Cybersecurity is an endless process of chasing and preventing known attacks; anticipating attacks; and monitoring, alerting, patching, remediating and implementing solutions. It is becoming a maintenance function that trails hackers and other bad actors.
Cyberresilience refers to the ability to constantly deliver intended outcomes despite negative cyberevents. It is keeping business intact through the ability to effectively restore normal operations in the areas of information systems, business functions and supply chain management. In simple terms, it is the return to a normal state.
Cyberresiliency is the ability to prevent, detect and correct any impact that incidents have on the information required to do business. Examples of the enterprise cyberresiliency goals are:
- Anticipate—Stay informed and ready to expect compromises from adversary attacks.
- Withstand—Continue the enterprise’s mission-critical business operations despite a successful attack by an adversary.
- Recover—Restore mission-critical business operations to pre-attack levels to the maximum extent possible.
- Evolve—Change missions/business functions and/or the supporting cybercapabilities to minimize adverse impacts from actual or predicted adversary attacks; change cybercapabilities for mission-critical business operations to minimize impacts from the actual or predicted adversary attacks.
Cyberresiliency has progressed to enable enterprises to withstand and rapidly recover from cyberattacks that have a criminal intent to induce harm, cripple and extort enterprises. Cyberresiliency is a board-level responsibility with high business content. It is based on initiatives under the auspices of corporate governance, enterprise cyberprograms and supply chain network.
The trend and severity of serious cyberbreaches underscore the fact that enterprises will face a serious breach with intent to harm. The organization and its board of directors (BoD) ought to, in anticipation of such an attack, plan how to withstand it, how to rapidly recover from it, and how to evolve to reengineer its business and cybersecurity processes.
It is the enterprise’s responsibility to evaluate and measure its current state of cyberresiliency and how to transform itself to strengthen its cyberenvironment to withstand serious cyberthreats.
A methodology was developed to build a cyberresiliency decision model (CRDM). It quantifies and compares the degree of impact of each proposed cyberresiliency initiative on any of the enterprise-stated goals and objectives and develops a road map to the containment of the threats.
Determining the portfolio of cyberresiliency investment and the realized value of such initiatives is highly correlated with an organization’s willingness to articulate the following:
- The risk of potential costs of security incidents that the enterprise is willing to bear
- The level of risk that the enterprise is willing to accept when running its business
- The enterprise’s recognition that investment in cyberresiliency ought to be mapped and prioritized to the desired outcome and types of threats.
Read Robert Putrus’ recent Journal article:
“Enterprise Transformation to Cyberresiliency,” ISACA Journal, volume 3, 2019.
In the past 5 years, the cybersecurity agenda has been raised and discussed in many forums because cyberattacks have been developed for various purposes, and the number of cybersecurity incidents and data breaches has increased dramatically every year. After major incidents around the world in the past few years, cyberattacks have had several impacts on public services, businesses and people, and have even led to accusations of cybercrime against other parties. Therefore, many countries, such as the United Kingdom, Germany, Estonia, Australia, Canada and Singapore, have developed and issued laws to address cybersecurity, covering national strategy, implementation guidelines and reporting. Generally, all cybersecurity acts focus on industries identified as critical infrastructure (CI) or critical information infrastructure (CII) of the nation, such as the national security, financial, telecommunication, public transportation and logistics, healthcare and energy sectors. These sectors are always the primary targets of cyberattacks and suffer the biggest business disruption or impact nationwide.
The Thai government will soon issue its first cybersecurity bill, which aims to raise the level of cybersecurity safeguards, minimize or control cyberrisk and create cyberresilience in CII organizations. According to the bill, the law will focus on incidents or crises affecting CII that have an impact on public services or could even cause death or injury, rather than on individual computer crimes or monitoring behavior on the Internet. The CII has been categorized into at least 7 groups: national security, public service, financial service, information technology and telecommunication, supply chain and logistics, public utility and energy, and healthcare.
The new cybersecurity agency created by the bill will be responsible for enforcement, cooperation with other regulators and international organizations, support, response to cyberincidents and regulation of the CII organizations. The law contains obligations and several penalties for noncompliance. In addition, the law details how CII can comply with it, drawing on the risk-based management concept and the 5 functions of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 1.1 (i.e., identify, protect, detect, respond, recover). Therefore, all CII enterprises now face the challenge of complying with the law and the forthcoming regulations that will provide more implementation details for the bill, especially for operational technology (OT) and public services. OT has long been claimed to run on closed networks (no external or Internet connection), while public services sometimes focus on the service and neglect security issues because of the service volume. These areas must be improved as fast as we can, using the NIST framework as the implementation guideline or other IT security standards, such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 or European Union Agency for Network and Information Security (ENISA) guidelines. Cybersecurity development or improvement in the organization must cover all aspects of people, process and technology.
Last but not least, for implementers and compliance professionals, ISACA has published Implementing the NIST Cybersecurity Framework to enable practitioners and enterprises to gain an understanding of the CSF and its implementation.
Read Nipon Nachin, Chatpong Tangmanee and Krerk Piromsopa’s recent Journal article:
“How to Increase Cybersecurity Awareness,” ISACA Journal, volume 2, 2019.
Organizations have diverse understandings of what digital security is and is not. As a consequence, they wrestle with who is responsible and who is accountable for digital security. This further complicates the question of whether the chief information security officer (CISO) position ought to be considered and instituted. CISO positions and responsibilities are greatly unsettled because digital security crosses many aspects of enterprise transactions, calling into question whether it is even possible to place boundaries on the responsibilities of the role.
Do organizations expect the CISO to be a technology wizard, business savvy or a hybrid of both? Do organizations expect the CISO to be the responsible and accountable person in securing the computing environment and informational assets in the enterprise? Should the CISO be part of the executive team, or should the role be confined within the IT group?
The subject of digital security within an organization creates a dilemma within the executive team with regard to defining the CISO role within the organization. Several key gaps can be identified between what senior management may want or expect from the cybersecurity function and how far-reaching the responsibility of the CISO role ought to be, and it is important to understand how to bridge and mitigate those gaps.
The CISO can be involved in a wide spectrum of responsibilities depending on the organization’s size and/or the lens the executive team looks through for digital security.
In my recent Journal article, I describe several gaps in how CISO professionals perceive their role and what experience is expected of them. The following are a few critical gaps:
- Gap 1: Should the CISO transform from having technical focus to a business focus?
- Gap 2: To whom should the CISO report?
- Gap 3: How does the CISO justify a digital security portfolio?
- Gap 4: Do organizations fully understand digital security functions?
- Gap 5: Is the CISO an IT function?
- Gap 6: Do the cloud and mobility present challenges?
Since the CISO position is being promoted to report higher in the organization chart, a greater emphasis is being placed on the CISO role and the expected skill level of those filling the role. It has moved the skill of the CISO from technical implementer of technology to one of business focus and the ability to oversee digital security as a vital business unit to justify its relevance and demonstrate the return on investment to the enterprise’s bottom line.
Additionally, enterprises are evolving to become risk-based organizations. This requires transformation of the enterprise culture to a risk-based culture, where digital security is the responsibility of all the employees of the enterprise.
However, such cultural transformation has put greater pressure on the CISO to be a trusted advisor who operates as the integrator of the enterprise business units and a relationship builder. Digital security is becoming the bridge to integrate the enterprise products and services with the enterprise business functions.
Read Robert Putrus’ recent Journal article:
“The Role of the CISO and the Digital Security Landscape,” ISACA Journal, volume 2, 2019.
According to the Ponemon Institute/Accenture Ninth Annual Cost of Cybercrime Study, the number of cyberattacks each enterprise has seen has increased, and these incidents take more time to resolve while the cost of cybercrime continues to rise. In the last year, the report notes, there have been many stealthy, sophisticated and targeted cyberattacks against public and private sector organizations. Combined with the expanding threat landscape, organizations are seeing a steady rise in the number of security breaches—from 130 in 2017 to 145 in 2018. Indeed, there has been a 67% increase in the number of security breaches in the last 5 years.
At the same time, ISACA’s State of Cybersecurity 2019 Report—Current Trends in Workforce Development notes that technically proficient cybersecurity professionals continue to be in short supply and difficult to find. This fact is compounded when coupled with the realization that the greatest skill needed in the field is business acumen. Currently, the most-prized hire in a cybersecurity team is a technically proficient individual who also understands business operations and how cybersecurity fits into the greater needs of the enterprise.
So, what can be done? In my opinion, we in the audit profession need to step up. We have the required business skills, but we need to develop complementary cybersecurity auditing skills. I discuss how to perform a cybersecurity audit including the tools, training and resources that ISACA has made available in my recent ISACA® Journal column, “Auditing Cybersecurity.”
Read Ian Cooke’s recent Journal article:
“IS Audit Basics: Auditing Cybersecurity,” ISACA Journal, volume 2, 2019.
As a follow-up to our recent ISACA Journal article, “NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” we wanted to provide some additional thoughts on the password dictionary concepts. As our article suggests, organizations should place appropriate controls around the establishment and maintenance of the password dictionary. Under the passphrase approach advocated by the latest US National Institute of Standards and Technology (NIST) guidelines, the dictionary becomes the primary tool for enforcing complexity and uniqueness in user authentication credentials. As such, it is integral to ensuring secure access to IT resources.
With respect to initially establishing the password dictionary, it can be difficult to build a comprehensive and highly secure dictionary from scratch. Enterprises should remember:
- Open-source lists of bad and commonly used passwords are publicly available and may provide a sound starting place. Commercial services have spent considerable time and resources researching and compiling password dictionaries and may be worth the investment.
- Implementing a standard dictionary alone is not really enough. It would not include prohibitions specific to the organization and its context. Involve organization leaders and/or interested users in contributing names and terms associated with the organization, its brand image, close affiliations, products, lines of business and people. Be sure to block known (or suspect) compromised credentials and consider using the dictionary to also block use of employee-specific information (such as names and usernames).
It is important to note that a password dictionary should not be considered a “one-shot and done” task. Organizations and the environment they operate in are dynamic, and the password dictionary will become obsolete over time. Organizations should consider the following:
- Regularly refresh the standard dictionary as lists of bad and commonly used passwords evolve. Customized dictionaries of prohibited words and phrases need to be reevaluated, augmented, and updated periodically.
- If a breach occurs (or is suspected), the password dictionary should be quickly updated to prevent the potential use of compromised phrases.
Maintenance of the dictionary should become a routine and continuous process for the organization. Establish an appropriate owner of the dictionary maintenance process (for example, a leader in the IT security or compliance functions), and put controls in place to ensure periodic and ad-hoc maintenance of the dictionary. In highly sensitive applications, consider a periodic independent audit of the dictionary and its use. The organization needs assurance that the effectiveness and robustness of the dictionary does not erode over time.
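The dictionary described above is, in practice, a blocklist the authentication system consults at password creation and change time. The following is an added example (not from the article or its authors) of how such a check can be structured so that the standard list, the organization-specific terms, the compromised-phrase list and employee-specific information are all enforced through one code path. Every list entry, username and name below is a constructed sample; a real deployment loads the common and compromised lists from maintained sources and refreshes them on the schedule the article recommends.

```python
"""Password blocklist ("dictionary") check in the spirit of NIST SP 800-63B.

Added example; not the article's own code. All list contents and user data
below are constructed samples chosen to exercise each rule.
"""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a public "bad and commonly used passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome", "welcome1", "iloveyou"}

# Constructed organization-specific terms: brand, products, affiliates, sites.
ORG_TERMS = {"acmecorp", "acme", "widgetpro", "springfield"}

# Common character substitutions users apply to slip past a naive list.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8  # SP 800-63B minimum length for memorized secrets


@dataclass
class Dictionary:
    """The maintained artifact: three lists with different owners and refresh cycles."""
    common: set[str]
    org_terms: set[str]
    compromised: set[str] = field(default_factory=set)

    def refresh_common(self, new_list) -> None:
        """Periodic refresh as the public lists evolve."""
        self.common = {normalize(p) for p in new_list} | set(new_list)

    def add_compromised(self, phrases) -> None:
        """Breach response: block phrases seen in a (suspected) compromise."""
        self.compromised.update(normalize(p) for p in phrases)


def normalize(secret: str) -> str:
    """Canonical form for comparison: Unicode-normalize, casefold, drop the
    trailing digits/symbols users append ("Welcome1!", "Acme2019"), undo leet."""
    s = unicodedata.normalize("NFKC", secret).casefold()
    s = re.sub(r"[\d\W_]+$", "", s)
    return s.translate(LEET_MAP)


def user_specific_terms(username: str, full_name: str) -> set[str]:
    """Username and name parts that must not appear in the user's own password."""
    terms = {username.casefold()}
    terms.update(p.casefold() for p in re.split(r"\W+", full_name) if len(p) >= 3)
    return terms


def check_password(secret: str, username: str, full_name: str, d: Dictionary) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("too short")
    if re.fullmatch(r"(.)\1*", secret):
        reasons.append("repetitive characters")
    norm = normalize(secret)
    if norm in d.common or secret.casefold() in d.common:
        reasons.append("commonly used password")
    if norm in d.compromised:
        reasons.append("known compromised")
    for term in sorted(d.org_terms, key=len, reverse=True):
        if term in norm:
            reasons.append(f"contains organization term '{term}'")
            break
    for term in sorted(user_specific_terms(username, full_name), key=len, reverse=True):
        if term in norm:
            reasons.append(f"contains user-specific term '{term}'")
            break
    return reasons


# Module-level dictionary instance the authentication flow would consult.
DICT = Dictionary(common=set(COMMON_PASSWORDS), org_terms=set(ORG_TERMS))

if __name__ == "__main__":
    # Constructed breach scenario: a project phrase is suspected leaked.
    DICT.add_compromised(["Summer2019Rollout"])
    for candidate in ("correct horse battery staple", "Welcome1!",
                      "AcmeCorp#2019", "JaneDoe2019!", "summer2019rollout"):
        print(f"{candidate!r}: {check_password(candidate, 'jdoe', 'Jane Doe', DICT) or 'accepted'}")
```

The three lists are kept separate on purpose: the common list is refreshed on a schedule from an external source, the organization terms are curated by the business owner the article recommends appointing, and the compromised list is updated ad hoc during incident response. Keeping them as distinct fields makes it straightforward to audit who changed what and when.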
Read Bachman Fulmer, Melissa Walters and Bill Arnold’s recent Journal article:
“NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” ISACA Journal, volume 1, 2019.
In the wake of the high-profile information security breaches that have made headlines over the past few years, leaders in the security field have been coaching organizations to make 2 fundamental changes in the way they have traditionally handled breaches. First, instead of focusing solely on impenetrability, organizations should accept that breaches are going to happen and place greater focus on detection and management. Second, organizations should be prompt and transparent when it comes to notifying impacted stakeholders about the impact of a breach instead of, well, doing the opposite.
These 2 pieces of organization-level advice can, and should, also be applied to individuals in the context of security awareness training, which was the topic of our recent Journal article.
In a 2017 blog post for NS Tech, Steven J. Murdoch and Angela Sasse write, “Companies often tell employees not to click on links or open attachments in suspicious emails. The problem with this advice is that…for many employees their job consists almost entirely of opening attachments from strangers, and clicking on links in emails. Even a moderately well targeted phishing email will almost certainly succeed in getting some employees to click on it.”
From a training perspective, of course organizations should educate their employees to help them avoid risky behaviors that could threaten security. But organizations should also reassure their employees that they understand that employees cannot do their jobs without encountering some type of security risk. Assuring employees that the organization expects them to encounter threats sooner or later empowers employees to take the appropriate action when that time comes.
Read Randy Pierson, Kevin Alvero, and Wade Cassels’ recent Journal article:
“A Heightened Sense of Awareness: What the Internal Auditor Should Know About Information Security Awareness Training,” ISACA Journal, volume 6, 2018.
The cyberworkforce gap is well documented. When we look at it from a macro level, it seems straightforward. Studies show between 1 million and 3 million job openings over the next few years, unfilled due to a lack of talent. As schools pump out new cyber grads and push them into the workforce, our prayers are answered, right?
When we look closer at the problem, we see how woefully inadequate the macro view really is. The uncomfortable truth is this: We cannot close that gap by throwing bodies at it. The speed of change in the cyberarena means that new skill gaps are created daily, even on established cyberteams. In other words, every day our teams are not learning and applying new skills, they are a little less prepared for what may come at them.
This perspective shifts the arms race from buying the most talented cyberstaff to creating programs and cultures that foster development, teamwork, and a focus on continuous and persistent learning.
Success in such an environment requires a level of discipline many organizations are not used to. But something must change if we, as an industry, want to overcome the challenges in front of us. Here are just a few of the key strategies to prepare a cyberteam to be mission-ready at all times:
- Today’s tech workers are looking for growth opportunities, but this does not always mean moving into management. Mapping the roles within the team and the skills and capabilities required for each position gives a clear picture of what individuals need to develop to get ahead, both technically and professionally.
- With knowledge, skills and abilities defined, arm your teams with consistent development opportunities so the staff have adequate training to achieve peak performance. The training must be highly relevant to both the organizational environment and to the threats facing the organization.
- Put the skills to the test with cyberchallenges that push the limits of what the team can do. It is better to challenge cyberteams to respond to threats simulated on your own terms than to expect them to fend off a real attack without firsthand experience.
- Recruit for those who have a lifetime love of learning, a passion for the industry and belief in what they are defending. The technical skills can be learned and honed, but passion cannot be taught.
Discipline around workforce development can be daunting, but those that embrace the culture of learning and growth will outperform in recruiting, retention, and ultimately performance against the threats to come.
Read Philip Casesa’s recent Journal article:
“Growing a Cybersecurity Career: Five Questions for the Next Job Interview,” ISACA Journal, volume 6, 2018.
Healthcare has many parallels with information security since both are based on prevention, monitoring, diagnosis and correction to avoid negative results. If medical success, however, were measured only by prevention of death, doctors would be the worst professionals in the world. After all, we are all going to die one day.
Moreover, if we take that same rationale for information security and measure its success or failure only through incident prevention, we will see some successes, but, eventually, there may be failures, perhaps catastrophic. Does this sound familiar?
Instead of waiting for these extreme results, we must track indicators (or risk factors) that can positively affect our situation. As in healthcare, there are risk factors beyond our control, such as gender, age and family history, and behavioral factors that can have a significant impact on our health, including diet, physical activity level and use of tobacco products.
Some decisions about which risk factors to address have already been made in your organization—if not scientifically, at least through common sense. The decisions to implement any defensive technology such as firewalls, antivirus software or web filtering were made based on the risk factors inherent to your business—in most cases, to act on something that you cannot control (threats).
So, what should you measure to improve the health of your information security? Although the evidence may not be as conclusive as in the case of healthcare, there are many sources of good practice provided by ISACA® and groups such as SANS, the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The most important thing is to pay special attention to the factors you can control: the processes in place and, in particular, the management of the technologies you have already implemented.
To continue the analogy with healthcare, this can be compared to physical exercise and heart disease: It may not be easy to get off the couch, but the risk of not doing so is high and the benefits are proven. However, measuring these indicators alone will not protect you. We need to cultivate good behaviors—in other words, choosing to "get off the couch" and apply good security management practices (factors that you can control) will have a dramatic effect on your organization and your health as well.
Read Julio Pontes’ recent Journal article:
“Automation, Governance and Security in a Software-Defined World,” ISACA® Journal, volume 6, 2019.
The amount of data accumulated worldwide by 2020 is predicted to exceed 44 zettabytes (or 44 trillion gigabytes), and the data growth rate is about 1.7 megabytes per second for every human being. To manage and understand it, artificial intelligence (AI) was developed, and its use has been increasing at a rapid rate. We see this in the products that are coming to market.
This new technology is affecting us in many ways:
- How we live (e.g., digital home assistants such as Apple’s Siri and Amazon’s Alexa)
- How information is obtained (e.g., sensors, chatbots, automated data searching)
- How we communicate (e.g., language translation)
- How we react to security and privacy attacks (e.g., network anomaly detection, fraud detection)
- How we get around (e.g., driverless vehicles)
- How we detect and prevent crimes
In my recent Journal article, we look at where the data come from (e.g., sensors, data files, audio and video information), how AI is used, the software technology behind it (e.g., machine learning, virtual agents), the areas of knowledge needed to apply it (e.g., mathematics, computer science principles and techniques, software programming, analytical skills) and where we can get the training (e.g., online, college, universities). Once we have this understanding, we review the current job market, the AI position descriptions (e.g., business intelligence developer, software engineer, data scientist, solution architect) and associated salaries.
The intent of this article is to enlighten the reader about personal AI skills and requirements and additionally to provide guidance on how to go forward with this knowledge if you are interested in becoming someone who molds our future. From the information I have gathered, it has become clear that AI technology can be a benefit to auditors (e.g., when finding internal instances of fraud), aid information security in detecting and responding to cyberattacks, and help privacy professionals look for data breaches.
I encourage you to read the article and share any insights and knowledge you may have on AI as a career path.
Read Larry Wlosinski’s recent Journal article:
“Is Artificial Intelligence a Career Path for You?,” ISACA Journal, volume 6, 2018.
At a time when IT-driven “business transformation” is the order of the day, ensuring that IT security is not in conflict with the business is a very critical concern. Instead, IT should enable the business to realize value without compromising the expected level of security. This is of paramount importance. Any compromise in IT security in the name of operational efficiency could result in legal implications for the business, including damage to the enterprise’s reputation, revenues and profits, and even imprisonment.
One area to look at very closely is the special access (also called privileged access) that a few identified IT operations stakeholders have to make sure required IT systems operate seamlessly, enabling the business to realize its intended value. It is critical for management to have confidence that whoever has special access carries out the activities in line with the expected intent and in a transparent manner.
Management can have trust in privileged access policies if:
- Only intended people have privileged access
- Special access is used in accordance with the expectations of the enterprise
But again, in the name of assurance, IT should not impede business efficiency; rather, applying common sense and avoiding rigid approaches to privileged access benefits IT and, thereby, the organization as a whole.
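The two conditions above (only intended people hold privileged access, and it is used as the enterprise expects) are what a periodic privileged access review actually tests. The following is an added example, not the article's method, of the reconciliation logic such a review runs: approved entitlements from an access request system are compared with the group membership a directory export shows today, and privileged sessions are checked for a reference to an approved change or incident. All accounts, groups, approvers, dates and session records are constructed.

```python
"""Privileged access reconciliation for a periodic access review.

Added example; not from the article. Approvals, directory membership and
session records below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Approval:
    account: str
    group: str
    approver: str
    expires: date


# Constructed: entitlements the business approved, with an expiry date each.
APPROVED = [
    Approval("alice", "Domain Admins", "cio", date(2019, 12, 31)),
    Approval("bob", "DBA-Prod", "head-of-data", date(2019, 6, 30)),
    Approval("svc_backup", "Backup Operators", "it-ops-lead", date(2020, 12, 31)),
    Approval("carol", "DBA-Prod", "head-of-data", date(2019, 12, 31)),
]

# Constructed: what a directory export shows today (privileged group -> members).
OBSERVED = {
    "Domain Admins": {"alice", "mallory"},
    "DBA-Prod": {"bob"},
    "Backup Operators": {"svc_backup"},
}

# Constructed: privileged session records from a jump host or PAM tool.
SESSIONS = [
    {"account": "alice", "group": "Domain Admins", "ticket": "CHG-1042"},
    {"account": "alice", "group": "Domain Admins", "ticket": ""},
    {"account": "bob", "group": "DBA-Prod", "ticket": "INC-7781"},
]


@dataclass
class Findings:
    unapproved: list  # (account, group): holds privilege with no approval on file
    expired: list     # (account, group): approval exists but has lapsed
    dormant: list     # (account, group): approved but not actually granted (stale approval)


def reconcile(approved, observed, today: date) -> Findings:
    """Condition 1: only intended people have privileged access."""
    approved_by_key = {(a.account, a.group): a for a in approved}
    approved_keys = set(approved_by_key)
    observed_keys = {(acct, grp) for grp, members in observed.items() for acct in members}
    unapproved = sorted(observed_keys - approved_keys)
    expired = sorted(k for k in observed_keys & approved_keys
                     if approved_by_key[k].expires < today)
    dormant = sorted(approved_keys - observed_keys)
    return Findings(unapproved, expired, dormant)


def sessions_without_ticket(sessions) -> list:
    """Condition 2: privileged use should trace to an approved change or incident."""
    return [s for s in sessions if not s["ticket"]]


if __name__ == "__main__":
    f = reconcile(APPROVED, OBSERVED, date(2019, 9, 1))
    print("Unapproved:", f.unapproved)
    print("Expired:   ", f.expired)
    print("Dormant:   ", f.dormant)
    print("Untracked sessions:", sessions_without_ticket(SESSIONS))
```

Each finding maps to a different follow-up: unapproved membership is removed (or retroactively approved with an explanation), expired approvals are renewed or revoked by the approver, dormant approvals are closed so the roster stays honest, and untracked sessions are raised with the account holder. Running this as a scheduled job rather than a manual spreadsheet exercise keeps the review light enough that it does not become the rigid process the article warns against.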
My recent Journal article touches upon a few best practices I have explored and successfully implemented in my work, helping my organization realize greater value.
Read Sundaresan Ramaseshan’s recent Journal article:
“Effective Interactive Privileged Access Review,” ISACA Journal, volume 5, 2018.