Webinar: A CISO panel on weaving security into the business strategy

I had a lot of fun participating in a panel discussion with fellow CISOs exploring the link between cyber security and business strategy. It’s a subject that is very close to my heart and I don’t think it gets enough attention.

In the course of the debate we covered a number of topics, ranging from leveraging KPIs and metrics to aligning with the Board’s risk appetite. We didn’t always agree on everything but I believe that made the conversation more interesting.

As an added bonus, my book The Psychology of Information Security was highlighted as an example of things to consider while tackling this challenge and to improve communication.

You can watch the recording on BrightTalk.

How to secure a business in decline

Many business have felt the economic impact of the Covid pandemic. Depending on the industry, some managed to adapt and pivot to new models and ways of working, but not all were successful.

As a result, some companies were unable to continue to operate profitably and entered administration. The cause of financial troubles, however, doesn’t have to be pandemic-related to pose new security challenges.

In this blog I would like to share some of the priority areas for a security leader in a business in, sometimes rapid, decline.

As the business is failing, the leadership might not treat cyber security as their top priority. However, the organisation still has obligations to its customers who entrusted the company with their data and comply with relevant laws and regulations. It goes without saying that previously identified cyber security threats and risks are unlikely to disappear either.

If there is a chance of survival, a poorly managed security incident can be the last straw.

How should security teams adapt? What should they focus on?

Broadly speaking, there are two main areas a CISO can support the business: securing a potential rescue deal and managing the decline.

There are investors specialising in distressed businesses and part of the administration process might involve looking for a capital injection or an acquisition of a failing company.

Potential investors would understandably need to know what they might be buying which normally involves conducting due diligence on the target. Although circumstances are different, the process itself is very similar to an M&A scenario or a startup acquisition.

As a security leader, it’s your job to provide transparency on the matters related to data protection, past breaches and existing security controls and processes. If done right, it presents the business in a favourable light as a well-governed enterprise, increasing investors’ confidence and therefore chances of a successful rescue deal.

In many ways, this is comparable to overseeing a divestment. A lot of such conversations are confidential, so raising awareness of what can and can’t be shared externally (including on social media), and maintaining appropriate need-to-know access controls is paramount.

Some things, however, are outside of our control and sometimes all we can do is to make the best out of a bad situation.

There are a few key areas to pay attention to when it comes to embedding security for a business in downturn.

People. There will naturally be a lot of leavers, so having a robust joiner-mover-leaver process is key. All access permissions should be timely revoked when no longer required. In addition, data loss prevention controls and broader insider risks should be considered as the morale in the company worsens. On a positive note, people and a culture of security can significantly contribute to the company’s security posture, especially in the conditions of scarce resources (see next point).

Resources. Investment in security is going to understandably diminish. Some of the top talent will leave, so you will have to learn to do more with less. If your desired control to mitigate a particular risk is no longer affordable, what is the next best thing? Can this be done cheaper, or better still, for free? Business leadership should be made aware of the potential consequences of risk acceptances, and there will likely be a higher than usual number of these.

Data. There also might not be enough money to pay for non business critical systems and services. These should be decommissioned in the way that ensures that sensitive (including personal) data is destroyed securely in line with company’s retention policies. Having data maps and asset inventories is invaluable to maintain visibility.

Sustaining operational resilience in the face of cost pressure is challenging but not impossible. For many, it’s a unique learning experience regardless of the outcome.

Cyber incident readiness

As many organisations are recognising and experiencing first-hand, cyber-attacks are no longer a matter of if, but when. Recent cyber breaches at major corporations highlight the increasing sophistication, stealth, and persistence of cyber-attacks that organisations are facing today. These breaches are resulting in increased regulatory and business impact.

More

Cyber security in the Oil & Gas industry

Energy

Oil & Gas has always been an industry affected by a wide range of geopolitical, economical and technological factors. The energy transition is one of the more recent macro trends impacting every player in the sector.

Companies are adjusting their business models and reorganising their organisational structures to prepare for the shift to renewable energy. They are becoming more integrated, focusing on consumers’ broader energy needs all the while reducing carbon emissions and addressing sustainability concerns.

