Recent Posts

SolarWinds of Change – How the SEC Ruling Affects the Future of InfoSec Officers

Cybersecurity is more than a technical issue; it has legal and financial implications for companies and investors.  The recent U.S. Securities and Exchange Commission (SEC) charges levied against SolarWinds Corporation and its chief information security officer illustrate the serious consequences of failing to disclose 

Article Publication – “Protecting Responsible Cybersecurity Vulnerability Research”

CyAN members John Salomon and Nick Kelly have just published an article in the European Cybersecurity Journal on the legal treatment of responsible cybersecurity vulnerability disclosure.

Please Stop Overva(i)luing Buzzwords

We Need More Snoods!

Ask yourself – when was the most recent time you read a technology news article, walked past a conference stand, or saw a billboard loudly advertising “advanced AI capabilities” and inwardly groaned?  Oh look, another one.

A running joke in the information technology world is the nearly annual cycle of new buzzwords and catch-phrases that seem to captivate marketers, journalists, consulting firms, and new startups alike. 

Terms such as cloud, blockchain, devops, agile, web 3.0, zero trust, quantum/post-quantum cryptography, supply chain, and most recently, artificial intelligence have dominated recent discussions around information technology.  This is nothing new.  Web 2.0, PKI, e-commerce, virtualization, big data, gamification, and many more sector- and technology-specific terms, are familiar to anyone involved with the global tech industry in the past thirty years.

Most of these represent legitimate concepts.  When one or the other fades out of prominence, it does not mean that it goes away; rather, there is a high degree of probability that the technologies or processes it describes have become a mainstream, integral part of the IT ecosystem.

Unfortunately, buzzwords and the enthusiastic reaction they often generate carry real and significant risks. Whether you are an information security professional, a purchasing manager, CIO, entrepreneur, or investor, you should be aware of these, so that you can ensure neither your security maturity nor your financial bottom line suffers from an excessive focus on trendy ideas.

In this post I take an exceptionally over-simplified, anecdotally formed look at how excessively focusing on over-popularized concepts can negatively impact innovation and responsiveness in an increasingly complex information security landscape – and counter-intuitively, hurt competition.

Buzzword-Chasing Hurts Companies

Vendors and consultants naturally focus on what customers want.  If artificial intelligence is constantly in the news as the current Big Thing, it is understandable for C-level executives to ask themselves whether it will solve all their problems.  If you are familiar with the tired, disproven phrase "nobody ever got fired for buying IBM" (or whichever brand you want to insert here), buzzword-focus is a similar phenomenon. After all, if a given topic is omnipresent, who can fault a CTO or CISO for trusting a seller promising ROI from what all the other cool kids are doing, right? 

Their successor, that’s who.  Despite increasing regulatory pressure, cybersecurity budgets remain tight – inevitable for what is still a major cost and a frequent obstacle for business innovation.  CISOs’ resources for proof-of-concept implementations are limited, making it difficult to identify quality providers in packed industries.  Word of mouth in closed trust groups helps, but only goes so far, and it allows for little flexibility when the CEO and CFO ask, why are you not investing in <insert Big Thing here>?  After all, this report from Big Consultancy Inc. claims Big Thing is vital to the modern organization. 

I am a firm believer that large companies should invest in risky early-stage technologies – better to drop €50k on a seed-stage startup and help shape their development, than to buy a license 5 years down the line for a multiple of that.  It’s a great investment, and helps everyone.  However, focusing on fashionable technology projects can eat up budget, and hamstring security departments for years, potentially impacting other, more basic operational requirements – not to mention reducing a firm’s flexibility to invest in more forward-looking, green-field projects.

Startups and Investors All Suffer

Next, investors – venture capital, private equity, and others – can have very limited due diligence capabilities, and will generally rather focus on what promises returns in the short run rather than long-term viability.  This means that investors, whose expertise tends to be more in finance and management, and who frequently rely on a small number of often younger, less experienced analysts, can receive a skewed view of what are “good” technologies to invest in.

The resulting "bandwagon" effect means that currently prominent technologies become crowded, while solid companies pursuing less superficially attractive solutions are overlooked and starved of funding and clients.  It should not be necessary to explain what happens to the likelihood of a successful exit when every investor is chasing the same part of the market.

Worse, those few truly promising firms in packed fields struggle to get their message out – something I have seen first hand with numerous clients.  It is a frustrating experience for any consultant working with a promising, smart, motivated firm whose quality stands out above the crowd, just to be met with rolled eyes from CISOs.  Oh, good, another company claiming AI somethingorother.  When the sheer volume of low-quality competition paying lip service to an idea currently in vogue stifles the ability of strong, promising actors to even get a chance, industry suffers from lack of access to genuinely robust products and services to meet their future needs.

I mention AI because it is (still) the most modish current example of such buzzword-focus, and promises to remain so for some time.  I am not in any way claiming that artificial intelligence is just a buzzword.  It is a collection of incredibly promising, fascinating technologies, being developed by many highly intelligent people.  Like the web, the Internet, and the PC before it, AI and its various capabilities will revolutionize many aspects of how we work with technology, the threats we face, and how we prepare for and defend against them – in the information security arena and beyond.

However, this is a call to action to those in a position to look beyond hype, and ensure that more boring, bread-and-butter technologies are not overlooked.  One of the ever-repeated concepts in my business school was the “blue ocean/red ocean” strategy – a fancy way of saying “go where everyone else isn’t”. 

How Can We Fix This?

I do not expect this message to resonate with vendors.   Those who are respectable subject matter experts in any given currently-popular field are unfortunate victims of circumstance, and I only hope that the quality of their work will inevitably speak for itself and help them to succeed.  As for the rest – it’s to be expected that vendors go after customer dollars. 

The same goes for journalists.  In an ideal world, a tech journalist would report on more than what sells subscriptions and views.  In an attention-driven economy, where views-driven advertising budget can displace opportunities for writing about truly relevant tech issues, it is understandable that a publication would rather focus on something attention-getting and in line with current trends.

Likewise, information security leaders mostly have the tools and information to understand what their real needs are, and who is a reliable partner in a congested sector, but they often fall victim to management demands beyond their control.

Those who can make a difference are a) investors and b) senior corporate leadership.  Even as less exciting, more stolid technologies become increasingly commoditized and automated, there is important and top-notch work being done by companies focused on less sexy topics – IoT device patching, network security monitoring, legacy code patching…the list is very long. 

Senior management should always rely on the CISO and their team for guidance on what their organization’s current information security technology needs are, and not the other way around.  As the CISO increasingly becomes a business aligned function, it’s legitimate to expect those who hold the role to have a firm understanding of business needs, abilities, and resources.  This will help companies focus on those technologies that are truly relevant.

It’s About Money, Stupid

Maybe more importantly, investors have a major and often-overlooked role to play in ensuring that “boring”, important topics get the attention they need.  Most venture capitalists probably don’t care what they invest in, as long as there’s a good promise of return.  That is fine – they are in business to make money. 

As an investor, ask yourself – where will I make more money?  In a jam-packed area where funding is pursuing a few great companies, with resulting exorbitant term sheets (leaving many with the dregs)?  Or rather, with entrepreneurs who know that the best way to make money in a gold rush is to sell shovels?

Cybersecurity Reinforced: Elevating Patch, Vendor, and Asset Management for Robust Defence Mechanisms

Introduction In a world where cybersecurity threats are not a matter of ‘if’ but ‘when’, the resilience of an organization’s defence mechanisms is paramount. While instances like the Cisco zero-day vulnerability serve as a reminder of the pervasive threats, they also underscore the need for 

Strengthening Organisational Resilience: A Comprehensive Exploration of Cybersecurity Maturity Models

Introduction October, celebrated as Cybersecurity Awareness Month globally, is a critical juncture for organisations to reflect on the escalating cyber threats that relentlessly test our defences. As we navigate an intricate digital landscape, the adoption and implementation of diverse yet complementary cybersecurity maturity models and 

Navigating the 2023 Cyber Landscape: A Comprehensive Guide for the C-Suite

As we delve into the intricacies of Cybersecurity Awareness Month this year, the intricate dance between evolving digital landscapes and complex cybersecurity challenges becomes ever more apparent. For every organization, especially those at the CISO, C-suite, and boardroom levels, the magnifying lens on cybersecurity has never been more potent. In the wake of sophisticated threats and complex compliance landscapes unfolding in 2023, there are three primary concerns that mandate immediate and strategic attention.

1. Advanced and Evolving Threats

The first concern is the dynamic and continuously evolving threat landscape. AI-assisted attacks and increasingly convincing phishing campaigns are not prospects of the future; they are pressing realities today. Cryptographically relevant quantum computers are not yet here, but data harvested now can be decrypted later, so planning the migration to post-quantum cryptography belongs on today's agenda. Ransomware has metamorphosed into multifaceted extortion operations, and attackers are beginning to use AI tooling to find and exploit weaknesses faster.

Leadership’s role in mitigating these risks involves a nuanced understanding of these advancements. Strategic investments in AI defence mechanisms, employee training, and adaptive security protocols are essential. Leaders must foster a culture of continuous learning and adaptation to counterbalance the evolving threats effectively.

2. Complex Regulatory Landscapes

2023 has ushered in a new wave of regulatory complexities. Data privacy and protection laws have expanded and morphed, responding to the ongoing explosion of data generation and sharing. GDPR, CCPA, and emerging global regulations are setting stringent standards, and non-compliance is no longer an option.

It is incumbent upon organizational leadership to meticulously understand these evolving standards. Effective governance, risk management, and compliance frameworks should be intricately woven into the corporate strategy, ensuring seamless adaptation and alignment with legal and ethical standards.

3. Brand Integrity and Trust Capital

In the interconnected digital ecosystem of 2023, brand integrity is intricately tied to cybersecurity. The contemporary customer is informed, vigilant, and values privacy and security. A single breach can trigger a domino effect, with reputational damage, loss of customer trust, and substantial financial losses trailing behind.

The C-suite’s role in safeguarding organizational reputation is paramount. Promoting a culture where every employee is a sentinel of the company’s integrity, armed with the knowledge and tools to mitigate risks, is not a choice but a necessity.

Integrating Cybersecurity into Organisational DNA

As the curtains rise on the complexities of 2023, integrating cybersecurity into the organizational DNA is an imperative. It extends beyond technological defences, encompassing an informed leadership, a vigilant workforce, and an adaptive organizational culture.

Cybersecurity Awareness Month is a poignant reminder of the collective responsibility to elevate security protocols, enhance awareness, and fortify defences. In the face of 2023’s complexities, a proactive, informed, and adaptive approach to cybersecurity is the linchpin to not only survive but thrive in the intricate digital tapestry of the modern business landscape.

The journey ahead calls for unity, vigilance, and strategic foresight. Each stakeholder, from the boardroom to the operational levels, is a custodian of the organization’s integrity, resilience, and security in the face of evolving threats and opportunities. Every action, decision, and strategy sculpted today will echo in the cybersecurity narrative of tomorrow.

Moving from awareness to establishing a cybersecurity culture : the under used potential of managers

CyAN member Delphine Chevallier discusses the need to do more to involve management closely in the development of cybersecurity maturity in organizations.

Stay Ahead of the Game: Outsmarting Scammers in 3 Simple Steps

Our friends at the Global Anti-Scam Alliance (GASA.org) provide a high level overview of current scam trends and techniques, and how to protect yourself.

The Imperative of Unified Cybersecurity in a Digitalised World

Information Technology and Operational Technology convergence

In our previous discussions, we delved into the multifaceted role of cybersecurity as a strategic business asset. We highlighted its pivotal role in safeguarding revenue, fortifying customer trust, and enhancing operational efficiency. In this discourse, we will dissect why unified cybersecurity has become more crucial than ever, amidst an escalating backdrop of cyber threats targeting Operational Technology (OT).

The Digital Fabric of Modern Society

The fabric of modern society is interwoven with computer-controlled devices that influence the physical, not just digital, sphere of our existence. From delivery robots and intelligent buildings to shipping and transportation, OT permeates our daily activities, revolutionizing the factory floor, managing advanced buildings, steering ships across oceans, and soon, supplanting human drivers on our roads.

While OT presents a goldmine of opportunities to extract data that can be converted into profits, it also carries a great deal of technical debt that amplifies cybersecurity concerns. These concerns threaten to neutralize the potential gains and may precipitate enterprise-wide catastrophes. The convergence of Information Technology (IT) and OT is upon us.

A Glimpse into the Past

The global stage was first introduced to OT security in 2010, when the Stuxnet worm was discovered. It infected Windows engineering workstations running Siemens software and modified the code of the Programmable Logic Controllers (PLCs) driving the centrifuges at Iran's Natanz uranium enrichment facility. The incident set back Iran's enrichment programme and, because the worm spread far beyond its intended target, was found on tens of thousands of Windows hosts worldwide, spotlighting the threat to OT. Fast forward to recent times: Russia orchestrated attacks on insecure UPS devices during its conflict with Ukraine, once again casting a spotlight on the vulnerabilities in OT security.

The Complex Web of OT Security

Securing OT presents a daunting and intricate cybersecurity challenge, compounded by four interrelated issues:

1. The Supremacy of Uptime:

In environments where OT solutions are deployed, uptime is paramount. Any downtime translates to halted production, adversely affecting customers and revenue. This necessitates multiple 9s of availability, overshadowing requirements such as patching or dynamic protections. To avert operational outages, manufacturers often resort to extreme measures, including stockpiling and cloning obsolete equipment like Windows XP PCs to circumvent accommodating dynamic elements in the environment. Hence, the adage “Cash is King” in the Wall Street parlance translates to “Uptime is King” on the manufacturing floor.

2. The Significance of Productivity:

Productivity is a close second to uptime, as more efficient workers yield more products at the same labour cost, thereby generating more profit. Any friction, such as entering a username and password, is perceived as lost time. Increasingly, standardized automation systems are remotely supported by engineers and designers who do not have physical access to the devices but remotely retrieve data or optimize machine parameters. While this maximizes efficiency for the organization, it simultaneously expands the attack surface for cybersecurity.

3. The Longevity of Devices:

Devices in the manufacturing realm are engineered to endure for decades and often carry a hefty price tag. Maintenance on the factory floor typically involves periodically shutting down machines to calibrate sensors, change oil, tighten bolts, or refurbish parts. It does not encompass applying monthly security patches to the HMI or PLC. This oversight is not trivial. The lifecycle of these devices can span 15 to 20 years, unlike the 3 to 5 years of an IT asset, imposing a significant burden on cyber and IT organizations.

4. The Oversight in Design:

The final challenge lies in the exclusion of cybersecurity requirements during the design process. This oversight is not merely a by-product of the technology designed to optimize uptime, productivity, and long lifecycles. It highlights a gap in awareness or understanding of the threat. Contrary to phishing or malware incidents, OT compromises seldom make headlines. They fall into a neglected quadrant of a standard heatmap – highly unlikely but potentially catastrophic – often leaving them unaddressed on the priority list.

Navigating the Hurdles

Despite these obstacles, organizations have a repertoire of options to mitigate risks. These options must be judiciously implemented, acknowledging that some control is better than none, and that excessive friction can be counterproductive. Additionally, it is essential to recognize that OT is distinct from IT. For instance, imposing strong credentials and Multi-Factor Authentication (MFA) on machine operators sharing a shop-floor terminal is impractical. Similarly, your favoured Endpoint Detection and Response (EDR) agent may be incompatible with an HMI or engineering workstation running an old, vendor-locked build of Windows 7, and cannot be installed on a PLC at all, since PLCs run embedded firmware rather than a general-purpose operating system. Moreover, a standard GPO enforcing a session timeout may lock a domain-joined Human Machine Interface (HMI) in the middle of a production run.

A Crucial First Step: Segmentation

The most pivotal control to implement is segmentation. To paraphrase a well-known adage from Las Vegas tourism, “What happens in OT, stays in OT.” Demarcating a boundary between the IT and OT environments is crucial for gaining visibility, identifying risks, and exerting a degree of control. This approach mirrors the barrier between a private network and the Internet. It is inconceivable for an organization to permit unregulated access to the unpredictable terrain of the Internet, given its uncontrolled nature and unknown threats. Similarly, considering the hygiene of a typical OT environment, it should be equally unthinkable to allow unrestricted access between IT and OT.

Building on a Solid Foundation

With a robust boundary in place, it becomes feasible to deploy other core elements of cyber defence. In the cyber realm, Visibility (not Cash) is King. It is impossible to defend against invisible threats. Monitoring traffic entering and exiting the OT segment can unveil surprising risks, but also pave the way to controlling those risks. Is there a surge of SMB traffic infiltrating the OT segment? Investigate the cause and the source. Are third parties remotely accessing the OT segment? Determine who they are and their reasons. Are devices signalling out to known Command and Control (C2) sites? Halt those immediately. Then leverage the incident to craft a comprehensive strategy to safeguard OT, spanning from awareness to asset management, procurement to active prevention, and cyber requirements to remediation.
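The two steps above, a default-deny boundary between IT and OT and monitoring of the traffic that crosses it, can be expressed as a single triage check over flow records. The following is an added example, not code from the original article: it defines a hypothetical allowlist policy for the boundary, parses a small set of constructed flow records (addresses, the jump host, the OT and IT ranges and the "known C2" indicator are all assumptions for the example), and reports exactly the three questions the text asks, namely SMB entering the OT segment, external parties reaching OT directly, and OT devices signalling out to a known Command and Control address, plus any crossing the policy does not allow.

```python
"""Flow-log triage for an IT/OT boundary (added example, not from the article)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical network layout for the example; replace with your own ranges.
OT_NET = ipaddress.ip_network("10.50.0.0/16")        # assumed OT segment
IT_NET = ipaddress.ip_network("10.10.0.0/16")        # assumed corporate IT segment
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}    # only IT host allowed into OT
KNOWN_C2 = {ipaddress.ip_address("203.0.113.45")}    # constructed indicator (TEST-NET-3)
SMB_SURGE_THRESHOLD = 3                               # SMB flows into OT per log window

# Boundary policy: every flow crossing the IT/OT boundary must match one of these.
# Anything else is a violation (default deny).  (source_zone, dest_zone, proto, dport)
ALLOWED = {
    ("jump", "ot", "tcp", 3389),   # RDP from the jump host to HMIs
    ("ot", "it", "tcp", 5432),     # historian replication out of OT
}

# Constructed flow records: "src dst proto dport", one per line, '#' starts a comment.
SAMPLE_FLOWS = """
10.10.5.10    10.50.1.20    tcp 3389   # jump host -> HMI, allowed
10.10.7.33    10.50.1.20    tcp 445    # IT workstation pushing SMB into OT
10.10.7.34    10.50.1.21    tcp 445
10.10.7.35    10.50.1.22    tcp 445
198.51.100.7  10.50.2.5     tcp 22     # Internet host straight into OT
10.50.1.20    203.0.113.45  tcp 443    # HMI beaconing to the C2 indicator
10.50.3.9     10.10.8.2     tcp 5432   # historian replication, allowed
10.50.1.20    10.50.1.21    tcp 502    # Modbus inside OT, no boundary crossing
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def zone(addr):
    """Map an address to the zone the boundary policy reasons about."""
    if addr in JUMP_HOSTS:
        return "jump"
    if addr in OT_NET:
        return "ot"
    if addr in IT_NET:
        return "it"
    return "external"


def parse_flows(text):
    """Parse the simple whitespace-separated flow format used above."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        src, dst, proto, dport = fields
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport)))
    return flows


def findings_for(flow):
    """Return the list of finding names that apply to one flow."""
    found = []
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    crosses_boundary = (src_zone == "ot") != (dst_zone == "ot")
    if flow.dst in KNOWN_C2:
        found.append("c2_beacon")                       # halt immediately
    if crosses_boundary and (src_zone, dst_zone, flow.proto, flow.dport) not in ALLOWED:
        found.append("boundary_policy_violation")       # default deny was not enforced
    if dst_zone == "ot" and src_zone == "external":
        found.append("external_access_into_ot")         # who are they, and why?
    if dst_zone == "ot" and src_zone != "ot" and flow.proto == "tcp" and flow.dport == 445:
        found.append("smb_into_ot")                     # investigate cause and source
    return found


def triage(text):
    """Group flows by finding name so each question in the text gets its own list."""
    report = {}
    for flow in parse_flows(text):
        for name in findings_for(flow):
            report.setdefault(name, []).append(flow)
    return report


def smb_surge(report):
    """True when SMB flows into OT in this window reach the surge threshold."""
    return len(report.get("smb_into_ot", [])) >= SMB_SURGE_THRESHOLD


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for name, flows in sorted(result.items()):
        print(f"{name}: {len(flows)}")
        for f in flows:
            print(f"    {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print("smb surge:", smb_surge(result))
```

The policy table is the segmentation decision written down; the findings are the monitoring. Feeding real flow exports (firewall logs, NetFlow, a span port) through the same check turns "what happens in OT, stays in OT" into something you can measure every day rather than assert once.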

A Complex Yet Manageable Task

Safeguarding OT is a complex and unique task, dictated by its key drivers – uptime, productivity, and extended lifecycles – but it is not insurmountable. The principles employed by cyber defenders to secure information technology can be adapted to protect operational technology; the tools utilized can be successfully modified. As the worlds of IT and OT converge, a well-orchestrated cyber response can facilitate a harmonious merger rather than a collision.

In Closing

The escalating significance of unified cybersecurity in a digitalised world cannot be overstated. As the interconnectedness of our world continues to deepen, it is imperative to invest in robust cybersecurity measures that not only safeguard our digital assets but also ensure the seamless integration of IT and OT environments. By doing so, we can navigate the complexities of this digital age, protect our enterprises, and foster a more secure and resilient future.

Regulatory Compliance: Sidestepping Penalties through Robust Cybersecurity

In our ongoing series, “Cybersecurity: The Unsung Hero of Revenue Protection,” we’ve explored how cybersecurity acts as a strategic business asset, protects revenue, builds customer trust, and enhances operational efficiency. In this final instalment, we turn our attention to the role of cybersecurity in ensuring