Digital service pointers

by Mark Rowe

Many organisations’ plans for digital transformation have been accelerated by the pandemic. The need to stay agile, while also giving employees access from anywhere, has never been greater, says Bindu Sundaresan, director, AT&T Cybersecurity.

And, as these initiatives gain speed, Chief Information Security Officers (CISOs) will require a deep and accurate understanding about their organisation’s cyber risk – what’s normal, what’s acceptable and, perhaps most importantly, what is unacceptable.

Indeed, increased use of cloud services, edge computing and expanded remote working options have all compounded the issue of cyber risk for organisations in ways that weren’t obvious before. Therefore, understanding the details of the organisation’s cyber risk, what should be prioritised and how to effectively reduce it, is the best foundation to build a holistic plan to manage cybersecurity risks across the organisation. Yet for many organisations, it’s not always easy to see the wood for the trees, as they say. That is, business leaders – even CISOs – may struggle to balance their own business efficiency-oriented goals with a security-first mindset that goes beyond the traditional perimeter-centric approach to security.

Amid this IT complexity, professional security services (PSS) companies are developing holistic blueprints and digital transformation goals, and helping organisations across both the private and public sectors understand their security needs. PSS companies could be a good option for many organisations navigating these new challenges, as their teams attract some of the most highly experienced security professionals in the field. PSS teams also enhance their knowledge through ongoing professional education to keep pace with evolving technology and cyber threats.

So, if this is the path chosen, what should organisations looking to engage a PSS company be seeking when embarking on the relationship?

First, zero trust is a must. This is particularly so given new White House mandates that push the federal government and its contractors to shift their mindset, and that will in turn move state and local governments and private enterprises towards zero trust environments. While this may appear at face value to be US-specific, any company wishing to do business with these kinds of organisations now and into the future will be in a better position to do so if it has its own zero trust framework in place. Look for a PSS that will begin with an organisation-wide risk assessment to identify the critical assets, functions and business processes that most urgently need protection, with the aim of achieving a zero trust environment around those critical functions.

This is even more important considering that Chief Information Officers (CIOs) were forced to significantly accelerate implementations after the COVID-19 pandemic was declared in March 2020. These initiatives were inevitable for every organisation, yet most plans were intended to be two- to three-year phased implementations. As organisations rushed to enable or expand remote working, these multi-year plans were compressed and implemented in a matter of months to keep staff productive while offices were closed during the worsening pandemic. Unfortunately, this meant that many initiatives may have been executed without fully analysing the security implications of connecting many different systems and business processes, something that requires detailed planning if a well-designed zero trust environment is the goal. The result is that most organisations today have authentication and authorisation processes that may not incorporate a zero trust approach to security, yet this should be a priority.

Second, ensure that the company the organisation wishes to collaborate with has strong threat intelligence. Digital transformation, edge computing and an organisation’s journey to the cloud are all modern business necessities. However, the rapid changes have attracted organised crime, because where there is IT complexity, particularly in organisations lower on the security maturity continuum, there are opportunities for criminals to gain a foothold in systems. The result is an increasing incidence of damaging attacks such as ransomware and DDoS, as well as theft of IP and PII. Leveraging a variety of tactics, techniques and procedures (TTPs), cyber criminals are achieving long-lasting persistence in networks while organisations struggle with security alert fatigue. This is exacerbated by managing security infrastructure across multiple panes of glass that do not provide a holistic security view. Work with a company that has insight into the threat landscape specific to the organisation’s industry and a true understanding of the network, so that it can prioritise the identification of, remediation of, and recovery from the vulnerabilities associated with these common threats.

Finally, never underestimate the importance of governance management. Cyber resiliency is as much about policy and planning as it is about technology, if not more so. Yet developing a cyber strategy roadmap in-house requires a holistic understanding of the organisation’s cultural challenges, business processes, digital transformation goals, and the emerging threats that can affect an organisation, an industry or a vertical market. This can be difficult to navigate from within the organisation because of departmental conflicts. PSS teams, by their nature, can remain above any organisational conflicts, enabling them to work across departments to conduct a cyber risk assessment that incorporates knowledge of current and emerging threats. Armed with that knowledge, the PSS team should develop a security triage plan that enables informed decisions, maximises the return on cyber security investments, and supports proper governance of business-critical data. Moreover, third-party PSS teams can more easily bring stakeholders from across an organisation together to collaborate on business needs and cyber risk reduction, precisely because they are not part of the client’s organisational culture and conflicts. In many organisations, where stakeholders from multiple departments have never been brought together, this can be the key to success.

Many organisations attempting to develop a comprehensive security roadmap in isolation tend to get lost in the complexity of its many variables. Engaging a PSS company therefore makes sense, not only for its experience in untangling the Gordian knot of holistically securing digital transformation initiatives, but also because that experience allows it to provide specialised guidance. In vertical markets such as healthcare, manufacturing, retail and government, as well as in industries classified as critical national infrastructure (CNI), a PSS company can draw on playbooks from previous consulting engagements to bring years of specialised knowledge that most organisations lack. This understanding of the threats targeting a particular industry enables PSS teams to help organisations understand their actual cyber risk and its implications for regulatory compliance. Organisations need to take all of this into consideration when choosing the right PSS company to work with.
