Technology Reseller v47

CYBER SECURITY technologyreseller.co.uk

A change of approach

Moving from data protection to cyber resiliency

Deneen DeFiore: Historically, people thought about cybersecurity in terms of data protection – let’s protect the PCI data or let’s protect the PII data – and we had strategies to do that. Now, the thinking is more around cyber resiliency, because something that can cause operational disruption has a cascading effect across the ecosystem, especially in aviation, where an issue with an operational system can mean not being able to get planes off the ground. I think there’s been a shift in mindset from just thinking about cybersecurity from a data protection standpoint to having a cyber resiliency strategy, because it does take everybody in the operation to understand the impact of and reduce the blast surface of an attack. And it’s not only within your own organisation, because of how connected we are to partners and third parties. In United’s case, our assets are mobile and we operate at airports across the world, and each one is different. All that variation in the ecosystem really makes it imperative to understand impacts and to have a resilient cybersecurity approach.

Cyber resilience is good corporate governance

Joanna Burkey: It’s interesting that we aren’t sitting here talking about IT infrastructure, but about broader business. We’re talking about understanding how certain threats can affect each of our businesses specifically, and that, I think, is a cause for optimism, because we’re maturing and evolving the conversation. The way I interpret this is it all comes down to good corporate governance in a way that is specific to your enterprise. At HP, we are setting very aspirational goals for ESG, and when you think about risk topics, like financial risk, privacy risks, cyber risk, making the right decisions for your enterprise is all about governance. That’s an interesting lens to look at threats and resilience through. Resilience is going to mean one thing to Deneen at United and a different thing to me at HP. And that’s a plus – a feature not a bug. When we start to make those connections, we can really start to understand how all of this is key to running your enterprise the right way.

Focus on the vector, not every threat

Ian Pratt: The key thing is to take the conversation up a level. If you’re trying to focus on individual techniques and procedures that people are exploiting, you’re always going to be behind the curve. There are so many vulnerabilities out there ready to be found and exploited that if you’re operating at that level, it’s going to be a case of trying to detect what’s happening and then catching up. You really need to look at approaches that deal with classes of issue, so you can deal with a whole vector of attack that might have 100 separate issues.

years, there’s been a realisation we have to make the cybersecurity tent bigger in terms of the skills that we bring in and the people we bring in. Those of us in the field, especially those who got into it a long time ago, don’t really do ourselves a service in the way we talk about our field. It can be very obtuse, with a special lexicon; at times it almost feels as if you need a special handshake. I don’t think that has served us well, and there’s a realisation these days that we must make the cybersecurity tent bigger. There is talent out there if we think about it differently. We can bring in non-traditionally educated people – we don’t necessarily need college degrees for every role. We can target folks in their mid to late careers who have a lot of skills in things like risk management and communication, for example. There is a rich set of skills out there that absolutely will make cyber more resilient.

Fight complexity

Ian Pratt: Reducing complexity and reducing the attack surface are key because so many problems are caused by legacy. Many of the systems we use and are probably sitting in front of right now have their roots in the 1980s and were built at a time when security was not front and centre of what people were worrying about. There’s this enormous legacy of vulnerable technology out there and pretty much an infinite supply of vulnerabilities for attackers to go after and exploit. As an industry we have done a good job over the last few years of clearing up mess faster than we’ve made new mess, but this is a battle that’s going to be waged for at least the next couple of decades until everything is replaced with technology in which security is built in from the beginning as a key design goal.

Minimise the blast surface

Ian Pratt: There’s a set of engineering techniques and principles that have stood the test of time and been used to build very secure systems – things like the principle of least privilege, reducing access rights to any given, whether it’s a person or a computer or an application running on that computer, and then isolation to ensure you limit what can happen, for example by putting things in a container so that even if something goes wrong inside that container, it’s not going to spread. You build to cope with failure, because there will inevitably be failure; it’s how you cope with it, how you remain resilient that matters. We have to look at how the new systems we build take advantage of these principles and how we retrofit them to existing systems.

Top tips

Deneen DeFiore: Keep in mind the business outcome you’re trying to achieve, rather than talking about every threat and trying to defend your organisation against everything that could happen.

Kurt John: Build strong, resilient, dynamic, diverse teams – not just cognitively diverse, but diverse across the board. That’s the number one way to drive creativity.

Joanna Burkey: Really think about how cyber strategy in your business emphasises and promotes good corporate governance. I really believe that’s the right way to make an enterprise-specific strategy. Make the G in ESG really mean something.

Ian Pratt: So many of these attacks end up leveraging privileged users, the sysadmins, even the security people. Often, they’re a link in the chain of how an attacker turns a simple breach of, say, an endpoint into an expensive enterprise compromise. Do all you can to make lateral movement and escalation hard.
