Cyber Mayday and the Day After. Daniel Lohrmann


backup and recovery platforms that assure rapid restoration of critical systems, and other protections can dramatically reduce the likelihood that ransomware will impact your organization's operations.

      Shao Fei Huang, CISO of Singapore Land Transport Authority, highlighted his top three takeaways for business owners, board directors, and executives, and the stories from Mark Weatherford and Deb Snyder inspired the last two.

      The World Will Never Be Immune to Cyberattacks

      Organizations and businesses need to ensure that their cybersecurity strategies are centered on people, process, and technology. Traditionally, the focus has been on IT, and even CISO appointments have been given to the IT staff, reporting to the CIO. Aside from this reporting line, which would result in a conflict of interest, it is key for CISOs to carry a large responsibility in the organization and to be given the authority to raise the alarm if something is not right, even if this relates to the actions of their executives or their decisions.

      In appointing CISOs, CEOs and boards should ensure that the individual is equipped with qualities such as strong technical expertise in cybersecurity, business acumen, crisis management skills, and a soft skill that has been often neglected: a flair for public speaking, especially to senior executives and stakeholders.

      Cybersecurity Is a Business Risk Issue

      More and more people are coming to the realization that cybersecurity is not just an IT issue. The onslaught of recent cybersecurity supply chain attacks and identity breaches on a global scale is a clear sign that it is not a matter of if, but when, an organization discovers it has undergone a cybersecurity attack, whether directly or indirectly. Boards and executives need to understand the “system” at play in how these attacks and the damaging downstream consequences pan out. They do not just center around the IT departments of their organizations, but impact every member within the organization and externally, including each of their customers.

      How the organization reacts, responds, and learns from cyber incidents is very much a reflection of the organization's values and capability.

      The Double-Edged Sword of Zero Trust

      CEOs and boards need to understand what zero trust is and how blindly adopting zero trust could stand in the way of effective incident response (IR) when cyber emergencies happen. The zero trust approach, by definition, is to “never trust, always verify.”

      Pick the Right Person to Lead the Effort

      Mark Weatherford's story highlights the vital need to do your homework when selecting a CISO or other top cybersecurity leaders. Much more on this in Chapters 2 and 4, but it must be emphasized upfront that you need someone accountable for the cybersecurity program who has the knowledge, the experience, a good understanding of organizational culture, and the authority to get things done.

      Beyond background checks and impressive resumes (or CVs), does your CSO, CISO, or other top cybersecurity executive excel at relationships in a 360-degree manner with staff, peers, executive management, clients, and vendors? You can strengthen the leader's effectiveness by surrounding him or her with the right mix of professionals who close gaps in weak areas. Finally, does the CISO's vision of success align with the executive board's?

      Act and Adjust with Resilience as the Cyber Situation Evolves

      The eye-opening stories from Deb Snyder reveal an ability to adapt and remain resilient as cyberattacks grow and become more impactful.

      In the next few chapters, we will demonstrate how an effective cybersecurity program with relevant strategies, tactics, plans, and playbooks grew to become best practices and eventually standard practices for cyber defense teams worldwide. Leaders can't wait for a perfect solution and allow indecision in the midst of cyberbattles. Rather, they must act and adapt based on threat intelligence, robust information sharing, and a clear understanding of priorities with the tools available to fully utilize their team's skill sets.
