Read the book The Digital Big Bang - Phil Quade - Page 26
THE PURPOSE OF YOUR MISSION
Before you can decide how to best apply your newfound strategic tools, you must know the “why” of the “how and when” you will need to use them. Every business, industry, and organization is different. The reasons you need to protect your organization and how you protect it are important. Why you do what you do feeds into your organizational risk appetite, defines your value at risk, and informs key decision-making points such as the level of accuracy needed versus speed and financial investments. Working through a normalized risk process, or even something as simple as sitting down with your business leaders and discussing the downstream residual impact of cybersecurity failure, will help inform and shape your mission parameters. Are you part of critical infrastructure? Would intellectual property loss ruin your business? Can your business ecosystem outside your control cause irreparable damage? These questions and many others should be the foundational elements of how you describe your “business of security” and what your mission focus is. In turn, as you begin to consider the implication of the speed used against you and the speed that will help you accelerate your effectiveness, a deep understanding of your mission imperatives in alignment with the following five critical areas of planning will ensure your success in the hyperconnected and hyperspeed world in which you operate:
1. Understand your environment. Your success depends on your direct ability to succeed within the environment in which you operate. To do that, you need to understand your environment through transparency, knowledge, and access. This includes crucial elements such as understanding your critical assets, a holistic understanding of the resources and technology deployed through a comprehensive configuration management database (CMDB), and data flow diagrams that detail how information flows through your business. Just as important is the understanding of your third-party ecosystem, your supply chain, and how your services are in effect an integrated component of your customers' supply chains. Your ability to quickly understand the impact of any given event through this level of transparency is a fundamental component of being able to think and act quickly.
2. Drive safely at high speed. Your business success depends on speed to market and speed to respond. Your job is to get everyone there safely. This sense of speed enablement, or acting like the brakes on the car so your business is confident to go faster, requires a mature risk process. Effective risk programs have tiers of risk considerations and actions that create broad bands of flexibility and enable decision making based on preselected and informed risk formulas that serve as guiding principles. Spending time developing those mechanisms and allowing them to mature, educating your business, and, just as importantly, educating your team will empower and enable all levels of the organization to recognize and facilitate business-based risk decision making at speed.
3. Plan ahead. Your opposition is well funded, utilizing capabilities and decision-making guardrails that are faster than yours. As in an old-fashioned gunfight, the first one to put lead on the target wins. This means that you need to be comfortable with rapid decision making based on accumulated knowledge rather than absolutes, and have a “gun belt” of premade decisions, actions, and plans on your side. For instance, if you have a ransomware incident that is less than x% contained, do you shut down your data center? If you are suffering a financial crimes attack, will you call law enforcement, and if so, what agency and what is their number? Simple efforts such as tabletop exercises or defining preplanned partners significantly add to your ability to react fast in times of crisis. Prepositioned decision making agreed to by your leadership also ensures that your business will understand, support, and expect clear action and leadership from you when needed.
4. See the big picture. You need over-the-horizon threat modeling. I think everyone would agree that seeing a speeding train coming at you is better than getting run over by one. Unfortunately, too many people concentrate too myopically on their own operating environment and never look up long enough to see the train coming down the tracks. The use of intelligence services, information-sharing partnerships, and other mechanisms that give you a view outside your business into adjacent industries, like competitors or aligned ecosystems, is a great way to measure and prepare for the potential impact of issues not yet affecting your business. This greatly enhances your time to prepare, plan, and react to situations and opportunities that too often are missed because of insular behaviors.
5. Make the most of limited resources. Managing a business with limited return on investment (ROI), no profit, and smaller teams takes a different approach. Not every industry has the mission criticality of a nuclear power plant or the financial resources of the financial sector, and most of us never will. But just because we can't build large operating teams doesn't mean there aren't methodologies we can put forth to make us more nimble and adaptable. For instance, sometimes less is more. Often, many of the services we use are not employed on a constant basis, and thus the costs associated with maintaining them, or the skills needed to maintain them, are wasted. Why not consider third-party contracting support for those services? And that's not just for limited services. If there are opportunities to leverage or utilize an ecosystem of providers to deliver core services at a lower cost, or to use automation and cloud-based services to maintain a more current and manageable portion of your operations, why not consider them? Sometimes, using simplified capabilities rather than an entire offering allows you to have those capabilities most necessary to react fast to the most critical issue, while maintaining a profit and loss (P&L) reasonable for your business.