Cyber Security Awareness Month // 2020
Among Information Security professionals, the month of October is commonly known as Cyber Security Awareness Month. In the US, for example, it is commonly referred to as NCSAM, which is short for National Cyber Security Awareness Month.
Cyber Security Awareness Month is a global initiative to raise awareness of emerging cyber threats and of the best practices to defend against them. The focus is on educating the public and the private sector on how to tackle cybersecurity challenges within fast-evolving and highly dynamic/scalable digital (and smart) ecosystems.
Cyber Security is promoted at an impressive rate during October, with several awareness campaigns taking place. Typically, these campaigns focus on giving advice around having best-in-class practices when it comes to Cyber Security, sharing thoughts around minimising exposure to unnecessary risk(s) and an attempt to communicate the benefits of having a well-defined Cyber Resiliency strategy in place. Most of the time, the discussions around defence-in-depth tend to spawn recommendations around different cyber products and services that might further help/strengthen an organisation’s security practice.
Despite how beneficial it is to have all of the aforementioned inputs and discussions, it is paramount to have a clear understanding of how to execute a cybersecurity programme holistically, both horizontally and vertically. Cybersecurity is everyone’s responsibility within any organisation, irrespective of its size, third-party collaborations, and liability shifts.
The five steps to cybersecurity from an executive perspective
There are five steps to approaching cybersecurity from a holistic and executive perspective, which are discussed below. These steps should be taken by each and every organisation to adequately assess:
How well they have adapted to the modern era of cybersecurity requirements, and
What is their overall cybersecurity posture/maturity (at any given moment in time)
The five steps build upon each other in order to allow decision makers and thought leaders to re-examine, re-evaluate and future-proof their cybersecurity initiatives, implementation, and execution.
Step 1) Hiring talent. Many organisations nowadays post job advertisements and claim that they are actively hiring talent. Very few companies, however, have reviewed, updated and redefined their hiring processes to enable this. This has spawned many interesting debates about whether there is indeed a skills shortage within cybersecurity or rather a failure to identify the right skillsets for the right roles.
Depending on the industry/sector an organisation is operating within, the HR department has a mandate and the responsibility to be in a position to accommodate the modern and up-to-date requirements for hiring talent. These requirements, of course, should be in alignment, in agreement, and in coordination with the different hiring verticals, especially when there is a need to think outside the box and innovate. The process of hiring talent (while exploring different backgrounds and skillsets) is highly dependent on being able to identify which candidates fall under this category. HR must understand and document prospective talent specialisations, previous experience, valuable skillsets, and personality traits and attributes. Also, they must correlate current openings with evaluated talent career aspirations.
Step 2) Cybersecurity culture. Diversity and inclusion are capable of building strong teams full of new ideas. At the same time, there is a need to understand that each employee’s background, work environment, and personal experiences can be very different. As such, these factors are the ones that shape how employees perceive security from different standpoints. In other words, the security mindset across an organisation is crucial and very difficult to shape if not given the necessary attention, education, and opportunities to develop further. One of the most important tools available is providing opportunities to develop communication skills further, using the appropriate language, irrespective of whether the communication is horizontal and/or vertical. Communication is a core element of the human aspect of cybersecurity, while at the same time it is highly dependent on tangible survivability attributes that need to be always considered and further developed, such as:
Awareness, using any relevant bespoke training
Safeguarding against social engineering attacks
Knowing the different types of phishing efforts
Understanding deception techniques
Defending against the exploitation of human curiosity
Step 3) Industry/Sector-specific cyber security challenges. There is no silver bullet when it comes to security, which also means there is no one-size-fits-all solution. Different solutions should be examined, considered and evaluated under a different cyber-lens and deployed (and fine-tuned accordingly) depending on the industry/sector an organisation is operating within. In this modern era of a fast-evolving threat landscape, a seasoned information security professional leading a cybersecurity practice is expected to:
Be fully aware of the industry/sector-specific cyber-threats
Have threat intelligence inputs across all mission-critical systems
Handle emerging weaknesses among business-critical systems
Keep in mind that a balance between business acumen, soft skills, and technical abilities is essential for security practice leads, especially when they have accepted the responsibility (including the legal obligation) to drive and navigate a whole organisation’s cybersecurity strategy. Cybersecurity challenges can only be effectively and adequately tackled when there is visibility, preparation, readiness, informed decisions, proactive planning and a security-oriented mindset.
