CISOs and security professionals are in an unenviable position: they deal with relentless cyberattacks across an expanding attack surface, some regulations may at times appear to conspire against ever meeting compliance, and the plethora of solutions can leave inexperienced practitioners frozen by the sheer variety of approaches and tactics on offer to solve these challenges.
Looking beyond the traditional
Vivek Gullapalli, chief information security officer (CISO) for APAC at Check Point Software Technologies, opines that in many organisations, cybersecurity controls have been a band-aid approach of only fixing what’s broken — a reactive cycle.
"In today’s security climate, traditional approaches are simply not sufficient. Cybercriminals are leveraging sophisticated tools to aid their attacks, their methods highly intelligent and coordinated," he added.
While he acknowledges that detection and response are important, he suggests that organisations focus more on the prevention of such attacks. "A prevention-first approach provides organisations with the ability to be proactive and give defenders an advantage over the adversary," he continued.
Concurring with Gullapalli, Synopsys Software Integrity Group's head of solutions strategy, Phillip Ivancic, says real-time information is vital in today’s climate — just like a car alarm will alert an owner if someone is attempting to steal their vehicle.
"However, a car alarm will not make a vehicle safe to go around a racetrack at speed – only a good set of brakes can do that!" he quipped.
"The best security leaders I’ve observed are able to frame their decisions and priorities to invest in business agility in addition to risk reduction," Ivancic commented.
To be effective
Gullapalli noted that the digital era requires an expanded set of leadership qualities, including a broader understanding of the overall business, its products, customers, finance, compliance, growth and the direction the organisation is heading.
Ivancic believes that the most effective cybersecurity leaders can link proposed security controls to specific and measurable business outcomes.
Calls for re-evaluating cybersecurity approaches
According to Gullapalli, after a security incident it is important to dig deeper to identify root causes and gaps. The best way to identify the gaps is to look at the cyber-attack path and determine which controls could have stopped the attack earlier.
"Adopting MITRE ATT&CK or “Cyber Kill Chain” can also provide a deeper understanding of the potential attack path and identify which controls need to be implemented to mitigate risks. Mapping the NIST or ISO 27001 frameworks against Cyber Kill chain/MITRE would provide a good assessment of where the controls need to be enhanced."
Vivek Gullapalli
"Other powerful tools that can help improve the overall defence across the organisation include Artificial Intelligence (AI), Machine Learning (ML), and threat intelligence integration into security controls," he continued.
Ivancic warns that it is expensive to deal with a compromise compared with the cost of early prevention. That’s why “security by design” is important. This means conducting “threat modelling” and “architecture review” exercises early during a project.
"This allows threats to be mapped out and preventative controls to be built into the project straight from the design phase. This has been proven to reduce re-work and improve time to market," he continued.
What needs to happen
“Culture eats strategy for breakfast” and the same is true for cybersecurity.
"When Cyber security is seen as an enabler, business leaders and staff will naturally champion its adoption," said Gullapalli. "People, if given the right opportunity, will identify problems or issues or how to make it better."
He cautioned that these problems or issues could be security gaps which, if not remediated, could put the organisation at risk. However, if the organisation is not open to recognising people for coming forward to raise an issue and instead reprimands them, the culture will shift to ‘be quiet and don’t say’.
"This is extremely dangerous for an organisation. Thus, it is extremely vital for CISOs to champion the security culture shift as a common goal/shared responsibility to protect the organisation," continued Gullapalli.
One global bank that Synopsys works with found threat modelling so effective at reducing the cost of re-work and project overruns that it embarked on a large training rollout to ensure the required skills are ubiquitous across the organisation.
"Culture change and skills transfer were a combination of hands-on learning, typically achieved with Synopsys experts shadowing projects as they started their ‘secure by design’ activities, and formal instructor-led training courses."
Phillip Ivancic
"All this was underpinned with e-learning modules to support the new skills being rolled out," he concluded.