The Achilles' heel of Cybersecurity: You are as Strong as your Weakest Link
Wai Kit Cheah
Technologist | Cybersecurity Leader | CISO | Trusted Advisor | Enterprise Architect | Digital Transformation Evangelist | Business Leader | Product Management | Strategist, Mentor & Coach
Many of us grew up with folklore and have heard the story of Achilles and his vulnerable heel. It was a cautionary tale. Much like Achilles, the world of cybersecurity has its own Achilles' heel: a weakness that, despite overall strength, can lead to downfall. While various factors contribute to this vulnerability, it is the unknown unknowns that make us the most vulnerable. I often refer to these as blind spots. Let's take a moment to explore strategies to bolster our cybersecurity resilience.
The Complexity Conundrum
Cybersecurity controls are designed to protect organizations from evolving threats. However, over time, these controls can become a tangled web of complexity. At least two primary reasons contribute to this complexity: reactive enhancements and the pursuit of the best control solutions.
Reactive Enhancements
As risks emerge and technologies advance, risk managers react by enhancing control systems. Although these changes are initially justified and necessary, they can accumulate over time, resulting in a complex patchwork of controls. Sometimes, I refer to these as the "Frankenstein" controls.
The Pursuit of the Best
In the quest for optimal security, organizations seek out the best control solutions available. It's chasing the next shiny thing on Gartner's Magic Quadrant. The allure of cutting-edge technologies and their promised benefits often leads to the integration of current-gen and next-gen systems. While this pursuit is well-intentioned, it can further complicate the cybersecurity landscape.
Simplifying Cybersecurity: A Risk-Based Approach
When I was much younger, one important lesson I learned is that one of the biggest challenges in implementing security controls is balancing security and usability. Strong measures are important, but they should never hinder the usability of the system or application we are protecting. This is where a risk-based approach comes into play: the level of security controls is determined by the level of risk associated with the system or application. Here is a suggested step-by-step risk-based approach:
Step 1: Asset Identification
If we do not know what our critical assets are and what to protect, how do we protect them? What you don't know, you cannot protect. Thorough asset identification gives you visibility of your assets, allowing you to label or tag those considered high-value, and to know their movement and usage across your organisation. This is the starting point. To be effective, security controls and protection measures should be commensurate with the value and classification of the assets.
Step 2: Risk Assessment
The next step in a risk-based approach is to perform a risk assessment: evaluate and identify your organisation's high-risk threat vectors, vulnerabilities, likelihood, risks and potential impact to the high-value assets you need to protect. Relationships between assets, processes, threats, vulnerabilities and other factors are analyzed in the risk assessment. One method is to conduct a BIA (Business Impact Analysis).
Step 3: Attack Surface
With your asset inventory identified and risks quantified, the next step is to map and understand your attack surface. You could do a network discovery, focusing on Internet-facing systems, Cloud services, and third-party integrations. Attack surface mapping identifies potential entry points and high-risk areas, and is a useful step for any organization that wants to prioritize which areas require more focus and stronger controls.
Step 4: Scan, Assess & Observe
Next, to find out what security controls or measures are currently in place, review your policies, standards and guidelines, observe processes, and perform scans and penetration testing. Leverage these information sources to create a comprehensive list of the controls in place. Controls that require significant customization, integrate with many systems, span organizational silos, or involve lengthy multi-step workflows or procedures tend to contribute most to overall complexity, as do controls with many upstream or downstream dependencies. This step helps assess and isolate those complex controls. At the same time, it identifies where the gaps are, i.e. the blind spots.
Step 5: Implement, Test, Monitor and Iterate
Catalogue each gap identified in the previous step and the missing control, determine the business impact, and prioritize closure of these gaps guided by their risk scores. It is important to monitor risk factors continually and to adapt security priorities and control implementation dynamically, driven by the latest threat intelligence and asset valuations.
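The five steps above, carried through as one worked example in Python (added here; it is not code from the original article). The asset inventory, threat vectors, likelihood values, controls and scoring formulas are all constructed assumptions for illustration: a small inventory is scored for risk (Step 2), the Internet-facing subset is listed as the attack surface (Step 3), controls are ranked by a complexity heuristic built from the indicators named in Step 4, and the (asset, threat) pairs that no in-place control covers are ranked by risk score as the gaps to close in Step 5.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample data for illustration; not from any real organisation.


@dataclass
class Asset:
    """Step 1: an inventoried asset, tagged with its value classification."""
    name: str
    classification: str          # "high", "medium" or "low" value
    internet_facing: bool        # Step 3: part of the external attack surface
    threats: Set[str]            # Step 2: threat vectors relevant to this asset


@dataclass
class Control:
    """Step 4: an existing control and the indicators that make it complex."""
    name: str
    mitigates: Set[str]          # threat vectors the control addresses
    covers: Set[str]             # asset names the control actually protects
    customised: bool = False     # significant customisation
    workflow_steps: int = 1      # length of the procedure to execute it
    depends_on: Set[str] = field(default_factory=set)  # upstream dependencies


VALUE = {"high": 3, "medium": 2, "low": 1}   # assumed value weights per class

ASSETS: List[Asset] = [
    Asset("customer-db", "high", False,
          {"credential_theft", "ransomware", "insider_exfiltration"}),
    Asset("web-portal", "high", True, {"sql_injection", "credential_theft"}),
    Asset("hr-wiki", "low", True, {"credential_theft"}),
    Asset("build-server", "medium", False, {"supply_chain", "credential_theft"}),
]

# Likelihood (1-5) per threat vector, as estimated in the Step 2 assessment.
LIKELIHOOD = {"sql_injection": 3, "credential_theft": 4, "ransomware": 3,
              "insider_exfiltration": 2, "supply_chain": 2}

CONTROLS: Dict[str, Control] = {
    "waf": Control("waf", {"sql_injection"}, {"web-portal"},
                   customised=True, workflow_steps=2, depends_on={"cdn"}),
    "mfa": Control("mfa", {"credential_theft"},
                   {"web-portal", "customer-db", "hr-wiki"}),
    "backups": Control("backups", {"ransomware"}, {"customer-db"},
                       workflow_steps=6, depends_on={"vault", "ticketing"}),
    "cdn": Control("cdn", set(), {"web-portal"}),
}


def risk_score(asset: Asset, threat: str, likelihood: Dict[str, int]) -> int:
    """Step 2: impact (asset value, doubled if exposed) times likelihood."""
    impact = VALUE[asset.classification] * (2 if asset.internet_facing else 1)
    return impact * likelihood[threat]


def attack_surface(assets: List[Asset]) -> List[str]:
    """Step 3: Internet-facing assets, highest value first."""
    exposed = [a for a in assets if a.internet_facing]
    return [a.name for a in sorted(exposed, key=lambda a: -VALUE[a.classification])]


def complexity_score(control: Control, controls: Dict[str, Control]) -> int:
    """Step 4 heuristic: customisation, long workflows, and dependencies in
    both directions (upstream and dependents) all add to complexity."""
    dependents = sum(1 for c in controls.values() if control.name in c.depends_on)
    return ((2 if control.customised else 0)
            + max(0, control.workflow_steps - 3)
            + len(control.depends_on)
            + dependents)


def rank_by_complexity(controls: Dict[str, Control]) -> List[Tuple[int, str]]:
    """Step 4: the controls to simplify first, most complex at the top."""
    return sorted(((complexity_score(c, controls), c.name) for c in controls.values()),
                  reverse=True)


def find_gaps(assets: List[Asset], controls: Dict[str, Control],
              likelihood: Dict[str, int]) -> List[Tuple[int, str, str]]:
    """Step 5 input: (risk, asset, threat) for every threat that no in-place
    control mitigates on that asset, highest risk first. These are the blind spots."""
    gaps = []
    for asset in assets:
        for threat in asset.threats:
            covered = any(threat in c.mitigates and asset.name in c.covers
                          for c in controls.values())
            if not covered:
                gaps.append((risk_score(asset, threat, likelihood), asset.name, threat))
    return sorted(gaps, reverse=True)


if __name__ == "__main__":
    print("Attack surface:", attack_surface(ASSETS))
    print("Controls by complexity:", rank_by_complexity(CONTROLS))
    for risk, asset, threat in find_gaps(ASSETS, CONTROLS, LIKELIHOOD):
        print(f"gap risk={risk:2d} asset={asset} threat={threat}")
```

Note that coverage is checked per asset, not per control: MFA exists, yet the build server is still a credential-theft gap because the control was never rolled out there. That kind of partial deployment is exactly the blind spot Step 4 is meant to surface, and the ranking makes it the first gap to close because the likelihood of credential theft outweighs the asset's medium value.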
The Multifaceted Nature of Cyber Risk
Cyber risk encompasses more than just data breaches and privacy concerns. Today, it extends to encompass sophisticated schemes capable of disrupting entire companies, industries, supply chains, and even nations. The economic consequences of such cyberthreats are staggering, amounting to billions of dollars in losses. No organization, regardless of its sector, is immune to cyber risk. However, the key lies in understanding that while cyber risk cannot be escaped, it can be managed, mitigated, and recovered from.
There is a concerning disparity between organizations' recognition of cyber risk as a top priority and their actual response to it. While cyber risk has ascended to the top of corporate risk agendas, many organizations struggle to address it effectively within their broader risk framework. Moreover, while the acknowledgment of cyber risk as a critical concern has increased significantly, confidence in managing cyber resilience has declined.
Despite the enthusiasm surrounding emerging technologies, many organizations fail to adequately assess the risks associated with their adoption.
While progress has been made in involving risk management teams in cyber risk agendas, there is still room for improvement. Yes, there has been greater involvement of risk management teams in cyber risk management in recent years. However, the dominance of IT and information security departments as primary owners of cyber risk management suggests that cyber risk is still largely perceived as a technological issue rather than a strategic business concern.
As businesses become increasingly digitized, the consequences of a successful cyber-attack can be catastrophic, impacting brand reputation, customer satisfaction, and financial stability. To effectively combat cyber-threats, organizations must adopt a holistic approach that encompasses risk assessment, measurement, mitigation, transfer, and strategic planning. The specific combination of these elements will vary depending on each organization's unique risk profile and tolerance.
Conclusion
While cyber risk can never be completely eliminated, it can be effectively managed and mitigated through strategic measures. Organizations must recognize the importance of adopting a risk-based approach to cybersecurity. Only by doing so can they achieve much tighter alignment with the business. With finite resources but unlimited cyber threats, a risk-based approach objectively guides where to apply controls based on the criticality and value of your assets and the likelihood of impact. Without a risk-based methodology, cybersecurity becomes reactive and ineffective. Bridging the gap between perception and action is crucial, as cyber risk continues to evolve in tandem with technological advancements. Companies must prioritize cyber risk management, involve risk management teams, and allocate resources to safeguard their digital assets and maintain their competitive edge in an increasingly interconnected world.
Remember, cybersecurity is a continuous journey, and the quest for resilience is an ongoing process. By embracing the challenge of complexity, organizations can strengthen their defense against cyber-threats and ensure the longevity of their digital existence.
Cyber Security | Compliance | Risk Management | Program Management
12 months ago: Yes, it is prudent to use a risk-based approach. In addition, the policies, processes and procedures must be updated when there are changes. This comes into play when we balance security and usability. www.dhirubhai.net/company/itproprime
Seeking VP/Sales Roles | Singaporean Permanent Resident | Former Area VP at Proofpoint | Experienced Tech Executive | Driving Excellence in Technology, Cybersecurity, and Software
1 year ago: Invaluable advice, Wai Kit Cheah! A risk-based approach is key to prioritizing cybersecurity efforts effectively amidst evolving threats. Thanks for sharing!