Commentary: Stop playing the blame game in a cybersecurity breach
Companies react badly when a cybersecurity breach occurs but forward planning between business executives and IT professionals within the organisation can help address threats decisively, says RSA’s senior technical consultant.
SINGAPORE: Every week, we observe major cyberattacks against organisations of all sizes, from banks, healthcare organisations to even schools.
Just in October, Yahoo announced the most shocking revelation about its August 2013 breach – that saw all three billion of Yahoo’s user accounts exposed.
When such an attack occurs, who’s to blame? There’s no denying that cyber attackers should be held responsible.
However, within each organisation, there is an excess of finger-pointing within the c-suite. Case in point, BAE Systems recently reported that 50 per cent of IT decision makers would blame their c-suite bosses in the event of a breach, and business leaders expect their IT department to take full responsibility for such incidents.
Blame games can continue – the root cause is that both business and security teams are not aligned. They struggle to speak the same language and connect security incidents to business context to assess the business risk fast enough to make the right decisions.
This is what we call a “gap of grief” situation, where IT professionals are interested in understanding how a breach happens and how it can be prevented in future, whereas business leaders care about the incident’s overall impact to the organisation. As a result of this disconnect, organisations are unable to detect and respond to the highest priority threats to the business fast enough to contain the damage.
Against the backdrop of an evolving cybersecurity threat landscape, how can organisations close this gap of grief and manage cyber risk to protect what matters most? Here are the three steps to help bridge this gap.
BUSINESS AND IT NEED TO WORK MORE CLOSELY TOGETHER
First, business and security teams need to come together under a business-driven security approach. Security incidents are both an IT and a business problem. In fact, the cost of security failure is growing exponentially, with cybercrime expecting to cost businesses over US$2.1 trillion globally by 2018.
To create a business-driven security strategy, both teams need to align on their strategies and priorities order to determine which business systems and assets are most critical, and where they are most vulnerable to attacks. This will help assess the risk to the business in the event of a cyber breach, and prioritise resources to remediate the situation appropriately.
Risk and value are difficult to justify in security and most IT professionals are poor at communicating both to the business leaders.
Many CEOs are baffled by the prospect of investments for a breach that has yet or may never occur because of inadequate explanation of the potentially catastrophic business risks involved. They need to understand the degree of impact on business continuity, intellectual property and reputation in an event of a security incident, among other things.
This is why IT professionals need to engage with the boardroom by using relatable business language, not technical jargon, to convince the board of the value of cybersecurity investments.
Likewise, business leaders must ensure that their IT departments fully understand the objectives of their business to have a clear sense of the organisation’s security posture as well as their security infrastructure needs and requirements.
After all, it has been proven time and time again that a siloed approach to security does not work. For a business-driven security strategy to succeed, security needs to be driven by the business, not just IT.
EYES OVER EVERYTHING
Second, the security team needs to have visibility of the enterprise at all times, across business processes, networks, devices, people and transactions.
With mobile technology, cloud computing and the Internet of Things creating new openings for cyber threats, organisations are at greater risk than ever. Yet, organisations today do not always see an attack coming, when in reality there is one every 39 seconds.
About half of IT executives surveyed also shared that keeping up with new threats and understanding the full scope of attack were key challenges when it comes to threat detection. Many organisations simply cannot accurately identify their highest risks and react with better detection and response to minimise the impact of a security incident without full visibility of the IT infrastructure.
Having comprehensive visibility is therefore necessary for businesses to assess risks and take appropriate action against advanced attacks. Only then, there will be less likelihood of a damaging cyberattack.
DON’T UNDERESTIMATE PLANNING AHEAD
Third, organisations need to have a response plan that allows security teams to detect and respond to the real and high priority threats.
The impact of cyberattacks typically amplify if left undetected.
Yet, 90 per cent of organisations are unsatisfied with their response time when it comes to tackling cybersecurity attacks; 74 per cent have inadequate systems to quickly recover from an attack; and only 11 per cent say they can investigate threats quickly.
Organisations need to plan ahead, identify gaps in understanding cyber and business risks, as well as have visibility between various internal functions.
While these gaps exist, issues like securing sufficient investment in cybersecurity will continue to be a challenge for several organisations looking to beef up their cybersecurity defenses with advanced technologies.
Organisations should take a phased approach to address the gaps, but they need to start now. They need to first prioritise their assets, know their vulnerabilities and the impact to their business in order to build a defence strategy that can streamline cybersecurity operations and compliance.
Most importantly, organisations should ensure their approach is holistic, not just by looking at its technology and processes, but also the people involved – most often the weakest link in the chain. Educating and building a security culture amongst employees is probably the best defence against cyberattacks.
As we sit on the cusp of a fourth industrial revolution, a business-driven security approach rather than a one-size-fits-all approach to cybersecurity will help organisations mitigate cyberattacks that have become bolder than ever.
Budiman Tsjin is senior technical consultant, Asia at RSA.