Businesses need to categorize, prioritize and standardize their business requirements in terms of cybersecurity
The CISO is the person who is capable of taking business risks with the CRO and also able to discuss technology with the CIO. Thus, the onus in no small extent falls on the CISO to map cybersecurity risks to those of business.
Recently, one of the most prolific social media networks in the world, Twitter was hacked. Hackers who used what is called as a "coordinated social engineering attack" on some of the most high-profile accounts like Barrack Obama, Jeff Bezos, Elon Musk, Bill Gates, Mike Bloomberg, Kanye West and so on. The message was cryptic and short, "I am giving back to the community. All bitcoins sent to the address below will be sent back doubled. If you send USD1000, you will get USD2000. Only for 30 minutes."
Generally, this message should have alarmed the Twitterati, but some twits (pun intended) really fell for it and actually sent money on the link. In a quick jiffy, the scammers made up more than USD120,000 in untraceable bitcoin payments before the hack was revealed. The Twitter hack was an eye-opener of sorts. While, the hack was spectacular in the eye-balls it generated, but technically it was not very sophisticated. According to Twitter, the hackers were able to convince some of the company's employees to use internal systems and tools to access the accounts and help the hackers defraud users into sending them bitcoin. In short, it was nothing but an indiscretion of a few employees or more.
Companies like Twitter invest billions of dollars in security measures and technology, and yet, they are not invulnerable to cyber-attacks. This is the harsh reality of life, something that I have experienced first-hand in the security space. Generally, when categorizing risks that an organization faces, business ones are considered differently than the IT risks. The increasingly digital nature of businesses, the overlap between the two has been on the rise for the past many years. While cybersecurity is considered as a subset of IT risks, it now has a direct impact on the business. A compromised server or a hacked database is not merely an IT issue; it has a direct impact on the business.
Not only businesses but the hacks can also be costly to the economy. Back in 2013, a false tweet from a hacked account owned by the Associated Press (AP) stating that President Barrack Obama was injured in a bomb-attack, sent financial markets into a tailspin. According to experts, the Dow Jones Industrial Average dropped 143.5 points, and the Standard & Poor's 500 Index lost more than USD136 billion of its value in the seconds that immediately followed the post. One Tweet and USD136 billion were lost.
The COVID-crisis has only increased the vulnerabilities of the enterprises. With a majority of employees working from home, this is the most opportune time for hackers to exploit enterprise vulnerabilities. I recently chanced upon a piece of news information that since January-end to now, some 1200 new domains have been registered daily, that more than 5,00,000 domains. What could be the purpose of such a high number of domain registrations, if not for malicious attacks?
Evidently, hackers are taking an active interest in the current crisis and trying to benefit from it.
Mapping Cybersecurity to Business
The topic of cybersecurity must seem very pertinent in our current crisis. But, the fact remains; the issue has found much resonance in the corporate space in the past few years. The top management is keenly aware of the threats that are posed to the organizations and are pretty clued on it. There's hardly any board meeting that does not end with a discussion on the mitigations of cyber-threats. The increased awareness has coincided with the increasing threats that are posed by hackers. In the past, the attacks on corporates would be made by an individual or a group of them, and it would primarily be random. But not anymore, cybercrime is a whole industry in itself, with many dedicated firms working in the shadows to inflict financial damages. Most of the attacks that are conducted today are ransomware, derived from coercing the company into paying up. The most famous attack in that regards was the NotPetya in 2017, in which companies like Merck lost as much as USD1.3 Billion in damages resulting from the hack.
Little wonder then corporates are very conscious of any laxity that can result in an attack. Yet, many times companies miss the wood for the trees. In their pursuit of security, they are more focused on the technological aspect, investing in solutions and systems and not mapping them back to the business. Cybersecurity is a holistic issue that needs to be viewed on a broader level. A piece-meal approach to security, wherein, you safeguard different enterprise infrastructure at different times can be counterproductive. Companies need to understand that technology is not the end of cyber threats. Businesses need to categorize, prioritize and standardize their business requirements in terms of cybersecurity. The mantra to a good cybersecurity infrastructure is simple, "if you don't implement it in the right, it won't help you in any way."
There are times when businesses realize that adopting a new cybersecurity technology, either it is too early or not really the right fit for the organizational needs. The approach needs to shift from a tech-centric view to a more business-oriented one. And this is where the CISO comes into play.
Evolving Role of the CISO
Over the past decade or so, the role of the Chief Information Security Officer or CISO has undergone much change. The contours of the engagement for the CISO have dramatically changed. Earlier, the CISO was a technology-oriented profile that looked at the security aspect from a limited view. But not anymore, CISO is no more a tech guy; he or she is the one that maps technology and security together based on business requirement. The CISO is the second line of defense within an organization, the first being IT. Evaluating any new technology or solution is the purview of the IT function, CISO considers the fallout of each action, whether it will increase the cyber threats or not.
In many ways, the CISO is the bridge between two functions in the company: IT and risk. The CISO is the person who is capable of taking business risks with the CRO and also able to discuss technology with the CIO. Thus, the onus in no small extent falls on the CISO to map cybersecurity risks to those of business.
So what are the steps to map business risks and cyber threats? Here is a simple guide on how companies can go about doing that:
- Understand the business requirement to close the gap between the business and cyber risks: The first step is to understand the business functions and their needs and create a heatmap of the cyber risks that are faced by the business.
- Stop assuming and start measuring: Many times, within the company, certain things are assumed and hence taken for granted. For instance, if there is a patch that needs to be updated, the CISO will expect that the IT function would do it, and vice-a-versa. To avoid such type of confusion, it is vital to have a clear delineation of duties between the different stakeholders.
- Calibrate and automate: Companies need to realign their cybersecurity strategies to meet business requirements frequently. Ideally, one of the best ways to a secure scenario is to automate. Today there are many exciting solutions in AI and ML that can streamline the processes.
- Evaluate and implement the right security: Once the heatmap is ready, and all the calibrations are done, it is now time to evaluate and implement the right security solution.
- Create an actionable: Once all these processes are done, it is crucial to get everyone in the company on-board with the security infrastructure. Departments should not be working in silos. All the functions should come together in a cohesive mix.
This, in short, outlines how business and cybersecurity risks can be mapped. The threats that are facing enterprises are maturing and evolving every day, and so should our response. In the latest "2019 Internet Crime Report," the Federal Bureau of Investigation (FBI) has stated that the number of cybercrime complaints from both individuals and business organizations reached a staggering 467,361. The total cost of those reported crimes was even more mind-boggling: over USD3.5 billion.
With the way things are in 2020, the numbers will go up. My humble advice to all corporates and my colleagues is, simple; stay vigilant, stay safe.
The author is a renowned technologist and currently, the CISO at Future Generali India Life Insurance Co