Business Technology, for the Win - Cybersecurity

As a CIO, one of the most challenging duties that you face is to balance driving value-creating initiatives with keeping systems running smoothly without interference. Managing an IT strategy is like playing a chess game where you are carefully making decisions today that will have critical ramifications tomorrow. You have to think multiple moves ahead to ensure that your efforts will maximize company value over the long term. Some of those moves will be immediately obvious, while others are part of a larger strategy where the value won't be realized until some point of time in the future.

One of the areas where long-term thinking is paramount is cybersecurity. The world continues to be a dangerous place to do business, with malicious characters working to act as disruptors to businesses of all types. Investment in cybersecurity today could have incredible dividends, but they are often not realized in the most obvious ways. The payoff of cybersecurity investments today could mean that a future disruption is averted tomorrow. This ability to avoid a cybersecurity incident has the future value of not having to allocate resources toward triage and clean-up efforts. Developing a return on investment analysis based on a what-if scenario like this is a challenge faced by all CIOs.

When we talk of malicious characters, the definition of who the attacker is can widely vary. It can span from individuals, either inside or outside the organization, to groups, loosely or tightly organized, to nation-states intent on harming their enemy nation-states, which are ultimately made up of businesses. These attackers vary in the level of skill that they possess, the tools that they have at their disposal, and their intent.

The goal of these attackers is often to disrupt. This disruption can be in the form of activity meant to slow or halt business operations, but can also be in the form of stealing valuable data that has the potential of degrading your users' trust and disrupting your efforts to generate business value.

With so many attack vectors and so many ways that the business can be disrupted, deciding where to start can seem overwhelming. Here are some moves that you can make today to set your business up to win in the future.

  • Executive Cyber Education - As a CIO, you are uniquely positioned to be able to communicate to the executive team the value and importance of cyber security investment. To take full advantage of this, it is important to become a storyteller. You need to be able to paint a picture of what the future could look like if the current investment is neglected. To be effective, this story has to be grounded in fact but crafted to generate a sense of urgency amongst your peer executives.
  • Phishing Awareness - The main attack vector that adversaries use is to embed malicious content in seemingly benign messages or to impersonate well-intentioned actors in an effort to get the employees of your company to perform activities that put the business at risk. Leveraging a tool like KnowBe4 can create a culture of recognition among your workforce. By teaching them what malicious phishing messages look like and the tell-tale signs that they can look for, your users will recognize real phishing attempts when they come and shut them down before they do harm.
  • Intrusion Detection & Response - As an organization, you have multiple endpoints that are exposed to the public that could be attacked. These include the devices inside your network perimeter - your servers, your desktops, and your mobile devices. The idea behind intrusion detection is to monitor these endpoints and escalate suspicious behavior. As these events are investigated, patterns of behavior can be assessed and further responses can be taken to ensure that the endpoints are not compromised. A managed service, like Arctic Wolf, can perform this function even if you don't have the in-house expertise to run your own intrusion detection and response program.
  • Patch Management - With your endpoints, it is important that you keep them current on their patching. Whether this is an operating system on a desktop, server, or mobile device, or firmware associated with your network appliances, keeping these up-to-date with the most recent versions from your vendor will help mitigate the risk of a malicious actor using a known zero-day exploit to attack your systems. Tools, such as Syxsense, An Absolute Security Company, can help manage your endpoints and ensure that they are current on their patching levels.
  • System Hardening - Having pre-defined hardened system configurations for your desktops and mobile devices and for your virtual machines can ensure that you don't open up vulnerabilities on your network each time that you launch a new device. This base image can include configurations such as open ports, user rights, and pre-installed software.
  • Anti-virus - Establishing a corporate standard for anti-virus and anti-malware software on your devices and making sure that they have the most recent version of virus and malware definitions can ensure that your users are protected. This alone is not sufficient but can act as a backup protection when the education efforts fail and your users inadvertently perform an unsafe activity (e.g. opening an attachment, clicking on a link, etc.). Tools, such as Sophos, can assist you in protecting your systems against viruses and malware.
  • Code Analysis - With application and software development, each new release of code into production carries the potential to open up new and dangerous vulnerabilities. Establishing code analysis as part of the DevSecOps deployment process can monitor for potential vulnerabilities and prevent the code from going to production until they are corrected. These tools are not foolproof but do increase your level of confidence that new code is not being deployed that will thwart the efforts of your other security controls. Tools, such as SonarQube by Sonar, can assist you in your efforts.
  • Perimeter Security - Prior to the pandemic, a network perimeter was much more clearly defined. You could use physical firewalls on your office network to monitor the ingress and egress traffic and establish rules by which you could create protection for your key applications and data. With the explosive increase of work-from-home (WFH), organizations have had to figure out how to leverage virtual firewalls or cloud firewalls to protect their employees regardless of where they were physically located. Vendors, such as Zscaler, have advanced the concept of security service edge (SSE) and offer protection at the edge of your network, wherever that exists.

As in chess, IT strategy, and cybersecurity in particular, is a game of moves and counter-moves. You are doing what you can to create a safer environment, while at the same time the adversary is taking actions to circumvent those safeguards and inflict damage. The activities above will position you well for your game of security chess and allow you, as a CIO, to avoid redirecting expensive resources from your value-creating initiatives to perform triage and clean-up after a future security event.

—————————————————————————————————————

The vendors mentioned in this blog are only examples of possible solutions. If you would like to learn more about each of these domains in cybersecurity, Gartner is a valuable resource and can provide you with detailed information about vendors in each of these areas that could match your company's specific needs. They also have analysts in each of these areas, such as Paul Proctor, Paul Furtado, Jay Heiser, John Watts, Bernard K. Woo, MBA, Tom Scholtz, and Claude Mandy. These individuals can provide more in-depth discussions about these different domains and the associated solutions to secure your environment. I have leveraged their knowledge in the past to give me greater insight as a CIO in ensuring that I was making the right security decisions for the business.

Absolutely, it's a strategic battle of wits and preparation. As Sun Tzu wisely said, “The supreme art of war is to subdue the enemy without fighting.” Stay proactive and always think several moves ahead! #CyberSecurity #Strategy Follow us!

Reid Stephan

VP, Chief Information Officer

2 years ago

Troy Hiltbrand - I appreciate this succinct summary that captures the pragmatic elements. The importance of executive engagement that is built on solid vs sensational storytelling really resonated with me. You don't have to exaggerate the nature of the risk - it is compellingly captivating all by itself.

Matt Workman

Customer Success Manager - at Armis

2 years ago

Great article Troy Hiltbrand! Many lessons can be learned from the insights you've provided here. Keep up the great work!

Jonathan Homer

Chief Security Officer and Vice President at CPS Energy

2 years ago

Excellent article Troy. Nice job!

Paul Erickson

Passion and commitment are in front of every cybersecurity outcome we provide.

2 years ago

Great writeup, Troy. Cybersecurity has become a real challenge for every organization. The items you mention provide a great framework and align to the best practices we're seeing in the industry and hearing from customers on a daily basis.
