The “new normal” in today’s cyber era
Where do you see the difference between Information security, IT security, and Cybersecurity and how it defines the Cyber Leader activity space?
There are differences between the terms, but let us start by discussing what is common. Yes, all of them are talking about security, but the main point is the connection between them, and I would even define it as a hierarchy. From my point of view, Cybersecurity is the term describing the broad, inclusive field of all the different modern security domains. IT security is one of them, a security subdomain that deals with IT systems and processes. The same for information security, another subdomain, part of which belongs to IT security. Still, other parts of this subdomain deal with additional information and data security challenges.
To complete the picture, Cybersecurity embraces additional subdomains like OT security, supply chain security, and, maybe surprisingly, physical security, which in my opinion is also part of the game.
The broad definition of Cybersecurity pretty much defines Cyber Leader accountability and his activity space. It practically sets the activity borders to any corner of the organization, any process, and functionality. Sometimes as a decision-maker, sometimes as an advisor, sometimes as a supporter, but always as a Leader.
When speaking the language of business to their boards, are there certain phrases Leaders/CISOs should be using?
Before touching the question about certain phrases, let me address a more problematic language point. Most of the Cyber Leaders I met in my long service didn’t talk to the Board, or other levels of management, in a business or audience-oriented language. Mostly they use technical and abbreviation-saturated language. Yes, from their side, it sounds very professional, impressive. Still, from the audience side, it sounds like a foreign language, and more importantly, the main point and subjects are not explained or understood.
So, going back to the question, specific phrases are situational. Here are some of my phrasing advices for talking to the Board. Don’t use an emotional description of the risk or cyber events; use as clear and deterministic a description as possible. Connect your subjects to the Board’s points of interest and their language. Never say “maybe”; say “I don’t know,” or give your estimated probability of it happening or not happening. Describe the cyber challenges at the level of Board responsibilities and their influence on them. Never say, “We are a hundred percent protected,” it is never right. Use and describe not only your cyber protection maturity. Explain the organization’s resilience and recovery maturity. And most important, talk “Boardish” and not “Cyberish.”
Almost everybody agrees that organizations need a culture of security. How can security leaders facilitate that type of culture?
The culture of security or culture of Cybersecurity is an integral and significant part of the security sturdiness of an organization. It joins the technical cyber part to complete the full integrated organizational cyber treatment. Security culture deals with the behavior of the employees at all levels of the organization. It plays a key role in Cybersecurity maturity.
Like any culture, the security culture is based on patterns of behavior, professionalism, and values. It is part of the organizational culture. As we all know, cultural change is one of the most difficult organizational changes. Besides, security is usually not interpreted by employees as a positive action. Security leaders should support and lead the change process of the security culture cycle: set the baseline, provide the improvement plan and facilitate it, and stimulate top management support and involvement. They should create employee trust and a positive attitude to security, by full transparency of the cyber activities, explaining the benefits of their actions to the organization and the employee, explaining the threats and their mitigation. An additional chore the security leader must take on is making the security culture part of the daily life of the organization.
Yes, the security leader’s job targets mainly leading the security culture of the organization; the rest is easier.
What are the biggest challenges you face in the year ahead?
To choose the top challenges in the field of Cybersecurity is almost a prophecy. It is so dynamic, squalling, changing, surprising, that a year seems like a long period. On the other hand, this is the reason why we, the cyber enthusiasts, love it so much. The cyber threat and attack surface is growing exponentially. Increasing penetration of digital technology into all our life processes, automation, autonomous devices, endless connectivity, and globalization creates a fertile environment for cyber adversaries.
So in such a unique environment, my three candidate challenges are just a tiny fraction of many additional ones that should be tackled.
The first one I call the foggy cyber view. We are handling a very sophisticated, complicated, and dynamic environment in any organization. In all of the cyber organizational situations, routine, cyber event, or recovery, the decision-makers, even at the highest level, don’t have a clear situational cyber picture. Even worse, they are unable to control the effectiveness of their decisions at a properly decent level. So the challenge as I see it is to build a near real-time updated “Cyber Battle Picture,” to base those crucial decisions on facts and not on intuition.
