filter on their email, plus whatever public cloud platform or shared server underpins their Web presence.

Figueras rammed home her point:

The majority of businesses and not-for-profit organizations in the UK simply do not have the capability to get to grips with cybersecurity in any meaningful way. They don't have any dedicated staff, and they don't have a budget to spend on solutions.

So, reaching those organizations [with positive messages about risk management and security] should be our priority. That will make a significant difference to the UK’s cyber resilience.

She continued:

My second observation is, we're looking to raise awareness and encourage businesses right across the British economy to invest in cyber resilience. But unfortunately, today's cyber resilience conversation – our national conversation – is not nearly inclusive enough.

Diversity is critical, but also confidence and inclusivity in language. She explained:

Larger organizations with dedicated security teams sometimes can't communicate in non-technical language. So, there's a difficulty in marrying what's happening on the ground, in terms of the cyber response, with what's happening at board level. And that reduces the effectiveness of any resilience policy.

I hate to say it, but vendor marketing is a real problem. And of course, vendors’ modus operandi is to present a particular technical solution […], which really skews perceptions. Particularly where you have lots of VC and private-equity money being thrown at a flavour-of-the-month solution. All of this makes it much harder for non-technical business leaders to make informed decisions.

She added:

Plus, of course, this conversation is very news driven too, it's full of intrigue and drama. But that feeds the belief that you can't take part at all – unless you're an insider with access to specialist information.

But [resilience] is a business activity, not a technical one. It's about understanding the big picture. It's about having really good lines of communication, right down to every member of staff across the business. And it's about prioritising the allocation of resources. 

Boards are often very good at governance, and at strategic risk management, but cybersecurity is often the blind spot. And I'm afraid that situation is going to persist until we have a more constructive national conversation about cybersecurity.

One which stops feeding that atmosphere of fear and intrigue, and instead focuses on the business issues and practical actions that we can take today.

My take

A provocative session which had the added advantage of new research acting as a counterbalance to the eForum’s speakers. Either way, one thing is clear: the time to rethink security so it embraces everyone – especially the majority of non-specialist SMEs – is now. And it is long overdue. Resilience offers the right path into that vital discussion.

Loading
A grey colored placeholder image