To enable this, the missing capabilities get acquired and unwanted assets get divested. Cyber security has a part to play during divestments. preventing business disruption and data leaks during handover. In acquisition scenarios, supporting due diligence and secure integration becomes a focus.

Digital transformation is also high on many boards’ agenda. While cyber security experts are still grappling with the convergence of Information Technology (IT) and Operational Technology (OT) domains, new solutions are being tried out: drones are monitoring for environmental issues, data is being collected from IoT sensors and crunched in the Cloud with help of machine learning.  These are deployed alongside existing legacy systems in the geographically distributed infrastructure, adding complexity and increasing attack surface.

It’s hard, it seems, to still get the basics right. Asset control, vulnerability and patch management, network segregation, supply chain risks and poor governance are the problems still waiting to be solved.

The price for neglecting security can be high: devastating ransomware crippling global operations, industrial espionage and even a potential loss of human life as demonstrated by recent cyberattacks.

It’s not all doom and gloom, however. There are many things to be hopeful for. Oil & Gas is an industry with a strong safety culture. The same processes are often applied in both an office and an oil rig. People will actually intervene and tell you off if you are not holding the handrail or carrying a cup of coffee without a lid.

To be effective, cyber security needs to build on and plug into these safety protocols. In traditional IT environments, confidentiality is often prioritised. Here, safety and availability are critical. Changing the mindset, and adopting safety-related principles (like ALARP: as low as resonantly practicable) and methods (like Bowtie to visualise cause and consequence relationships in incident scenarios) when managing risk is a step in the right direction.

Photo by Jonathan Cutrer.

One year in: a look back

In the past year I had the opportunity to help a tech startup shape its culture and make security a brand differentiator. As the Head of Information Security, I was responsible for driving the resilience, governance and compliance agenda, adjusting to the needs of a dynamic and growing business.

More

About me

Thank you for visiting my website. I’m often asked how I started in the field and what I’m up to now. I wrote a short blog outlining my career progression.

More

I’m joining PigeonLine’s Advisory Board

I’ve been asked to join PigeonLine as a Board Advisor for cyber security. I’m excited to be able to contribute to the success of this promising startup.

PigeonLine is a fast growing AI development and consulting company that builds tools to solve common enterprise problems. Their customers include the UAE Prime Ministers Office, the Bank of Canada, the London School of Economics, among others.

Building accessible AI tools to empower people should go hand-in-hand with protecting their privacy and preserving the security of their information.

I like the company’s user-centric approach and the fact that data privacy is one of their core values. I’m thrilled to be part of their journey to push the boundaries of human-machine interaction to solve common decision-making problems for enterprises and governments.

How to detect threats in AWS with GuardDuty

GuardDuty

Once some basic asset management, identity and access management and logging capabilities in AWS have been established, it’s time to move to the threat detection phase of your security programme.

There are several ways to implement threat detection in AWS but by far the easiest (and perhaps cheapest) set up is to use Amazon’s native GuardDuty. It detects root user logins, policy changes, compromised keys, instances, users and more. As an added benefit, Amazon keep adding new rules as they continue evolving the service.

To detect threats in your AWS environment, GuardDuty ingests CloudTrail, VPC FlowLogs and VPC DNS logs. You don’t need to configure these separately for GuardDuty to be able to access them, simplifying the set up. The price of the service depends on the number of events analysed but it comes with a free 30-day trial which allows you to understand the scope, utility and potential costs.

It’s a regional service, so it should be enabled in all regions, even the ones you currently don’t have any resources. You might start using new regions in the future and, perhaps more importantly, the attackers might do it on your behalf. It doesn’t cost extra in the region with no activity, so there is really no excuse to switch it on everywhere.

To streamline the management, I recommend following the AWS guidance on channelling the findings to a single account, where they can be analysed by the security operations team.

Master

It requires establishing master-member relationship between accounts, where the master account will be the one monitored by the security operations team. You will then need to enable GuardDuty in every member account and accept the invite from the master.

You don’t have to rely on the AWS console to access GuardDuty findings, as they can be streamed using CloudWatch Events and Kinesis to centralise the analysis. You can also write custom rules specific to your environment and mute existing ones customising the implementation. These, however, require a bit more practice, so I will cover them in future blogs.