I still keep in touch with friends I have made over 20 years
ago when I was in undergrad and grad school.
The one thing we keep asking each other is: “How did we make it back then?” I am talking about the resources we had then versus what is available now to get papers, projects, and even theses done.
Back in my day, there was no Google, and hardly even an
Internet. All computing was done on mainframe machines, and the terminal that
was given to you.
Although it took time to do things (especially the theses),
life was far simpler back then. We didn’t have social media, cellphones, or even have to worry about Cyberattacks or Identity Theft. Heck,
even my Purdue ID card had my social security number all over it.
But now, with everything all digital and interconnected with
one another, life has really become confusing (at least for me). It’s hard to keep up with what is happening
out there, and especially so on the Cyber front of things.
There have been so many advances made in terms of tools and technology, yet we still cannot keep up with the Cyberattacker. It has become a cat and mouse game of sorts,
and of course, the good guys are falling behind. So, this begs the question: When it comes to digital warfare, which is
better? The quality of the defenses, or
the total number of defenses that you have?
In other words, is it better to have 10 firewalls or 5
really smart threat hunters who are well trained and can keep the hackers at
bay? Well, according to a report by McKinsey, businesses in Corporate America are increasing their spending on new tools and gadgets to beef up their lines of defenses by 12% year over year.
While this may sound good initially, the bad news is that
security breaches will cost Corporate America at least $10 trillion by the time
2025 rolls around (which is only two years away). This report can be downloaded at this link:
So what is a CISO or even a vCISO supposed to do? Well, according to a recent article I found this morning, here are some key steps to help make the quality stand out versus the quantity:
1) Watch who you hire:
Yes, there is still a huge shortage of workers in the Cyber field. This remains true despite the inflationary fears that still abound and the number of tech layoffs that are happening today. Also, I have been an advocate of hiring just about anybody who has the passion for Cyber and is willing to take risks to get ahead of the crowd. But, there is yet another group of people you
may want to look at hiring for your IT Security team. These are former members of the US
military. These individuals have been
taught structure, discipline, and how to stick with things when the going gets
rough. Also for the most part, they have
received a good amount of training in Cyber.
So why not look into this pool of candidates? After all, if you really need somebody that
has experience, well, here you have it.
And it is a great way of giving back to our country.
2) The Zero Trust Framework:
Although this methodology has been
around for quite some time, its adoption has just started to take root right
now. Under this framework, absolutely
nobody is trusted, and all individuals have to be verified over and over again, every time they need to access shared resources. It sounds extreme, but in today’s
environment, this is all that is left to truly fight off the
Cyberattacker. The motto here is to
never trust, but verify, verify and further verify. Now, the other leg is starting to come out,
which involves continuous testing.
Meaning, you have to keep testing your Zero Trust Framework to make sure
that it is airtight. The logic here is
that you should have a Red Team that is constantly trying to break through your
walls of defenses in order to find out any gaps or weaknesses which are
hidden. This also sounds extreme, but
once again, Corporate America has to go through these extraordinary measures in
order to make sure that their digital assets remain as safe as possible. When it comes to this Red Teaming, humans do
not have to be involved each and every time.
There are tools now out in the marketplace that will let you conduct
Penetration Testing exercises on both an autonomous and automatic level.
3) Keep practicing:
One of the main things that
COVID-19 taught us is the need to have a comprehensive set of Incident
Planning/Disaster Recovery/Business Continuity Plans in place. But that is just one part of the
equation. The other part is to rehearse them on a regular basis, at least quarterly. Another aspect here is Security Awareness Training for not only the C-Suite, but for all of your other employees as well. This is not a one-off; it too should be done on a regular basis.
Part of a good training program is to have what are known as Tabletop
Exercises. This is where you engage your
attendees in a mock Cyberattack, and get their feedback as to how they would respond
and try to resolve the situation at hand.
It is important to keep in mind that even this kind of input can be used
in upgrading your recovery plans.
My Thoughts On This:
Remember that in the end, it takes a combination of both
people and technology in order to have a finely tuned Cyber machine. But even more critical is to have
communications with all key stakeholders, and to keep that line open during all
times, 24 X 7 X 365. Also keep in mind
to keep things simple when planning your Cyber strategies.
There is no need to get into all of the Cyber technojargon,
in the end nobody cares about that. Instead,
take those efforts and funnel them into conducting a risk assessment to
determine which of your digital assets are most at risk.
Then from there, try to figure out how to strategically
place your lines of defenses so that you can get maximum protection without
having to procure additional technology.
Think quality instead of quantity.
Remember that instead of deploying 10 firewalls, try to make use of just
5 of them.