During our recent webinar, "Cybersecurity Resiliency is More than Protection," Keri Pearlson, Executive Director of Cybersecurity at MIT Sloan (CAMS), discussed the latest thinking in building cybersecurity strategy and the role of leaders and managers in creating cyber resilience. Simply put, companies cannot invest enough in technology to protect themselves from every potential cyber threat; they must assume there will be an incident and design their cybersecurity strategy around resiliency.
Why resiliency?
By now, many may be exhausted when it comes to the topic of cybersecurity risks and breaches. Despite (or perhaps as a result of) increased threats, it’s become white noise. It seems like a never-ending and unwinnable game of whack-a-mole, creating a valid sense of frustration. However, Keri insists there are still ways to protect yourself and your organization with the right shift in mindset and approach.
We can’t protect ourselves against everything—thinking we can will quickly lead to burnout. (We will never win that game of whack-a-mole.) More realistically, we can put plans in place to help us respond to inevitable threats in a timely manner in order to return to normal operations as quickly as possible. “Protection is about keeping the bad guys out, but resilience is assuming the bad guys will get in and having plans in place to really minimize the damage. Everyone says they have business recovery plans, but have those been tested in the context of a cyber-attack?”
Keri uses a gym membership as an analogy. You go to the gym to build muscles and run faster, so when the time comes that you need to lift something heavy or quickly get away from a threat, you can. If you just join the gym and never go, it’s the same as having a cyber-attack business plan, but never practicing it or running drills. “Have you tested your backups? Have you tried to run your company on your backups? People are hesitant to do this because it causes disruption to the normal day, but it’s necessary. A resilient organization recovers faster and maybe at a higher operational level. You learn faster. You build those muscles.”
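One concrete form of the backup drill Keri describes is a scripted restore test: pull a backup into a scratch location, restore it, and check every file against a manifest recorded at backup time. The script below is an added example, not code from the webinar or from CAMS; it assumes the backup process also writes a manifest of SHA-256 hashes (an assumption here), and it builds a small constructed archive in memory so it runs offline.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_backup() -> tuple[bytes, dict]:
    """Construct a small tar.gz backup plus its hash manifest (constructed sample data)."""
    files = {
        "config/app.ini": b"[db]\nhost=db.internal\n",
        "data/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    }
    manifest = {name: sha256_bytes(content) for name, content in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and compare every file to the manifest.

    The report separates three failure modes a drill should surface: files the backup
    lost (missing), files whose content no longer matches (corrupted), and files that
    were never recorded in the manifest (unexpected).
    """
    report = {"restored": 0, "missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # Refuse any entry that would be written outside the scratch directory.
            for member in tar.getmembers():
                target = (root / member.name).resolve()
                if not str(target).startswith(str(root) + os.sep):
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(root)
        found = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
        for name, expected in manifest.items():
            if name not in found:
                report["missing"].append(name)
            elif sha256_bytes(found[name].read_bytes()) != expected:
                report["corrupted"].append(name)
            else:
                report["restored"] += 1
        report["unexpected"] = sorted(set(found) - set(manifest))
    report["ok"] = not (report["missing"] or report["corrupted"] or report["unexpected"])
    return report


def run_drill(tamper: bool = False) -> dict:
    """Run the restore drill; with tamper=True, simulate a backup whose content drifted."""
    archive, manifest = build_sample_backup()
    if tamper:
        # Pretend the recorded hash no longer matches what the backup actually holds.
        manifest["data/customers.csv"] = "0" * 64
    return restore_and_verify(archive, manifest)


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(tamper=True))
```

Run this on a schedule against a real backup set and treat any report with `ok` false as an incident: a restore that silently returns stale or partial data is exactly the failure the drill exists to find before an attack does.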
Known unknowns and unknown unknowns
So how do we plan for what we don’t know? Some might suggest Artificial Intelligence (AI) can help solve those problems, but it’s still a nascent area of focus. Plus, the minute the larger public figures out how to implement those tools, the bad guys will just as quickly find a way to use that new technology against us. This is why having a general response plan is important.
For example, if (or rather, when) you experience a cyber threat, who is in charge of communication and PR with the press? Do you have a press release template? Sure, that template isn’t going to address everything, but a majority of the work is already done and you might only have to make some edits. This frees up valuable time. “You should know the kinds of things you may want to respond with. And the more you practice, the easier it is to absorb the shock and get back to normal.”
However, training is not enough.
Cybersecurity is everyone’s job
Decisions regarding cybersecurity are often made at higher levels of the organization or within IT departments. If people aren’t part of those discussions, they may feel it’s not their role—someone else is taking care of it. However, there are weaknesses across your entire ecosystem and it’s important to understand those and what people at each level can do to increase resiliency.
“It’s important to ask questions related to people’s roles and raise awareness and shine light on cyber issues. It’s the most important thing we can do as non-cyber managers. The bad guys thrive in the darkness.” Keri suggests using the NIST framework, which helps you identify the various risks and responses. “It gives you a roadmap of where you might see something. What are the crown jewels in our processes?” Identifying the big risks with everyone’s help and insights, using a qualitative approach, can help decision makers understand how to properly distribute resources for the greatest amount of resiliency.
Cybersecurity and AI: Friend or foe?
While AI has been around for a while, it has only recently taken off and become the favored hot topic of the business world. “AI introduces a new set of cybersecurity concerns. It’s like looking for a needle in a haystack.”
Keri and the team at CAMS are focused on “secure by design” research that looks into the implications of AI. There are new big risks—training data could be poisoned, models may be manipulated, output data may be intercepted and stolen, and there’s also “spoofing.” There are general protections in place, but no widespread models for handling AI at the moment.
Conversations currently being had in the space ask the following questions:
• How can AI help us be more secure?
• How can AI introduce new attack vectors?
• How are people using AI that introduces risk?
And don’t forget, even as new models and safeguards are put in place, the bad guys will follow quickly behind to manipulate them. Cybersecurity is not a technology problem, but a business problem. For now, the best advice Keri has is to always verify. “Don’t take anything at face value that seems a little suspicious, especially anything that puts your valuables at risk – financially, personally, reputationally, operationally. If a system is asking for something, question it first.”
And as previously mentioned, talk about it! (Remember, the bad guys thrive in the dark.) “I’m the only cyber person in my social group. However, because I’m constantly talking about things I’m seeing, they’re all a little more aware, too. Now they’re the ones sending me headlines. They’re a little more secure and resilient because I talk about it in a non-threatening sort of way.”
Learn more
Keri teaches in two courses that help individuals and their organizations be more resilient.
In Cybersecurity for Leaders: Managing Risk in a Digital World, the focus is on helping people become knowledgeable participants in the discussion. While the course is aimed at non-cyber professionals, cyber professionals often take the class so they know how to communicate effectively with their non-cyber colleagues. There are hands-on exercises that simulate a cyber-attack and test resiliency. There’s further discussion around the NIST framework, building a cyber-aware culture, and debunking myths. In the end, participants leave with a personalized playbook with actionable next steps for improving a culture of cyber awareness within their organization.
Cybersecurity Governance for the Board of Directors provides a holistic, enterprise approach to cybersecurity and data privacy. Topics covered include governance, protection and response, law and regulations, and security strategy and culture. The goal of this course is to assist board members, C-suite leaders, and other senior executives in quickly gathering essential language and perspectives for cybersecurity strategy and risk management to better carry out their oversight and leadership responsibilities.
Contributed by Elaine Santoyo Goldman