Security : Always too much and never enough!

In fall 2018, I was been told by my advisor at Harvard that I’ve a security course due that is a requirement for the degree. It was kind of surprising because I had already taken courses like Cloud Security, Cyber Threats and Internet Protocols and Big-Data (which covered Data Security) so my candid response to her was…"Oh no, not again!" It wasn’t that I didn’t liked Security as a subject, but my question was what’s new in this course that I haven’t learned in the previous classes. I was really looking forward to taking the Blockchain course that semester but was forced to take up this one. And without arguing too much, I enrolled for the course.

In my first class itself, I realized why Cyber Security is such an important topic and how it was all the more useful for a degree candidate like me whose major was in "Information Management".

After working as an assistant faculty for the Cloud Security course for 3 years and helping multitude of professionals in creating the security structure from the ground-up and also studying tons of other security policies, I still don’t consider myself as a Security expert and would always be like to be known as a Product/Project Management expert first but here are my two cents on the current & emerging challenges of cyber security.

Before I dive deep into the importance of having an incident response policy and the future of AI in security, I would like to share some interesting facts about the current situation of the market in the cyber world. 

According to a survey conducted by IBM, 77% of organizations do not have a formal cybersecurity incident response plan applied consistently across the enterprise. Out of which, only 31% have a sufficient cyber resilience budget in place, and only 29% agree their staffing for IT security is adequate enough to achieve a high-level of cyber resilience. 

It takes 210 days on an average to identify an incident and of the organizations surveyed that do have a plan in place, more 50% do not test their plans on a regular basis, which leaves them vulnerable to risks or effectively manage the complex processes and coordination that should take place in the wake of an attack. Also, 83% of the incidents that have ever occurred have been reported by a third party or a legal group. 

As per 2019 Forcepoint Cybersecurity Predictions Report, “Organizations will be hampered by an ongoing skills shortage and analysts predict a shortfall of 3.5 million cybersecurity jobs by 2021.” 

67% increase in the average number of security breaches has been noted in the last 5 years and the average cost of cybercrime has gone up by 72% in the last 5 years. $11.7m was the average cost in the year 2017 which has now gone up to $14.5m in 2019. 

Few questions to ponder here are: Does your organization have a cybersecurity strategy in place? And with this on-growing shortage of skills available in the market do you think we can make use of AI or machine learning to help automate some of this work? 

“Failing to plan is a plan to fail”

This phrase stands so true when it comes to responding to a cybersecurity incident. But a strategy without tactics is also the slowest route to a secure environment. These plans need to be regularly tested and need full backing from the board to invest in the people, processes and technologies to sustain such a program. 

I feel that technology can help automate threat detection and response can ease the burden on employees, and potentially help identify threats more efficiently than other software-driven approaches but there’s a danger that they will overlook ways in which the machine-learning algorithms could create a false sense of security. 

Automation in this field is still emerging and very few organizations today use automation technologies, such as incident response platforms, identity management and authentication, and security information and event management (SIEM) tools, in their response processes. The cybersecurity skills gap appears to be further damaging the cyber resilience, as organizations reported that a lack of staffing obstructed their ability to properly manage resources and needs. Furthermore, 75% of organizations rate their difficulty in hiring or retaining skilled cybersecurity professionals as very high.

After analyzing several case studies and studying various security policies, my professor once insisted me to study D&B’s policy. I was quite hesitant to do that because the first thought that came to my mind was that what if there are flaws in our policy? What am I going to share in the class? It’s hard when you’re associated with two big brands. And another reason was that since I don’t work closely with this team, how am I going to get hold of this policy? I wasn’t sure if it was even shareable with all employees. When I shared my concern with the professor, he said as I’m already doing this course, I should be studying our policy and should be giving feedback to the organization if there are any flaws. And this one thing I really liked about Harvard, that all the professors always pushed the students to get out of their comfort zones and to walk that extra mile. 

Luckily, we had our Compliance leader visiting to our Boston office the very next week and it was really fortunate that I got to spend some time with him. In our conversations, I shared the work that I was doing outside D&B and asked him if I can get to study our Cyber Security policy. To much surprise, he promptly shared the access to the file. I was even more surprised when I looked at the policy! I got some mind-blowing information that made me feel so proud. So, D&B not only lies in that 33% of spectrum where organizations do have an incident policy in place, but they also have a dedicated team, allocated budget and regular audits done for these policies. I was so happy to see that the policy was much up to the NIST standards and did not have a single flaw or any missing information. Also, they follow agile project management even in the Security department. Now isn’t that amazing for a 200yr-old organization that how they maintain their old legacy and yet uses all these latest technologies? (Trust me, D&B hasn’t paid me for writing this, in fact I haven’t even met our CISO yet:-)

One very important thing to remember is that no matter how strong your current policy is, you still have to be extra careful when it comes to new mergers and acquisitions. Because these hackers are way smarter than you and they already know what companies you’ve been eyeing on acquiring. If they can’t get into your network, they always target those small businesses and wait for you to merge with the new network so that they can get access to all your company’s assets! So, make sure you use your due diligence and go through the network & security policies and don’t end up buying a breach!