The second challenge concerns the OT (operational technology) world. It is no longer just a challenge of the critical infrastructures and industrial sectors. It is becoming, and I expect in the coming year even more intensively, the challenge of most of the modern world. Our environment, social, functional, and cultural, is embedded with sophisticated, interconnected control systems and devices (IoT) – the heart of the OT world. The control systems are more and more based on commodity technologies, and exposed to many additional vulnerabilities that were not part of the legacy systems. There are still organizational barriers between the IT and the OT units and activities. We must remove them. I have been claiming for a long time, “The target of the adversaries are the OT systems, the highway to reach them are the IT systems.”
The next one is the tight coupling of the cyber technologies with smart analytics and deep learning. It will be needed not only to overcome the vast mass of cyber events organizations are struggling with, but it will also be required to create a clear cyber battle picture. An additional domain has joined the IT/OT playground, and I call it VT – Virtual Technology. It deals with social biasing, “Fake News,” network scams, and indirect cyber attacks. In my opinion, this domain will become most attractive for the adversaries, and only a high level of information analysis, enrichment of sources, and sophisticated intelligence methods will be able to challenge the new candidate.
How do you make sure you know what new projects, processes, products, or services are on the road map and that security is baked in from the process side?
About six years ago, I started to talk about CBD – Cyber By Design. I know, today, it is a concept that is heard from all over. But six years ago, it was not so acceptable or understandable. The main point is that even today, in most organizations, it remained a concept. It didn’t mature to a model, plan, policy, procedures, and real actions to deploy the CBD idea.
We have developed a full-scale CBD model, and I will detail some of its main principles. CBD starts at the first stage of any process, system, or activity, the design stage. This principle is based on the well-known one, “Considering different issues in early stages makes the system better.” Where should CBD be used? The model assumes everywhere, based on my perception that cyber is everywhere. Yes, we have developed measures to filter what activities should be included, but everything is checked against these measures. The organization must cultivate and implement a process modeling culture. It is the basis of a real ability to analyze any process, test what-if dilemmas, and simulate the cyber consequences and steps needed, starting at the design stage and controlling through the whole life-cycle. Last but not least, it must become part of the daily work procedures, enforced by proper policy and procedures.
So that is the answer to the “How do you make sure...” question.
To summarize, this is my quote from six years ago: “Cyber by Design” means “Resilient by Design.” On the other hand, I call the current behavior “Cyber by Luck,” which means “Defective by Design.”
How might we address the perception of Cybersecurity holding the business?
Let’s be fair. This perception has some factual basis. Many of the cyber activities and precautions we put in place to protect our organizations are of a somewhat disturbing nature. They put a burden on different resources, including financial ones, and they cause different inconveniences in various services. It is hard to analyze them using methods we are used to, like TCO or other models.
The only problem with staying with the “holding the business” perception is that it doesn’t contribute or bring any solution or relief to the mentioned hurdles. The fact is that cyber is here, and it’s here to stay. To say it more explicitly, cyber is the “New Normal”!
The only attitude I am familiar with, and I suggest my colleagues adopt it, is to look at the bright side of the situation. Cyber has brought many new advantages and opportunities. Where adequately deployed, it significantly improved different aspects, like the quality of IT/OT systems and different corporate procedures and policies; it catalyzed creativity and innovation; it supports the entrance of new, advanced computer science technologies and additional benefits. When talking about opportunities, many organizations take advantage of their cyber experience and know-how to diversify their core business portfolio, adding cyber products and services—in other words, making “Lemonade from Lemons.”
Cyber is one of the most disrupting issues of the modern world. It is the “New Normal.” It sometimes brings the security/cyber leaders to the edge, but in parallel, it creates new opportunities.
The security/cyber leaders should be carved from a mixture of leadership, smartness, creativity, and strong nerves. Above I pointed out the next cyber challenges. The security/cyber leader has one leading challenge – to balance. To balance between the cyber sturdiness and the ability of the business to fulfill its destiny.