Issue Twenty Three

Target Lock

March 2023

The latest and most comprehensive National Cybersecurity Strategy was announced and made public this week. We will be sharing Silent Quadrant’s dedicated analysis of the new priorities and what to expect within a Special Release as plans for implementation begin to unfold.

As it relates:

We’re seeing business leaders, global cybersecurity leaders, and the Federal Government calling for action.  The message is clear: We cannot maintain the status quo and expect to catch up to national and global threats.  Collaboration and automation are common themes within the discussions – in large part to combat the massive increase in threats, but also to address the impact of the talent shortage on the industry.  

The war in Ukraine is serving as a force multiplier in the search for a more widescale, proactive approach to geopolitical events that spawn nation state attacks introducing economic implications worldwide.  Collaboration, via intelligence and resource sharing, is leading the conversation for strategic implementation.  How this unfolds is yet to be seen, but there is clear momentum and energy behind the priority.

How this translates to executives and stakeholders:

The time is now for business leaders to begin laying the foundation of governance as the driver for preparation of what’s to come.

“Effective cybersecurity governance must address the people, processes, technology, operations, and culture across the enterprise so that an organization is not only prepared for and mitigates against cyber threats and other vulnerabilities, but also demonstrates resilience in the face of the inevitable.”

"Cybersecurity is no longer a function of the business; it has evolved to become the ecosystem in which the entire enterprise landscape must operate within."

This month’s issue of Target Lock dives deeper into exactly what cybersecurity governance means and what we’re witnessing in the global cybersecurity landscape on whole.  Enjoy.


ZEROING IN


Cybersecurity Governance – an Enterprise Risk Imperative


Silent Quadrant

Effective cybersecurity governance must be driven by an organization’s decision makers and integrated throughout strategic operational goals and objectives.
 
Effective Cybersecurity Governance
 
It is easy to get confused by what constitutes cybersecurity governance. No surprise that there is an absence of consensus on the topic. Effective cybersecurity governance should be risk-based, holistic, and ensure visibility and accountability for everyone in the organization. To be effective, cybersecurity governance must be driven from the senior-most, decision-making levels of an organization and integrated throughout strategic operational goals and objectives.
 
Cybersecurity governance is not just for large organizations with significant financial budgets and personnel resources. Small to midsize businesses comprise the majority of U.S. businesses, with more than 95% having fewer than 500 employees and employing nearly half the U.S. workforce. Each faces the same information security challenges and cyber risks as larger organizations do. Yet, whereas a larger business is likely to rebound from a data breach or cyberattack, a smaller business may not. This underscores the importance of cybersecurity governance regardless of the size of the organization.
 
Cyber threats can imperil any part or all of an organization. Therefore, effective cybersecurity governance must address the people, processes, technology, operations, and culture across the enterprise so that an organization is not only prepared for and mitigates against cyber threats and other vulnerabilities, but also demonstrates resilience in the face of the inevitable.
 
An Enterprise Risk Management Approach
 
The productivity gains of digital transformation are essential to remaining competitive in a global economy. However, the expanding digital landscape exposes businesses and individuals to the likelihood of a cyberattack, with resulting financial impact, reputation damage, and diminished sustainability. As attacks proliferate and costs to business and society continue to mount, it seems that cyber risk and cybersecurity must be viewed from a different perspective.
 
Technology is built into every facet of an organization’s operations and most everyone in an organization relies on some form of digital technology to effectively perform their job. Moreover, the increasing severity of cyberattacks requires that enterprises ensure that cybersecurity risk is receiving appropriate attention. To that end, the governance of the enterprise and its digital environment cannot sit below or alongside the digital environment; it must be viewed and acted upon from the enterprise level. By doing so, organizations are better equipped to identify, assess, and manage their cybersecurity risks in the context of the broader mission and business objectives.
 
I am an ardent advocate of enterprise risk management (ERM) that includes and integrates cybersecurity and data protection. ERM provides a comprehensive view of organizational challenges to help leaders prioritize and manage the interrelated nature of risks rather than looking at risks in silos. And in the cybersecurity context, ERM allows an organization to effectively assess and analyze how technological developments may impact the corporation’s profitability and prospects for sustainable, long-term value creation.
 
Effective Enterprise Risk Management Programs
 
Effective ERM programs balance goals and business objectives with available resources while considering risk tolerance and appetite. The ERM Playbook, while focused on federal agencies, offers valuable insights into ERM and identifies ten principles of an effective ERM program. Of particular note:

  1. Identify a governance cybersecurity framework, or establish a risk management roadmap, that enables key decision makers to make informed decisions to meet the organization’s objectives, i.e., not just shareholder value.

  2. Cybersecurity is an ERM issue because managing cyber risk is everyone’s responsibility. An organization is only as strong as its weakest brick in the human firewall.

  3. Transparency and openness are vital for creating a strong cybersecurity risk management culture where everyone is safe and encouraged to raise cyber risk-related concerns to management.

  4. ERM should be integrated into every organizational process such as cybersecurity strategy planning, cybersecurity investment, and performance management.

