First and foremost, people and relationships are key to information sharing when it comes to anticipating threats to operational resilience. Other groups in the organisation know their areas better than my team ever will.
They also know what the business impact will be. Labelling ‘happy path’ thinking has been very helpful to get the team to step back and consider what doomsday scenarios would ruin their plans and make it impossible for them to operate.
We established standard design patterns and team norms to mitigate those doomsday scenarios. Design patterns can be in the form of standardised technical architectures, requirements or operational processes. Team norms are usually in the form of cross training, established roles, modes of communication and escalations.
The biggest benefit from our proactive approach was realised in March of 2020, when the company was forced to go fully remote, indefinitely, on short notice. In 2019, due to conversations with other teams across the organisation, we had realised that we had four big problems with our IT infrastructure that would severely limit our resilience.
To address the risk of extended outages and the need for a better remote work experience, we made the decision to migrate all our internal IT infrastructure to cloud-based services. When the shift to full-time remote work happened, we weren’t caught unprepared.
From my years in the medical sector, I witnessed how security resilience can enable an organisation. In particular, I saw it when my team had to deal with a very sophisticated malware strain that was designed to target a specific brand of widely used intensive care unit (ICU) equipment.
ICU medical devices (ICUMDs) are used to closely monitor, stabilise and treat ICU patients, who are often unconscious and rely almost solely on these devices to survive. The malware affected the syringe pump (used to administer a specific quantity of medicine) and its pump monitoring functionality, which could result in a threat to life.
When we assessed these devices, we identified both current security weaknesses and future threats. It became clear to us that we needed to handle key areas like software updates, patching and access with a very different approach than with other IT-related devices. We implemented a very refined process across the Identify, Detect and Respond phases of our security resilience strategy.
In doing so, we identified the malware in an isolated testing environment. It was revealed that the malware was introduced through a compromised patch that was released by the vendor. At that time, no endpoint protection software was able to detect this malware, and if we followed the typical security processes, we would have placed the lives of hundreds of patients in danger. No one ever thought that someone would design something so malicious that could cause the loss of life.
For many security professionals who work on the front lines, security resilience indicates the ability of an organisation to adapt to known and unknown threats. Non-stop business transformation at the time of a crisis is a key strategy for building enterprise resilience.
Procuring solutions is just one part of the trilogy of People, Process and Technology. Having staff to support the solutions is just as critical. Often, organisations fail to keep their cybersecurity staff because they have no current salary data, and have no way to understand the exponential growth of those individuals in the field and their market value. There needs to be a closer relationship between cybersecurity, finance and HR in order to build and support security programmes.
In a prior role, implementing a flexible, modular GRC was the most impactful solution. However, what made it effective towards gaining interest from multiple departments was the ability to be cross-functional, covering vendor management, vendor risk management, policy management and IT risk management. It provided a centralised solution for risk management, but also provided a repository for the enterprise policies.
In providing a vendor management solution, it also provided a vendor risk management solution where critical vendors could be risk-ranked. Risk profiles for individual vendors could then be determined, as well as the overall third-party risk profile. The cost/benefit of such a solution is easily justified when reviewing the manual processes included in each of the use cases.
The GRC solution started off with one module and, over time, expanded to four modules with other departments seeking access in order to centralise their documentation or to use it for their core processes.
A couple of years ago, I worked with a retail company that had huge risks with their third-party supply chain. Supply chain attacks have been a popular method of attack recently. However, this is not a new phenomenon, and I was called to help that company after it had quite a big data breach. The breach was not a result of their own defences, but a weakness in one of their primary suppliers.
I led a third-party supplier review, assessing areas such as who were their critical suppliers (they had about 200 suppliers). Then, we needed to examine which ones they were exchanging personal and confidential data with. We then proceeded to break all the suppliers into tiers, based on the classification of information.
We then audited all the tier-one suppliers. That helped the client by giving them a truer understanding of which of their suppliers were risky. As a result, we saw a marked improvement in the way that the company chose their suppliers. It wasn't just based on the quality of goods; it was based on security principles as well. Another important piece of resilience is the ability not only to identify when something isn't quite right, but also to do it quickly. These are the concepts known as mean time to detect (MTTD) and mean time to respond (MTTR).
Threats exist and incidents happen. Resilience is achieved when both the likelihood of an incident occurring is reduced, and the impact caused is minimised.
Working in the cyber threat intelligence (CTI) industry in the UK is always going to require an elevated alert level. Fortunately, we have architected our infrastructure in such a fashion as to reduce the attack surface and exposure of vulnerable services.
This commitment to ‘best practice’ architecture also provides a comfortable degree of resilience. For us, it’s all about having knowledgeable developers who pride themselves on the creation of secure code and ensuring it’s properly deployed with rigorous adherence to ISO 27001 compliance.
As a nearly virtual company, our data and email are all contained within Software-as-a-Service (SaaS) clouds for the ultimate in accessibility and data protection provided by those top-tier providers. Working in the CTI world, everyone in the company is acutely aware of the threats that all organisations face, including our own.
We have a chief compliance officer who works with us, and all layers of the company work against threat actors in the physical and virtual world on a daily basis. This promotes a strong security culture, as well as effective resilience.
One example of building resilience is from my days as Cisco’s first chief privacy officer. When it came time to draw up contracts, we measured a pattern of distrust and confusion when customers wanted to buy collaboration or other privacy sensitive products. Long negotiations covered basic questions such as “Where is data stored?” and “Who manages the sign-on data about our employees and customers?”
I was at the London Transport Museum exhibit when the solution hit me: the simplicity of the maps of the London Underground was perfect! What if we could show customers what data was in question, and where and for how long, in a simple-to-digest infographic?
That’s what we created and published in the Cisco Trust Center, and the results were immediate, measurable and lasting. When people can visualise systemic, complex issues, they can plan, commit and build together.
My current company is PrivacyCode, Inc. We provide a platform that allows stakeholders who must create and enforce complex legal and policy requirements to effectively translate them into consumable, measurable and action-oriented tasks for technical teams.
In a world with constant change and growing complexity, clearly communicated and granular-level leadership creates and reinforces resilience. I am always seeking simple and easy-to-engage steps to solve monumental challenges.