2020 has been full of challenges. Organizations were forced to accelerate changes that had been coming for some time due to a variety of external pressures. The Wall Street Journal recently summarized the changes brought on by the COVID pandemic. Remote work is the new normal in many industries, and there is ample evidence that “work from anywhere” is here to stay. Many buying experiences have moved almost entirely online, with either home/office delivery or curbside pickup as the means of distributing goods to the end buyer. Many organizations are permanently shutting down offices, intending to maintain partially remote workforces even after the pandemic is brought under control.
Within the world of government contractors, the Department of Defense adopted new policies that have demanded better compliance with existing standards and the eventual adoption of stronger means to safeguard government digital information. While there is still debate over the new rules, it’s clear that some sort of third-party assessment, either from the DoD itself or through certified accreditors, will be required.
Finally, the recently discovered cyber espionage campaign uncovered by FireEye and Microsoft has shown that even sophisticated cybersecurity protections can be compromised by well-funded advanced persistent threats. Supply chain cybersecurity is on the front page. All of this has greatly accelerated the need for all companies to revisit (or perhaps seriously visit for the first time) their organization’s cybersecurity program and be prepared for when (not if) they experience a cybersecurity incident.
The good news is that firms of all sizes can prepare for, and fight through, a cybersecurity problem.
Are you ready for 2021?
In our discussions with executives, we find that there are three misconceptions that need to be dispelled before management teams can move forward with developing a comprehensive cybersecurity strategy:
1 – MYTH: “We are either secure or insecure.”
Think about cyber defense in terms of where your organization is and where you want it to go. Cyber maturity is an ongoing process. In home security and maintenance, you’re never just done. How will you parse out and resource the trips to Home Depot that will be required to keep that home maintenance from failing and costing you dearly? Similarly, cybersecurity activities are not a “set and forget” prospect. As a manager and leader in 2021, you need to ask yourself and your teams, “How are our cybersecurity tools being used now and what incremental steps can we take to improve?” Doing something is vastly better than doing nothing.
2 – MYTH: “The threat is simple and fast-moving.”
Infiltration of your systems can be a long, drawn-out process – a set of activities performed by the adversary over time to avoid detection (as seen in the recent infiltration of multiple commercial and government organizations through the exploitation of SolarWinds software). They may target you only to gain access to one of your customers. Company leaders don’t have to be technology experts to manage cybersecurity, but they do have to be present. Leadership is intrusive, so take the opportunity to talk through the level of threats you are worried about and the response activities you need for your business. Having a mature program means that you have worked with your team so that when indications are found, everyone knows what to do and they can work together to effectively address the threats, vulnerabilities, and consequences.
3 – MYTH: “Cybersecurity is an IT problem, not a business problem.”
If you are a leader, it IS your problem. Today, cybersecurity risk is a brand trust issue and should be a key focus for upper management to ensure they are integrating across their top-notch teams to manage the threats, vulnerabilities and consequences effectively enough to mitigate the risk. The policies that allow your team to successfully fight through a cyber incident have to be decided, resourced, and enforced (through example) from the top.
At Ardalyst, we use the NIST Cybersecurity Framework as a model of how you should think about and prepare your organization’s plan for resilience. At its basis is the standard framework, which consists of a lifecycle of five functions – Identify, Protect, Detect, Respond, and Recover – which over time must “Evolve” to address new threats, vulnerabilities, and consequences.
1 – Identification: Don’t make the mistake of simply counting endpoints and offices. Leaders need to be risk-based in their thought processes and push their teams to think beyond the computers and walls. Your organization’s mission priorities dictate how you manage your cybersecurity program. What are your company’s biggest goals? How dependent are the outcomes of those goals on your informational and operational technologies? What is your company’s role in the supply chain? What are the critical functions that must be maintained? How do you govern how your people access networks remotely? How much risk are you willing to take on to make access convenient? These are just a few of the questions that will identify what safeguards you require to effectively protect your company. Find someone who can help you understand how your business operations, network operations, and cybersecurity needs intertwine.
