teissTalk host Jenny Radcliffe was talking to Glen Hymers, Head of Data Privacy and Compliance, The Cabinet Office; Ash Hunt, Group Head of Information Security, Sanne; and Tim Ager, VP of Sales – EMEA, Picus Security
The realities of information security on the ground and the underlying reasons
The news that CISA (the Cybersecurity and Infrastructure Security Agency), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have jointly warned of an increased number of Conti ransomware attacks targeting US organisations shows how vulnerable our information security systems, governmental and enterprise alike, remain.
The methods the attackers used were rather basic: spear-phishing, phone calls, and stolen or poorly secured remote laptops, none of which require sophisticated cybersecurity tools to defend against. The reasons the most fundamental defences are sometimes not implemented are numerous, the first being cost. But even in organisations where funding information security projects is not a problem, system complexity can be a challenge, with sometimes as many as 40 to 50 security controls in place.
Moreover, there are huge disparities between industries, with more digitally advanced sectors such as finance or retail giving information security a higher priority than others. Similar discrepancies can exist even between the different arms of the same enterprise. An organisation's risk tolerance can also be higher simply because it cannot see the secondary risks that would follow from a particular type of breach.
New approaches – frameworks, continuous control validation and ML
Traditionally, information security is about detection, remediation and recovery. But instead of being hit by an attack and trying to mitigate damage in panic mode, a more strategic approach is needed. This may involve new frameworks, methodologies and – budgets permitting – the extensive use of ML.
An emerging paradigm may not leave the role of the information security risk manager intact either. Traditionally this role involves making subjective decisions about the severity of various types of security risk and assigning each a traffic-light rating accordingly; its new and much more business-oriented successor thinks in terms of RoI and the effectiveness of cybersecurity investments.
New methodologies rely on quantifying security risk rather than on the intuition and judgement of the risk manager, expressing the utility of an information security investment as the potential financial gain or loss under different scenarios. Once risk managers adopt a quantitative approach, they will also find it easier to negotiate with management and secure the necessary funding.
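As an added illustration of the quantitative approach described above (this is not part of the panel discussion or any speaker's material), the Python sketch below prices two of the attack scenarios mentioned earlier, spear-phishing and a stolen laptop, from three-point loss estimates and ranks candidate controls by return on security investment. All frequencies, loss figures, control names and reduction factors are constructed assumptions for the example.

```python
from dataclasses import dataclass
# All figures below are constructed for illustration, not taken from any real organisation.

@dataclass(frozen=True)
class Scenario:
    # one loss scenario: expected events per year plus a three-point loss estimate per event
    name: str
    annual_frequency: float
    loss_low: float
    loss_likely: float
    loss_high: float

    def expected_loss_per_event(self) -> float:
        # PERT mean of the three-point estimate (weights 1:4:1)
        return (self.loss_low + 4 * self.loss_likely + self.loss_high) / 6

    def annual_loss_expectancy(self) -> float:
        return self.annual_frequency * self.expected_loss_per_event()

@dataclass(frozen=True)
class Control:
    # a candidate investment and the fraction by which it cuts each scenario's frequency
    name: str
    annual_cost: float
    frequency_reduction: dict  # scenario name -> fraction in [0, 1]

def total_ale(scenarios, control=None) -> float:
    # annualised loss expectancy across all scenarios, optionally with one control applied
    total = 0.0
    for s in scenarios:
        cut = control.frequency_reduction.get(s.name, 0.0) if control else 0.0
        total += s.annual_loss_expectancy() * (1 - cut)
    return total

def rosi(scenarios, control) -> float:
    # return on security investment: (loss avoided - annual cost) / annual cost
    avoided = total_ale(scenarios) - total_ale(scenarios, control)
    return (avoided - control.annual_cost) / control.annual_cost

def rank_controls(scenarios, controls) -> list:
    # controls ordered by ROSI, best first; a negative ROSI means the control loses money
    return sorted(controls, key=lambda c: rosi(scenarios, c), reverse=True)

SCENARIOS = [  # constructed sample scenarios
    Scenario("spear-phishing credential theft", 2.0, 30_000, 60_000, 210_000),
    Scenario("ransomware via stolen laptop", 0.25, 200_000, 500_000, 1_400_000),
]
CONTROLS = [  # constructed candidate investments
    Control("MFA + phishing training", 40_000, {"spear-phishing credential theft": 0.6, "ransomware via stolen laptop": 0.4}),
    Control("full-disk encryption on laptops", 15_000, {"ransomware via stolen laptop": 0.7}),
]
```

With these inputs the cheaper laptop encryption control ranks first on ROSI even though the MFA programme avoids more loss in absolute terms, which is exactly the kind of comparison a traffic-light rating cannot express.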
Continuous, rather than point-in-time, control validation is another proactive approach to cybersecurity: continuous security testing that finds security gaps before cybercriminals do, in a digital environment where threats change by the day. An automated platform with ML capabilities will already hold several variants of existing malware that companies can test their security controls against straight away.
The platform's dashboard provides real-time information on whether the necessary security controls exist or, if they don't, what threat mitigation steps are being taken. Businesses that can't budget for automated platforms need to fall back on the onion layers of legacy security: combining firewalls, proper back-ups and staff training. The first step of any security assurance journey should be the adoption of a framework such as MITRE ATT&CK as a baseline against which security controls can then be improved or triaged.