Once considered an operational expense and parked under the IT department, cybersecurity should now be considered a strategic risk to the business. Recent cyber attacks have shown that the impact of those incidents extends beyond IT systems. As such, even non-IT senior leaders should be prepared for a cyber attack.
Richard Addiscott, senior director analyst at technology research and consulting firm Gartner, says: “[Apart from the chief information security officer (CISO) or chief information officer (CIO),] executives must recognise that they have skin in the game when it comes to the potential impact of a significant cybersecurity incident. The downstream impacts of these events affect things like revenue; cost positions; profit and earnings forecasts; brand and customer satisfaction/confidence and trust; and enterprise compliance position that impacts their ‘licence to operate’. In some instances, [those incidents can also impact] consumer and employee safety and the environment. The key performance indicators (KPIs) associated with these objectives aren’t usually assigned to the CISO.”
He continues: “If the premise is that the business executives are accountable for managing any risks — like personnel, physical, safety — that could impact the business KPIs they’re responsible for achieving on behalf of the organisation, then that has to include taking accountability for ensuring that all reasonable steps are taken to minimise cyber risks.”
Many organisations have yet to take a collaborative, enterprise-wide approach to cyber resilience. Nearly three-quarters (72%) of CEOs say they were uncomfortable making cybersecurity decisions and often delegated the responsibility for cybersecurity to their IT teams, according to a recent study by ISTARI, a Temasek-founded global cybersecurity firm, and Saïd Business School at the University of Oxford.
There is a disconnect between CEOs’ confidence in their cyber defence strategies and their actual capabilities.
Most CEOs [we surveyed] rated their organisation’s preparedness relatively high. But therein lies a problem; those who had endured a serious cyber attack told us that they, too, had previously believed their organisation was well-prepared [to face a cyber incident.
Manuel Hepfer, head of knowledge and insights, ISTARI
Gartner’s Addiscott adds that executives in an organisation tend to have varying levels of cyber readiness due to various factors. “The more regulated an industry is, the more likely senior executives have developed greater levels of cyber literacy and understand the benefits of being proactive in their approach to cybersecurity and working with the CISO to deliver a more effective enterprise-wide response. It also depends on the experience and ability of the CISO when it comes to their executive stakeholder management skills and being able to influence them to be more heavily involved.”
“Irrespective of their risk appetite, an organisation that has a consistent and mature approach to risk management will be better prepared than one with a little more laissez-faire view of cyber risks,” he adds.
Preparing for cyber attacks
One of the significant challenges of responding to cyber attacks is the predominant feeling of loss of control. According to ISTARI’s study, the CEOs who endured a cyber attack said it was “intrusive and caused people to panic and run around like headless chickens”.
“A devastating cyber attack takes an emotional toll on CEOs. They have to make existential decisions based on imperfect information under extreme pressure. Some CEOs described it as the grimmest experience of their career. In such a high-pressure environment, it’s easy to jump too quickly to conclusions or solutions that are unsustainable in the long term,” says ISTARI’s Hepfer.
Engaging in tabletop exercises can help leaders be sufficiently prepared to avoid making rushed and perhaps bad decisions when responding to a cyber attack.
In a tabletop exercise, business decision-makers role-play a breach response. Practising this response as a team allows leaders to identify and address gaps, gain familiarity with what will be expected of them in the event of an attack, and ultimately reduce the likelihood of panic in the event of a real incident.
Steve Ledzian, CTO, Mandiant
To stay ahead of the latest tech trends, click here for DigitalEdge Section
He adds: “The questions to ask during a breach are usually obvious: Did the attacker steal any data? How much data did they steal? How much privileged access to our systems do they have? Even questions as fundamental as who the attacker is and why they are attacking us will quickly surface in the event of an attack. However, the questions organisations ask before an incident can often benefit them the most.”
Christian Fam, research manager for Cybersecurity Services at market intelligence firm IDC Asia/Pacific, agrees. He believes leaders need to ask the following questions to come up with a methodological and process-oriented cybersecurity approach for their organisation:
- What is our organisation’s risk appetite and risk tolerance towards cyber risk?
- What is the potential impact of cyber threats on our organisation? What data, systems, and processes are at risk?