2 – Protection: This is where you make decisions about what safeguards are good enough to effectively protect your company, based on the risk and governance needs you identified. What people, processes, and/or technology will meet your requirements? What roles and responsibilities will you assign your team, and how will you ensure they are empowered to do their jobs? Your team and vendors need to understand the threat, and plan and act accordingly. There are protections that are required for government contracts (such as those in the FAR for basic safeguarding and the recently enacted NIST SP 800-171 self-assessment requirements announced by the DoD for Controlled Unclassified Information). In terms of due diligence and due care, leaders must make resource trade-offs to ensure they are spending their budget in the right way and aligning with their critical priorities. We typically find that this is the hardest part for our customers.
3 – Detection: Your teams – whether that is your in-house IT team or a hired cybersecurity firm – should be looking for indicators that an adversary is somewhere along the continuum of infiltrating your network. This is not meant to encourage fear, uncertainty, and doubt, but if you prepare yourself with the mindset that you are probably under attack now, you will be better postured to build your presence and response appropriately. At any point along this chain of events, the adversary could potentially be detected through continuous monitoring activities. Leaders can and should play an active role in detection by asking what your organization should be looking for, determining the potential business impact, and helping prioritize the protective measures to limit the impact.
4 – Response: If you have a cybersecurity program, you are going to have incidents. Don’t wait to be hacked to figure out how to respond. There is always a moment where you are trying to determine whether it is or isn’t something … whether a series of events is or isn’t an incident … whether the incident is or isn’t a reportable event with your customers and stakeholders. Developing your response plan early on will make for a clear and faster mitigation of a cyber incident when it is uncovered, no matter when it happens … when you’re on vacation … on a Sunday … in the middle of the night or when your kid is having their wisdom teeth removed. Leaders must be decisive and transparent to protect their brand. Make sure you’re ready when the unfathomable happens at an unfathomable time. Panic is your enemy. Plan ahead, know who to call for outside legal and PR counsel and how to activate your notification chain – employees, clients, legal resources, the FBI, etc. Leaders lead, especially in times of crisis. Practice your plan.
5 – Recovery: A faster, smoother response means a lower impact to your brand (and your bottom line) and a stronger recovery. Knowing and planning ahead of time for what is required to continue your lines of business and prioritize the return to normal operations is key to surviving an incident. This goes back to the identification phase. In identifying what you have, make sure you know what things are absolutely critical to your operations. In doing so, you can build up your cyber resiliency and mission assurance.
6 – Evolution: Have a plan to grow and mature your cybersecurity program. Mature your program as your company matures. Regularly check that your program meets your customer needs and expectations, as well as where adversaries are focusing their efforts (e.g., email is currently the top attack vector, and email protections are required by CMMC Level 3 but not by NIST SP 800-171). Understand the cost to improve protections and the potential impact associated with not evolving. Have a plan for professional development, as well as continuous monitoring. Look for outside evaluations of your plans and recovery protocols. We recommend making this part of your quarterly and annual review process. Good decision making is a constant requirement in leadership … just like cybersecurity. In some cases, minimum compliance is good enough; in others it is not. Your role as a leader is to make sure you are evolving with the risks. Start now and mature from there.
Resolutions are often made at this time of year, but wishing and hoping is not a strategy. The events of 2020 – a massive increase in remote work, increasingly demanding compliance regulations, and a sophisticated supply chain attack from a foreign adversary – have shown that for business leaders across the country, cybersecurity is no longer an IT function, but a business priority. As a leader, you must communicate your priorities and let them guide you and your team in making integrated risk management decisions for your business, decisions that will govern and mature a cyber program that efficiently meets your needs.
Charge into 2021 with a firm grasp of the tenets described above and a willingness to engage. Change can be hard, but it is made easier with a security partner who can guide you and your team on this journey. We believe Ardalyst is that partner for 2021.
Ardalyst is a digital transformation and cybersecurity firm dedicated to helping public and private organizations fight through the unexpected. We work with you to balance productivity with security compliance, cyber resiliency, and mission assurance. By growing your understanding of how to thrive in the challenged digital environment at a price point that makes sense for your business, our goal is to replace your uncertainty with understanding.