A Change in Mind-Set: Shifting from Cybersecurity to Cyber Resilience

It is not a matter of if, but when, your organization will suffer a cybersecurity-related incident. How will your financial institution continue to operate and recover during a cyber-attack?

Most financial institutions are focused on defending against cyber-attacks. Despite the time spent building infrastructure, investing in technology, and deploying many cyber defense solutions, institutions are resigned to the fact that they will still suffer data security incidents in their environments. While not every security incident is a data breach, every incident has a material and, most times, significant impact on how the business operates.

For far too long, the mindset and investments in cybersecurity have been focused heavily on defensive strategies, leaving institutions ill-prepared to respond to inevitable and volatile incidents. It is time to shift that mindset from cybersecurity to cyber resilience to keep the threats and capricious threat actors at bay.

This applies particularly to the financial sector, which has been a target for many years and continues to be one. It is a constant game of cat and mouse with threat actors who have greater sophistication, increased funding, and larger attack surfaces through which to compromise organizations and complete their objectives. Attacks can vary from financial fraud, insider threat (e.g., insider trading, market manipulation, intellectual property theft, critical services disruption), software supply chain attacks, physical asset theft (e.g., an executive laptop stolen from a hotel room), theft of Personally Identifiable Information ("PII") which is leveraged in other attacks, web application compromises, distributed denial-of-service ("DDoS") disruptions, and more. Attackers will constantly try to find new ways to gain unauthorized access and information from financial institutions for one reason: this is where the money is.

Regulators across the globe have taken notice. The laws and regulations vary from country to country but generally focus on establishing and maintaining an information security management system ("ISMS") which defines the controls in place to manage organizational risk around the confidentiality, integrity, and availability ("CIA") of information. However, having an ISMS program is just the start. Regulators ask that these programs be frequently assessed for efficacy and compliance with new standards, and that organizations promptly report cyber-attacks. This means that firms need to have more than "check-box compliance" risk management programs. Organizational leaders are faced with owning and managing the risk across the enterprise. They must develop robust cybersecurity programs that orchestrate compliance, legal, privacy, and business operations across people, processes, and technology.

Making matters more complex for leaders and regulators are technology advances such as Machine Learning ("ML") and Artificial Intelligence ("AI"). The increased adoption and use of these technologies in capital markets and trading can dramatically change the way firms manage, trade, and invest assets. However, these technologies also introduce risk at scale in ways the world has never seen before. Organizations need to be nimble and adapt to an ever-changing landscape of information technology that supports critical business functions.

To have a cybersecurity and risk management program that effectively balances regulatory requirements with business efficiency while adapting to the rapidly changing landscape of technology, organizations need to change their programs' design. Cybersecurity programs designed heavily on defense are no longer enough and, in many ways, slow down business operations and innovation. For cybersecurity programs to effectively enable business, they need to integrate with critical functions and provide continuity of operations seamlessly. Firms cannot simply stop operating when a cyber event affects the business. Companies need to be cyber resilient.

But what is cyber resilience? Cyber resilience is a strategy that accepts there will be incidents in your environment. It means adopting a mentality of not if but when a cyber-attack will occur in your business. However, the success of a cyber-resilient program is not measured by how many attacks you stop. Instead, it focuses on how fast you can detect, alert on, respond to, and mitigate incidents. This is a fundamental change from the mentality of trying to stop or slow down every attack and then being paralyzed when threat actors overcome your defenses.

Companies that evolve to cyber resilience focus their priorities and investments on detection and response capabilities. This allows for more effective security operations that enable businesses to continue to operate while events are triaged, incident response is performed, threats are mitigated, and the recovery of business-critical functions is uninhibited. In essence, it means having the people, processes, and technology to withstand cyber incident stress to maintain business continuity.

Regulators are also keen on the concept of resiliency to mitigate cybersecurity risks to the financial services industry. The United States Securities and Exchange Commission (SEC) and its Office of Compliance Inspections and Examinations (OCIE) have taken notice of cyber resilience programs in the US securities market. Additionally, the United Kingdom, the E.U., Singapore, and other international regulators have all encouraged and, in some cases, proposed operational resilience frameworks for their respective sectors.

In 2015, the United States and Britain conducted joint exercises to test how they would respond individually and together to cyber-attacks against financial markets and institutions. The Securities Industry and Financial Markets Association (SIFMA), a United States industry trade group representing securities firms, banks, and asset management companies, has been conducting a biennial cybersecurity global readiness exercise since 2011 called Quantum Dawn. Its latest exercise, Quantum Dawn V, was completed in November 2019 with more than 800 representatives from over 150 financial firms and more than 50 regulatory authorities, central banks, government agencies, and trade associations across 19 countries. The goal was to allow participants to exercise their capabilities in a coordinated response to a global cyber-attack and share ways to improve their individual and collective programs' resiliency.

So how do you become cyber resilient? The process of cyber resilience must be a journey, not a destination. Your institution will never be one hundred percent secure from all cybersecurity risks and attacks. However, your organization can have the security controls to maintain operational fortitude when an attack inevitably occurs. It also requires integrating security functions into business processes. Cyber resilience is like brakes on a car. Brakes are not meant to stop the vehicle from moving forward. They are intended to allow the vehicle to drive as fast as it can at safe speeds. Frame cyber resilience similarly: to enable the business to operate safely, as quickly as possible, even in the face of dynamic and sophisticated adversity.

The MITRE Corporation, a United States not-for-profit organization that, among other cybersecurity initiatives, provides guidance resources, published a report in 2015 titled "Cyber Resiliency Engineering Aid – The Updated Cyber Resiliency Engineering Framework and Guidance on Applying Cyber Resiliency Techniques." The report details the Cyber Resiliency Engineering Framework ("CREF") with four main high-level cyber resiliency goals: anticipate, withstand, recover, and evolve. Anticipate is to maintain a state of informed preparedness. Withstand is to continue mission-critical business functions despite adversity. Recover is to restore mission-critical business functions during and after adversity. And finally, evolve is to adapt functions and capabilities to changes. The goals are supported by a variety of objectives and techniques to achieve the desired business outcomes.

It is critical to understand that the CREF is not a one-size-fits-all recipe for resiliency. It is designed to guide system engineers and security architects when deciding which resiliency techniques to apply. It is more tactical than strategic. For CREF to be effective, several other pieces of an overall strategic cyber resilience program need to be established.

First, a cyber resilience plan needs buy-in from C-level executives and leaders. CISOs and security leaders who want to implement cyber resiliency programs need executive sponsorship and support to create a "tone from the top" that security and risk management are an adopted function of the business. Without executive buy-in, any program will struggle to get institutional funding and adoption. CISOs must avoid fear, uncertainty, and doubt ("FUD") when proposing cyber resilience programs. Security leadership must understand the businesses they support and speak the language of business risk management to gain their corporate executives' confidence and support. By explaining a realistic plan in non-technical terms without fearful hyperbole and demonstrating empathy for the organization's strategic goals, CISOs will align with the executives and get the support they need.

Next, a Risk Management Framework ("RMF") must be agreed upon and adopted by security leaders and executives. The United States National Institute of Standards and Technology ("NIST") developed the Cybersecurity Framework ("CSF") with a focus on five functions: Identify, Protect, Detect, Respond, Recover. While initially designed for U.S. critical infrastructure, it is highly adaptable to many sectors and institutions. It has been translated into many languages and is in use by the governments of Israel and Japan. The NIST CSF has gained such popularity and adoption because it is understandable, adaptable, speaks in business outcomes, and is a living document that evolves with new technologies and threats. Additionally, it crosswalks to compliance frameworks and other RMFs, and is respected by regulators. By defining and understanding business risks, you can build resilience around the functions that support the business.

To operationalize an RMF and make cyber resilience plans a reality, you have to gain visibility into your environment. To detect and respond to threats, you need to know which devices in your environment you are protecting. You can't watch what you don't see. A robust and dynamic inventory of devices, users, and applications, mapped to business owners and functions, is the foundation of effective security operations. Without insight into what is normal for the business, captured in established baselines, response to threats takes exponentially longer, resulting in increased costs and business downtime.

With a clear understanding of what devices you have, what data resides on them, what business function they support, and who has access to them, you need incident response and business continuity plans. These plans are guides on how to respond to events and incidents which impact business operations. Whether it is a cyber-attack or a worldwide pandemic, business operations need to continue unfettered. Having a concise, tested plan of execution will allow your business to work seamlessly in an emergency. These plans are not dogma but living documents, updated regularly and backed by executive support so that they function effectively. They outline who does what, when, and where, in a crisis. They are anticipatory in nature: these are not procedures you want to develop in the middle of an emergency. Test them at least once a year and ensure they are always up to date with organizational changes.

Finally, implement security operations that allow you to quickly detect, alert on, respond to, and mitigate incidents. Incidents will come in many forms, and you must handle them in ways that keep the business running. Additionally, you will want to incorporate the lessons learned from each incident to increase your resiliency through anticipation, evolving your team's ability to respond and investigate. You can further accelerate your operations' efficiency by adopting security orchestration, automation, and response ("SOAR") platforms in your operations centers. SOAR platforms help reduce the waste of repetitive human actions, so you get faster time to value from the personnel who staff your security operations. Mature security operations with a focus on resiliency allow for better reporting on business KPIs. What gets measured gets managed, and in a well-orchestrated security operations environment, security leaders can more readily demonstrate the return on investment to executives in board meetings.
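The two operational building blocks described above, an owner-mapped asset inventory with a baseline and measurable detect/respond performance, can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from any of the frameworks it cites. The baseline, the observed host list and the incident records are all constructed sample data; the hostnames, owner names and incident IDs are placeholders. It reconciles what the business says it runs against what is actually seen, so unknown hosts (no owner, no baseline) and missing critical assets surface immediately, and it turns incident timestamps into the time-to-detect and time-to-contain figures a resilience program would report to the board.

```python
"""Asset-inventory reconciliation and detect/respond KPIs (added example)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str        # business owner accountable for the asset
    function: str     # business function the asset supports
    criticality: str  # "high", "medium" or "low"


# Constructed baseline: what the business says it runs, mapped to owners.
BASELINE = {
    "trade-gw-01": Asset("trade-gw-01", "Head of Trading", "order routing", "high"),
    "pay-api-02": Asset("pay-api-02", "Payments Lead", "payments", "high"),
    "hr-web-01": Asset("hr-web-01", "HR Director", "HR portal", "medium"),
    "build-01": Asset("build-01", "Platform Engineering", "CI/CD", "medium"),
}

# Constructed observation, e.g. a network scanner export: what is actually there.
OBSERVED = {"trade-gw-01", "pay-api-02", "hr-web-01", "lab-box-77"}

# Constructed incident records with ISO-8601 timestamps (placeholder IDs).
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T08:00:00",
     "detected": "2024-03-01T09:30:00", "contained": "2024-03-01T13:30:00"},
    {"id": "INC-2", "started": "2024-03-05T22:00:00",
     "detected": "2024-03-06T06:00:00", "contained": "2024-03-06T07:00:00"},
    {"id": "INC-3", "started": "2024-03-10T10:00:00",
     "detected": "2024-03-10T10:15:00", "contained": "2024-03-10T16:15:00"},
]


def reconcile(baseline, observed):
    """Split the observed hosts into those with no baseline entry (unknown,
    nobody owns them) and baseline assets that were not seen (missing)."""
    unknown = sorted(set(observed) - set(baseline))
    missing = sorted(set(baseline) - set(observed))
    return unknown, missing


def triage_queue(baseline, missing):
    """Order missing assets so high-criticality ones are investigated first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(missing, key=lambda h: (rank[baseline[h].criticality], h))


def owners_to_page(baseline, hosts):
    """Map each missing host to the business owner who must be contacted."""
    return {h: baseline[h].owner for h in hosts}


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def kpis(incidents):
    """Time-to-detect (start -> detected) and time-to-contain (detected -> contained),
    in hours, as mean and median. Medians resist a single slow incident skewing the story."""
    ttd = [_hours(i["started"], i["detected"]) for i in incidents]
    ttc = [_hours(i["detected"], i["contained"]) for i in incidents]
    return {
        "mean_ttd_h": round(sum(ttd) / len(ttd), 2),
        "median_ttd_h": round(median(ttd), 2),
        "mean_ttc_h": round(sum(ttc) / len(ttc), 2),
        "median_ttc_h": round(median(ttc), 2),
    }


if __name__ == "__main__":
    unknown, missing = reconcile(BASELINE, OBSERVED)
    print("unknown hosts (no owner, investigate):", unknown)
    for host in triage_queue(BASELINE, missing):
        print(f"missing {host} ({BASELINE[host].criticality}) -> page {BASELINE[host].owner}")
    print("detect/respond KPIs:", kpis(INCIDENTS))
```

Run as a script it reports `lab-box-77` as an unowned host, `build-01` as a missing medium-criticality asset with its owner to page, and the KPI dictionary. Feeding real scanner exports and ticketing data into the same two functions is the minimum a team needs before the "what gets measured gets managed" conversation with executives can happen.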

Cybercrime is not going away. It is here to stay. Institutions that accept they are active targets for criminals remain ready to respond to cyberattacks seamlessly. We know the Tactics, Techniques, and Procedures (TTPs) discovered in past incidents and cybersecurity research. However, we don't know what threat actors' behaviors will be tomorrow, or which of them will result in financial fraud or business interruptions. Companies that stay agile and ready to tackle unforeseen risks with well-thought-out, mature programs will stay ahead of the competition. These are resilient firms.

The questions remain. Have you reviewed your plan and program since the start of the pandemic, SolarWinds, or Log4j?

Are you cyber resilient?

Resources

Cybersecurity and Resiliency Observations

https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf

Cybersecurity Exercise: Quantum Dawn V

https://www.sifma.org/resources/general/cybersecurity-exercise-quantum-dawn-v/

Cyber Resiliency Engineering Aid – The Updated Cyber Resiliency Engineering Framework and Guidance on Applying Cyber Resiliency Techniques

https://www.mitre.org/publications/technical-papers/cyber-resiliency-engineering-aid-the-updated-cyber-resiliency

Cybersecurity Framework | NIST

https://www.nist.gov/cyberframework


Andrew Chrostowski

Board Member; Speaker; NACD Directorship Certified & DDN QTE

8 months

Solid starting point for cybersecurity resilience.

Katalin Kish

★ I create value by turning complex info into actionable insights using technology & Maths. MBA, Global E-Commerce Champion

10 months

And:
- Don't expect to know of attacks. We cannot sense cyber-risk/cannot even sense cyber-devastation unless we find logical, physical signs of what happened.
- Cyber-space is neither finite, nor explorable + it grows with every new function/discovery.
- Absence of proof ≠ proof of absence for cyber-crimes.
- It is impossible to prove that an outcome is the result of a cyber crime beyond a narrow range e.g. theft, child-abuse, etc., let alone proving individual cyber-criminals' guilt beyond reasonable doubt = cyber-crimes are a risk-free triviality.
- Cyber-criminals, including govt/military insiders are free to trade with Russia, Iran, DPRK, etc.
- No one knows, ever, the full range of tech in crime arsenals.
- Audits are about past issues, passing them = false sense of security. While past issues must be taken care of, they guarantee nothing about current, let alone upcoming issues.
- Opportunity makes thieves everywhere. See Victoria Police, Australian Signals Directorate & Defence Australia bikers aiding organised crime, showing off their risk-free criminality.
- Tech in Au crime arsenals = crime witness' devastation remotely & anonymously?? https://www.dhirubhai.net/pulse/contactless-extortion-australia-katalin-kish-upqyc/

Tereston Bertrand Sr. SABSA SCF

Business Driven Security-SABSA-The Agile Security System (TASS)

1 year

Thanks. They (security and resilience) are not mutually exclusive; it has to be both. In our current approach to security we just don't see it because we work in silos, in isolation, optimizing parts and not looking at the system. We must have the right approach to security in order to achieve both.

Shawn Riley

Cybersecurity Scientist | US Navy Cryptology Community Veteran | VFW Member | Autistic | LGBTQ | INTJ-Mastermind

2 years

The MITRE Cyber Resiliency Engineering Framework was the main source of NIST's 800-160 vol 2, released in 2019 and updated to rev 1 in 2021. NIST 800-160 vol 2 rev 1 includes nearly all the original MITRE CREF content and adds in mappings to 800-53 controls that support resiliency and mappings to MITRE ATT&CK TTPs. "NIST Special Publication (SP) 800-160, Volume 2, focuses on cyber resiliency engineering—an emerging specialty systems engineering discipline applied in conjunction with systems security engineering and resilience engineering to develop survivable, trustworthy secure systems. Cyber resiliency engineering intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to help reduce the mission, business, organizational, enterprise, or sector risk of depending on cyber resources." https://csrc.nist.gov/publications/detail/sp/800-160/vol-2-rev-1/final

More articles by Douglas Brush