The Expert View: Managing cyber-security in a time of economic turbulence

Recent years have seen much investment in cyber-security tools, but the focus is shifting to what that investment has accomplished, said Fayaz Khaki of Adarma, introducing a TEISS Breakfast Briefing. In a time of economic turbulence, he said, it is essential to ensure that investments in security technology are meeting your needs.

Part of that process involves improving your process for communicating risk, said Kirsty Paine, of co-sponsors Splunk. She told attendees, senior executives from a range of sectors, that she was interested to hear about their companies’ resilience efforts. Is resilience a meaningful concept, she asked, or has it become something companies say they are working towards, without a clearly established goal?

“It’s like running up the down escalator”

It is essential that the organisation has a thorough understanding of risk, attendees agreed. That starts with determining your risk appetite based on what could go wrong. A breach often makes the organisation’s risk appetite clear, one delegate said, but it isn’t the ideal way to find out. It’s better to prepare before the worst happens by planning for specific scenarios and creating processes to respond quickly should a breach occur.

Data literacy is also key in managing cyber-security risks, as it enables businesses to understand the origin of their data, where it is adapted and what kind of controls they have over it, said one attendee. A mature process is one that defines the threat, outlines potential scenarios, and has a playbook for dealing with them, an attendee argued.

The board often thinks of risk as a project that can be completed but it’s more like running up the down escalator, another attendee said. You can slow the rate at which you are going down but can never completely stop. Risk management must be seen as an ongoing process – constant diligence and preparation are needed to stay ahead of potential threats.

“The more senior the audience, the smaller words I have to use”

Getting the buy-in necessary to tackle risk means communicating effectively with a board that is primarily focused on profits, attendees agreed. Security is seen as a cost centre, so one approach is to consider ways to see it as a profit centre – one that enables agility and digitisation, for example. They must also be able to make the case that managing risk effectively will keep the company competitive. Another option, attendees said, is simply to make the message more positive. Instead of emphasising the risks, focus instead on how the security team can avoid the worst and plan for recovery.

This can be a challenge, because boards don’t always understand cyber-security. “The more senior the audience,” said one attendee, “the smaller words I have to use.” Another attendee said: “The biggest risk I face is the executive lunch.” That is, the CEO goes out to lunch with another CEO who recommends a product that has transformed their cyber-security. The first CEO goes back to the office and insists on buying that tool. Attendees suggested training the board, or at least having one cyber-security champion on it.

In regulated industries, compliance can be a driver for change at board level. Senior manager liability in financial services, for example, which means criminal liability for certain executives if they are deemed negligent, has meant that boards are more interested in security, said one attendee.

“Compliance doesn’t equal resilience”

However, simply complying with regulations does not mean the organisation is resilient and security leadership must manage that misconception internally. In fact, for multi-nationals, regulations can add another layer of complexity. As one attendee said: “We’re in 180 countries, so I need to own the Rosetta Stone for all this regulation – CISA meets ENISA, DORA, NIS2, sectorial and so on.”

True resilience must be properly connected with business risk, rather than just a tick-box exercise. Resilience costs money, but it does have value and, for most attendees, is a meaningful concept. For many attendees, however, resilience is not new but something the organisation has been dealing with for a long time. One attendee suggested that it just becomes a priority after major shocks, such as the 2008 financial crisis or, at present, the aftermath of the Covid-19 pandemic.

As with risk, resilience needs must be communicated to senior executives. One attendee said that the board often thinks resilience can be achieved by just buying another product but, as with risk management, it is an ongoing process.

“You have to get rid of the stuff you’re comfortable with”

There are plenty of tools in place to tackle these challenges, attendees agreed, but they must be tied to processes. The question of whether tools are providing value is partly justified because the board or even technologists often believe they can solve the problem with just one more tool.

Properly used, however, security tools can increase the organisation’s visibility of threats and weaknesses and help speed up the response. Attendees were cautiously optimistic about the potential for automation to help, though some warned that there was a danger of automating bad processes, which would only worsen the problem.

For one attendee, automation “is an opportunity that comes with risk” and, for another, something that “will free up smart people to do strategic things”. Ultimately, security professionals don’t have a choice, they said: they need to know what can be automated then communicate that to the board and understand how the automation can be trusted, whether via outsourcing or a tool.

Paine said that a significant benefit of automation is that it delivers consistent responses, rather than the variable responses of humans, and that it can immediately remove simple tasks from the security team’s list of alerts.

“It goes against human nature, as you have to get rid of the stuff you’re comfortable with,” she said, “and leave yourself with uncomfortable things that you don’t know”. It was, she concluded, critical to allow talent to focus on the complex problems that automation can’t solve.

For more information visit ADARMA.