By: Jason Gottschalk, Director of Cyber Security Services at KPMG in Africa
Today, it’s not a case of if your organisation is going to be breached but rather a case of when.
The odds are stacked against us: the industry is failing to safeguard us from the ever-increasing threat to corporate data, systems and applications. This is especially true where security is an afterthought, “bolt-on security” rushed through the project phases to meet business requirements while trying to be the business enabler.
However, business is often far removed from the decisions that ultimately impact the security posture of the organisation and therefore, there are a few key questions that the heads of IT departments need to be asking. These include:
- What am I trying to protect? Why am I trying to answer these questions myself?
- Who am I trying to protect it from?
- What mode am I in?
Below, I have outlined critical areas that should be considered when seeking answers to these key questions.
WHAT AM I TRYING TO PROTECT? WHY AM I TRYING TO ANSWER THESE QUESTIONS MYSELF?
One would be surprised how often IT does not engage with business when deciding what to protect. The old mantra of needing to protect everything is simply not feasible. IT has finite budget and manpower, so prioritise where you apply that budget. Most are doing this in some manner or form, but few are engaging with business to jointly make the decision. By engaging with the business, one enables joint decision making. Very quickly everyone understands the impact of continually cutting the security budget, which ultimately leads either to a budget increase or to formal risk acceptance. Either way it’s a better outcome.
WHO AM I TRYING TO PROTECT IT FROM?
In simple English, who are the attackers? It’s simply not enough to know that the organisation is going to be targeted; having a deeper understanding of who the likely attackers are is crucial. In the context of knowing what needs to be protected, the security controls will differ depending on whether the threat is internal or external and whether the system under attack is internal or external.
Threat modelling is a simple exercise, and if facilitated adequately and jointly attended by business and IT, is a successful way to prepare for Cyber transformation. Key questions that should be considered during this exercise include:
- Type of threat – What type of threat is the organisation faced with? We call these threats Actors. Examples of Actors include Insider, Hacktivist, Syndicate and Nation state (to mention a few).
- Capability – What capability and resources would an attacker have? Consider the Actor’s ability to exploit vulnerabilities, and assume the worst-case scenario.
- Motivation – How motivated are they to attack? Consider the factors that would motivate the Actor to launch an attack, and again assume the worst-case scenario.
During the threat modelling workshops, rate the Capability and Motivation of each Actor on a scale of 1-5. Once completed, combine the two (Capability x Motivation) to identify the risk level, and then prioritise the Actors (threats) by that score. It’s important to remember that this is not an exact science; when the exercise is repeated regularly, it will yield improved results and insight into the risks the business faces.
WHAT MODE AM I IN?
For most businesses, controls focus on prevention, with a very immature detection capability and little to no response capability; where a response capability does exist, it is also very immature. If a breach is inevitable, then detection and response controls are as important as prevention. Consider what will happen when your organisation suffers a Cyber attack. Will the organisation be able to respond to the attack and to the ever-feared successful breach?
Implementing a Security Incident Response program (consider ISO 27035 as input to this) will help the organisation respond to a Cyber attack. It’s also important to identify some likely events and prepare “playbooks”, which are workshopped with stakeholders. This enables the organisation to identify deficient controls and processes, while offering an opportunity to remediate and prepare for a potential attack.
A Cyber transformation program has four key elements: Protect, Detect, Respond and Integrate, all of which should be driven by Threat intelligence. Consider identifying the controls across these areas that should be implemented or remediated during a Cyber transformation program. The first step generally begins with a comprehensive gap analysis of the environment. Identify the “as-is” and work with business to define the “to-be”.
When identifying the “to-be” state, define the actual control designs and the measurement for success, as this aids in assessing whether the money spent has actually moved the organisation forward. Don’t try to transform to ‘Utopia’ immediately, but rather start gradually by focusing strongly on the high-risk areas. Consider a program that spans three years, thus establishing a foundation upon which yearly improvements are made and measured.
We need to transform in every sense of the word, but to do this, IT and business jointly need to start looking at breaches differently and take the opportunity to learn from the mistakes of others in the market.