Beyond Cybersecurity - Kaplan James M.
Executive Summary
DIGITAL RESILIENCE PROTECTS THE BUSINESS AND ENABLES INNOVATION
As recently as seven or eight years ago, cybersecurity was not a priority for many companies. Even large and sophisticated IT organizations spent relatively little protecting themselves from attack and had little insight into the business risks caused by technology vulnerabilities. What protections existed were focused on defending the perimeter of the corporate network, and IT security organizations’ role was to manage tools such as remote access and antivirus software. Managers and frontline employees faced few consequences for violating security policies, and insecure application code and infrastructure configurations were pervasive.
Since then, most technology executives tell us that they have made significant progress in establishing cybersecurity as a control function. There are now true cybersecurity organizations with significant budgets and headed by chief information security officers (CISOs). They have locked down desktops and laptops to prevent end users from unwittingly introducing vulnerabilities into the environment; they have introduced architecture standards; and they review processes to identify and remediate security flaws in new applications.
Establishing cybersecurity as a control function was a necessary step that dramatically reduced risk for a great many institutions, but it is less and less tenable as the threat of cyber-attacks continues to rise (Figure E.1). It places the responsibility for security primarily with the cybersecurity team. It is backward-looking and tries to protect against yesterday’s attacks. It depends on manual interventions and checks and double checks, and has limited scalability. It seeks to inspect security in, just as old-school manufacturing processes futilely sought to inspect quality in. Most importantly, it increases the tension between cybersecurity and the innovation and flexibility craved by the business.
FIGURE E.1 Existing Cybersecurity Models Become Less Tenable as Threats Increase
To achieve digital resilience, companies need to undergo fundamental organizational changes, including integrating cybersecurity with business processes and changing how they manage IT. Specifically, there are seven hallmarks of digital resilience:
1. Prioritize information assets based on business risks. Most institutions lack insight into what information assets need protecting and which are the highest priority. Cybersecurity teams must work with business leaders to understand business risks across the entire value chain and then prioritize the underlying information assets accordingly.
2. Provide differentiated protection for the most important assets. Few companies have any systematic way of aligning the level of protection they give to information assets with the importance of those assets to the business. Putting in place differentiated controls (e.g., encryption or multifactor authentication) ensures that institutions are directing the most appropriate resources to protecting the information assets that matter most.
3. Integrate cybersecurity into enterprise-wide risk management and governance processes. Cybersecurity is intertwined with almost all of an institution’s major business processes. Companies must create much tighter connections between the cybersecurity team and each critical business function – product development, marketing and sales, supply chain, corporate affairs, human resources (HR), and risk management – in order to make the appropriate trade-offs between protecting information assets and operating key business processes efficiently and effectively.
4. Enlist frontline personnel to protect the information assets they use. Users are often the biggest vulnerability an institution has – they click on links they should not, choose insecure passwords, and e-mail sensitive files to broad distribution lists. Institutions need to segment users based on the assets they need to access, and help each group understand the business risks associated with their everyday actions.
5. Integrate cybersecurity into the technology environment. Almost every part of the broader technology environment affects an institution’s ability to protect itself – from application development practices to policies for replacing outdated hardware. Institutions must move from a crude “bolt-on security” mentality and instead train their entire staff to incorporate it into technology projects from day one.
6. Deploy active defenses to engage attackers. There is a massive amount of information available about potential attacks – both from external intelligence sources and from an institution’s own technology environment. Companies will need to develop the capabilities to aggregate and analyze the most relevant information, proactively engage with attackers, and tune defenses accordingly.
7. Test continuously to improve incident response across business functions. An inadequate response to a breach – not only by the technology team, but also from marketing, public affairs, or customer service functions – can be as damaging as the breach itself. Institutions should run cross-functional “cyber-war games” to improve their ability to respond effectively in real time.
There are three important points about this list:
1. Technology executives believe that these actions collectively could be game changing in terms of digital resilience.
2. Only two are primarily cybersecurity levers; the remainder require broader IT or business process change.
3. Companies are not making progress on these levers fast enough. On average, technology executives gave their companies C to C– grades on their efforts so far.
The seven levers are discussed in Chapters 3 through 7. Chapter 3 looks at how to prioritize business risks and put in place different levels of protection for the most important information assets. Chapter 4 provides a perspective on how to incorporate cybersecurity considerations into business decision making and how frontline users can help protect information assets. Chapter 5 shows how cybersecurity must be built into the broader IT environment. Chapter 6 describes integrating intelligence, analytics, and operations into active defenses that can respond quickly to emerging threats. Chapter 7 covers the use of war gaming to build incident response skills across business functions.