Knowing that, despite being interested in a variety of fields in IT, cybersecurity is my Achilles heel, I asked my good friend
Dr. Aleksandr Zhuk, MEng, CISSP, CISM, CRISC, CGEIT, CDPSE
to enlighten me. He knows enough about these things to be a professor of cybersecurity as well as a practicing CISO. We spoke not only about relevant questions and answers, but also about the more fundamental willingness – if not desire – to concern ourselves as mere mortals with future fears over current conveniences. This article is my summary of our exploration. I hope you find it as useful as I do.
The world of cybersecurity is full of asymmetries: in the impact of failure, in the size of the attack surface versus the surface that can realistically be defended, in how long it takes to deploy resources, in the specialized expertise required, and in who is bound by ethical and legal constraints. Failures are practically inevitable. True cyber resilience hinges on acknowledging a number of inconvenient truths, both technical and organizational, in order to build a strong defense.
- Who are we? Are we a bank with billions of customer funds to protect and sensitive customer information to guard or are we a world-famous candy shop whose most priceless asset is the secret candy recipe that has been passed on from generation to generation for the last 500 years and that brings a million tourists to us every year?
- What are we protecting? Is it banking customer records and their money, or are we guarding the candy recipe? Which systems hold these assets? This includes not only our own infrastructure, but also that of the third-party vendors we may rely on. For example, do we back up the secret confections recipe to the cloud? That’s good, right? Well, maybe. Does our backup cloud provider actually encrypt our data and make sure that not everyone on their staff has access to our backup? Oh, we didn’t check. Well…
- What's at stake? If we are a bank, we can insure customer deposits against theft, but if the magic candy recipe is out, will our candy shop business fold, even if we get a few million dollars in insurance payout? We need to clearly identify the potential consequences of a cyberattack, and determine which of those are unacceptable.
- Does everyone know who we are? Is everyone on the team aware of who we are and what we are protecting or are some of the people we hired still unsure? Did we tell them and keep reminding them periodically?
- Do we have any defenses? Are they ready? Are they in the right place? Are we undermining them ourselves? For example, remember that candy recipe? Is it an open secret among our candy shop employees that a hand-written copy of the recipe sits on the owner’s desk “for the convenience of the night-shift candy production supervisor”? OK, so we do have some controls, and they seem to be where they should be to mitigate the critical risks we identified, but when did we last test them to make sure they still work?
- Are we all aware? This is not only a question of whether managers are aware of the risks, but of whether there is awareness of cybersecurity risk throughout the entire workforce. In other words, how much is cybersecurity part of the organizational culture, “how we do things around here”?
- Information Security function capabilities: We hired a Chief Information Security Officer (CISO), but did we give them staff and budget? If not, how effective can the Information Security function be in addressing the many looming cyber threats? Did we just hire the CISO to check a regulatory compliance box and, when a breach eventually does occur, have someone to blame for it?
- Transparency and authority: Does the CISO speak directly and frequently with the business leadership about security risks? Or do they report to a Chief Technologist who is incentivized to maintain the illusion of control?
- Boardroom awareness: Is the board rationally and emotionally aware of the cybersecurity risks, both in terms of the operational realities and the potential reputational damage? Are they aware that they may be held legally liable for lack of cybersecurity oversight? Are they politically able to do the right thing? Have they ever met the CISO?
By confronting these difficult truths, organizations can build a more robust and resilient cybersecurity posture. This hinges, however, on the human desire and ability to “know thyself”.
Founder of The ITSM Practice Podcast | ITIL Ambassador | Helping CIOs in Fintech, Telecom, and Managed Services Define Robust Service Management and Security Operating Models
7 months ago
Commenting for visibility: to achieve basic resilience, organizations must consider ITIL + ISO 27001 processes.
---------
Follow me on LinkedIn for daily insights on ITSM and IT Security. Check out The ITSM Practice Podcast on Spotify: podcasters.spotify.com/pod/show/theitsmpractice #itil #itsecurity