Beginning a more mature conversation about cybersecurity

No system is invulnerable to breaches. So how can businesses withstand any storm and thrive regardless of a threatening landscape? Creating institutional cyber-resilience is ultimately more important than any other measure a company can employ.


This is a contributed article by Kanwar Loyal, Regional Sales Director, UKI at CrowdStrike

Ransomware is rife. Attacks are becoming increasingly sophisticated, sometimes planned over months or longer, or burrowing deep into trusted components. Millions of working identities and passwords can be found on the Dark Web. New vulnerabilities in operating systems and applications are discovered continually. And while software vendors and the development community are, of course, normally very vigilant, it would be unwise to assume any connected device is entirely protected.

Given an undiscovered chink in the company’s armour, together with luck, skill and determination on the part of adversaries, no system is invulnerable to breaches, no matter what technology is in place. This might seem a bleak prognosis, especially from a cybersecurity provider, but it’s factually accurate, and recognition of the fact is required for companies to develop the resilience they will need to withstand this perfect storm of hazards.

As professionals in cybersecurity, we should not be thinking about instilling fear in our customers — though that remains a popular marketing tactic in the industry — but rather about enablement. How can we help ensure that businesses can withstand any storm and thrive regardless of a threatening landscape? While with cybersecurity, like everything else, prevention is better than a cure, developing a cure or effective treatment is eminently sensible regardless.

Creating institutional cyber-resilience is ultimately more important than any other measure a company can employ. There’s no shame in being breached: as we’ve discussed, that’s part of the nature of IT and the world we live in. Where there might be questions is if there’s no plan in place for responding to and recovering from that breach, or if the plan is not actionable because the necessary pieces aren’t in place. There’s less emphasis on technology, miracle products and three-letter acronyms in this approach to cybersecurity, but more on ideas like a journey towards preparedness, the outcomes we wish to achieve, and the programs (in the sense of organisational initiatives, rather than computer software) that will help deliver those outcomes.

Roots of resilience

Thoughts around the importance of establishing operational resilience have been gaining ground since the financial crisis of 2008, when it was established that many financial institutions had taken on more risk than they were able to cover. The resilience-driven reaction to that event has sought to create the opposite environment, one in which organisations have more checks, safeguards and back-up plans than the risk environment can possibly threaten. In the UK, the Financial Conduct Authority, the independent regulator for the country’s 48,000 businesses in the financial sector, issued new requirements for operational resilience in 2017, which will come into force in April 2022. These rules are intended to address any form of service disruption, and so are equally applicable to cyber-resilience as to the way businesses might respond to any other form of disruption, such as fires, pandemics or earthquakes.

The first step is to identify the business’s important services and establish levels of tolerance, or risk appetite for disruption to those services. How much disruption is tolerable, and in which areas, without it impacting the long-term future of the business?

This can be an interesting test for cybersecurity solutions: often security software adds extra load to the network and endpoints. In some cases, this can itself add a significant level of disruption, both while in operation and in terms of how long these tools take, and how disruptive they are, to deploy. When businesses start to look at avoiding and minimising disruption as their end goal, these more resource-heavy types of security software lose a lot of their appeal. This can be an argument in favour of cloud-based services, which do not create a measurable impact on existing network infrastructure.

The next step is to develop an understanding of how to identify, prioritise and invest in the business’s ability to respond to and recover from disruptions as quickly and effectively as possible. Again, the business needs to leverage a combination of people, processes and technology to develop, test and rehearse a range of disaster response and recovery plans, not just one component in this list. People need to establish the processes that allow technology to work.

This type of approach to security has considerably more long-term impact and speaks much more directly to the overall concerns of the business than traditional, rather short-termist and one-dimensional approaches that focus all efforts on protecting the perimeter and guarding against malware. Many organisations will be best-advised to seek external help because well-qualified and experienced security professionals are hard to find and, in any case, the objectivity and experience brought to establishing and testing these processes by a third-party can be a very powerful asset.

A maturity around cybersecurity topics, one that acknowledges the facts around risks, takes a level-headed approach to how businesses can live with those risks, and enables them to work through extremely difficult situations with confidence, is a future to be valued. These conversations have yet to start, though, for many organisations which have been mis-sold an idea of security that doesn’t really exist. The better news is that the sooner those conversations do begin, the sooner a more positive, enabled, confident future also starts.

Kanwar Loyal is the Regional Sales Director, UKI at CrowdStrike. Working in enterprise technology for over two decades, he is a seasoned business professional with a unique blend of extensive channel and enterprise sales management experience. At CrowdStrike he leads a team to build a world-class client experience, ensuring clients meet their goals with the best possible outcomes.