- What is our organisation’s readiness and preparedness to respond to cyber threats? Do we have the necessary tools, processes, and personnel in place?
- What long-term measures and processes can be established to maintain a sustainable cyber resilience programme?
Fam adds: “C-suite executives should also establish the tone for the organisation by fostering a cyber risk-centric culture that promotes awareness and best practices amongst all employees. In addition, they should continue to stay informed about the latest cybersecurity threat landscape and take a risk-based approach to investments and decision-making. By integrating risk into all facets of a digital business, C-suite executives can stay well informed about risk factors while emphasising the importance of risk management throughout the organisation.”
Echoing him, Ravi Rajendran, vice-president for Asia-Pacific and Japan at Cohesity, a data security and management platform provider, explains: “Cyber resilience is the ability to continue delivering business outcomes, operate, or generate revenue, despite an adverse cyber event occurring. If cyber resilience becomes the overarching objective of a security posture, there’ll be a focus shift from simply complying with regulations to conducting the business securely. This redefines an organisation’s security posture requirements, wherein it needs to ensure the business can still function when an attack occurs.”
Steps to strengthen cyber resilience
With cyber threats constantly evolving and advancing, today’s cyber resilience programmes must go beyond response and recovery efforts. “Business and technology leaders must have a shift in mindset to realise that cyber resiliency is the ability to anticipate, withstand, recover from, and adapt continuously to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources,” says IDC’s Fam.
Achieving those capabilities, states Gartner’s Addiscott, calls for leaders to have a good understanding of their cybersecurity risk exposure and the potential impacts a significant cyber attack will have on the business’s strategic objectives. Next, they should develop a clear, actionable risk appetite and a mature cybersecurity performance measurement framework, which helps guide the levels of investment needed to achieve an agreed level of protection. “Make sure the agreed and tested business continuity plans that are in place have been formulated through holistic business impact analysis work. As for security investments, they must be appropriately balanced between controls that minimise the likelihood of a successful attack and those that help detect and respond to attacks to minimise their impact when they occur.”
Modern data security and management platforms are among the solutions organisations should consider deploying to be more resilient against cyber threats.
The key data protection challenge for organisations is managing and protecting data to ensure their core systems, business processes and operations are not disrupted [even during a cyber attack. Modern data security and management platforms can help] by providing immutability, end-to-end encryption, artificial intelligence and machine learning-based anomaly detection and threat intelligence, automated recovery at scale, and data isolation vaults. Those platforms can also easily integrate into the organisation’s existing cybersecurity systems and processes.
Ravi Rajendran, vice-president for Asia-Pacific and Japan, Cohesity
He shared the example of Origin Property in Thailand, which managed to prevent and recover data from a cybersecurity incident by deploying Cohesity’s data security and management platform. “Although they deployed our platform as a proof of concept, they could completely recover from a ransomware attempt within three hours, compared to their previous backup window of 20 hours, and got their data back without paying the ransom. They also managed to lower their total cost of ownership within their IT and cybersecurity environment.”
Organisations should invest in their people too.
Besides ensuring they have a right-sized cybersecurity workforce — or cybersecurity capability if leveraging third parties — they must also ensure everyone across the organisation knows why cybersecurity is important and why they should care. After that, they can look at fostering a more security-conscious corporate culture that helps promote and embeds more certain behaviours and practices into their day-to-day work.
Richard Addiscott, senior director analyst, Gartner
To help organisations ensure their leaders are security conscious, Mandiant’s executive intelligence briefings provide the latest observations and analysis of the threat landscape. "By staying up-to-date with what is relevant to their industry and geography, leaders can make informed decisions before, during, and after a cyber incident," says Mandiant's Ledzian.
Similarly, ISTARI’s annual CEO cyber resilience forum shares the latest threats landscape developments and guides what CEOs can do to enhance their organisational cyber resilience. As for senior cybersecurity and technology leaders, they can join ISTARI Academy’s Navigator programme, which aims to help them fortify their organisation’s cybersecurity posture.
“Cyber threats are unlikely to reduce in the future, so it is all about how organisations deal with them. Therefore, companies should move away from cybersecurity protection and instead focus on building cyber resilience,” concludes ISTARI’s Hepfer.