Step 4) Asking the right questions. Cybersecurity initiatives can only be supported when asking the key, and most importantly, the difficult questions. Usually, these questions remain within the sphere of IT and its derivatives, while one of the most important lessons learned is that cybersecurity applies to all aspects of any organisation. For example, consider the following questions:
What is the current holistic security posture of the organisation (including outstanding high risks) and its overall cyber-risk exposure, and how is it performing when compared against peers?
What is the current state of readiness in responding to emerging threats and different types of security incidents? What are the current capabilities to identify, protect, detect, respond and recover, including containment when/if necessary?
What is considered 'Best Practice' when it comes to defending against cyber-related threats (internal and external, intentional and unintentional)?
What financial investment is currently needed (if any) in order to have in place an actionable Business Continuity Plan (BCP) that is not only well-defined but also robust and mature across all business functions?
What are the current gaps in cybersecurity and compliance across the different teams and Business Units beyond IT systems, such as, but not limited to, human capital, legal, marketing, communications, physical security, cybersecurity culture/training, etc.?
Taking this a step further, consider for a moment what a list would look like when compiled with the ten most important questions the legal department needs to answer when it comes to cybersecurity. It is not a straightforward task, but it is indeed a mandatory task, especially when these questions need to be bespoke to address potential gaps within the context of the organisation.
Step 5) Trust, but verify. Building upon the previous four steps, there is a need to understand that:
(cyber)security is a “game” of trust
What is meant by that is that there is a plethora of dynamics to be taken into consideration, such as, but not limited to, risk tolerance, risk appetite, budget limitations, emerging cyber threats, a fast-evolving threat landscape, compliance and legal aspects, and several human-driven factors.
Whatever the structure and the approach, there is one important factor that no organisation should fall short in considering: ensuring there are no conflicts of interest. Despite how things have changed and progressed nowadays, numerous organisations still insist on Information Security being part of (or even under) IT. At the same time, there is confusion around the need for and role of an IT Security function, the focus, reach and responsibilities of internal audit, why a CISO cannot also be the DPO, to whom the information security and cyber security practice reports, and what processes need to be in place and followed in order to independently verify that there is no wrongdoing or ill intention. All involved parties have a responsibility to act in the best interest of the organisation and to actively demonstrate the results of Management’s investment and commitment (buy-in/trust) in cybersecurity.
‘Security’ (Information Security, Cyber Security, Application Security, etc.) is the enabler for evolving and scaling up (i.e. an asset, a service, a business, a Digital Ecosystem, etc.) in a secure manner, while minimising the risk of it being affected at an irrecoverable level.
To conclude, all teams within an organisation need to see the value of conducting any appropriate assessment(s) necessary, without perceiving this as someone marking their work, but rather as an opportunity to identify unknown risks and become better for the good of the whole organisation. In other words, the more seriously cybersecurity is taken across an entire organisation (in all its aspects), the more jobs are protected, and inevitably, more jobs are created as the organisation scales up and grows in a secure manner.
Conclusions and next steps
Each of the aforementioned steps is composed of several security initiatives that need to be a) already in place, b) introduced, or c) even planned for the near future. In the same way, the UAE IA Standards assessment provides an entity’s scorecard against security initiatives and overall compliance.
The idea behind this five-step high-level approach is to provide decision makers with the necessary food for thought around cybersecurity from an executive perspective. In addition, given that it is cybersecurity awareness month, it is indeed a great opportunity to share this article among colleagues and peers, in order to spawn interesting conversations around perceptions, perspectives, and initiatives. Hopefully, the discussed five-step approach will act as a lever for driving a 360-degree approach in cybersecurity thought leadership.
At Digital14, we are always happy to discuss further and have thought-provoking session(s) with you in person regarding the above. Do not hesitate to reach out to Cyber Advisory Services and, more specifically, to engage now. Let’s have a discussion today around any challenges your organisation is facing and bring our proven expertise into the way you are driving your decision-making processes.