  5. ERM helps identify gaps, develop mitigation plans and prepare for the future, which enables a culture of resilience.

  6. Embrace divergent points of view and perspectives. Diversity of thought is greatly enhanced by diversity of people, opinions, and perspectives.

Risk management is NOT risk elimination. The goal of any risk management program is providing decision makers with the relevant threat landscape to inform decisions. Cybersecurity risks are enterprise risks and must be addressed as part of a mature ERM program and not an isolated risk management effort.

SQ Insight: Tony Ogden - President, GRC


Cybersecurity Decisions Don't Really Understand Today's Attackers

CDO Trends

Ukraine’s top cybersecurity leader has called for the creation of a “Cyber United Nations” in response to the increasing frequency and severity of cyberattacks globally.  As detailed, the organization would serve as a hub for intelligence sharing and a security center providing experts the ability to respond to cyber fallout resulting from geopolitical incidents.  Although the establishment of such an organization is a response to the UN's inability to gain global consensus as to how states should operate and responsibly respond within cyberspace, a treaty-bound multinational effort may be more advantageous than a separate organization.  Such an organization could determine essential member criteria, ensuring that certain financial, material, and personnel requirements are met as a necessary precondition before they are allowed to join.
 
“What is not needed is a separate United Nations focused on cyber issues.  Bloated bureaucracy cannot solve issues that happen in nanoseconds and with technology that is continually evolving.  A treaty-bound cyber organization is better positioned to have an immediate impact on the cyber threat ecosystem and the geopolitics that often spawn some of the more disruptive cyber-attacks that have been observed.”
 
Theoretically, the cyber organization would be able to succeed where UN cyber initiatives have stalled.  While the UN struggles to define cyber terminologies and the criteria by which to measure them, a treaty-bound cyber organization could actively implement measures such as identifying cyber thresholds for response, conducting joint defensive and even hunt-forward operations where appropriate, and collecting evidence that could be submitted to the International Criminal Court when the most egregious transgressions are committed by states and their proxies - particularly against critical infrastructures.
 
“Actions taken and the consequences that resulted from them start to shape how future cyber-attacks will be addressed by responsible nations.  And through escalating punitive actions against offenders, red lines will be established without having to expressly declare what they are.  What such an organization cannot be is another forum for discussion of lofty ideals and an exchange of competitive philosophies that will serve only to cause more inertia.  Actions not words may be the only true way to set any type of cyber norms.”
 
A Cyber United Nations would be a useful counterbalance to the aggressive global cyber operations of China, the more disruptive and destructive attacks of Russia, the thievery of North Korea, the disinformation campaigns of Iran, or even the rampant cybercriminal ecosystem writ large.  In addition, for those countries frequently targeted by hostile cyber malfeasance, joining – or at least closely allying themselves with – such an organization would lend credibility to the foundational reasons the organization was formed in the first place.  A treaty-bound cyber organization is better positioned to have an immediate impact on the cyber threat ecosystem and the geopolitics that often spawn some of the more disruptive cyber-attacks observed recently.
 
In creating a treaty-based multi-national effort that serves as the center for monitoring developing cyber hostilities from regional conflict and crisis areas, a more formalized organization under a treaty like NATO with limited core membership that allows for “pluses” – non-member countries but still major allies to the core members of the organization – might be the more advantageous approach.
 
A cautionary note, however: it would be a mistake for cybersecurity defenders to hold the faulty perception that what they did today can be successfully applied to the future.
 
“When it comes to the dynamism of cyberspace, incorrectly assuming that opponents will not learn and adjust accordingly is destined for failure.”

SQ Insight: Kenneth Holley - Chairman


Cybersecurity Without Automation Is A Losing Game

Forbes

In today's digital age, cybersecurity has become a top priority for organizations worldwide. As technology advances, so do the methods used by cybercriminals to breach systems and steal valuable information. In this context, Jesper Zerlang, CEO of LogPoint, emphasizes the importance of automation in successful cybersecurity practices. He asserts that while humans remain vital in detecting and responding to data breaches, automation and machine learning have transformed cybersecurity practices.
 
Automation enables human cybersecurity and IT professionals to focus on high-level initiatives, optimizing IT staff without overburdening them. With a shortage of over 2.72 million cybersecurity professionals globally, automation is critical for sustainability. Automation solutions such as Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), and Security Orchestration, Automation, and Response (SOAR) are becoming increasingly popular.
 
Zerlang believes that a holistic Security Operations Center (SOC) can integrate these solutions to streamline processes and enable the team to identify and respond to cybersecurity threats accurately and swiftly. Without automation, it could take weeks for the cybersecurity team to discover a breach and then days to identify where the impact is, leading to shutdowns that cause further exposure.
 
In addition to automation, Zerlang emphasizes the need for a proactive approach to cybersecurity. Cybersecurity should be a business-wide priority at every level, including education and tools for all employees to identify and report potential threats. This culture of cybersecurity is especially critical at the C-suite level, where funding decisions are made. By embracing automation and being proactive, organizations can mitigate the risks of cyberattacks and protect themselves against potential harm.

SQ Insight: Folden Peterson – Director, Federal Initiatives

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
