Besides reacting to global cybersecurity scares by strengthening hard/software, what else can be done? A security expert offers some pointers.

In an era where cyberattacks and data breaches seem inevitable, are organizations doing enough by focusing on prevention? Will organizations be prepared to respond quickly, recover and maintain their operations, should they encounter a cyber security incident? Does this form of “cyber resilience” require an out-of-the-box mindset over and above a reactive security stance?

Time to tweak the security approach

To find out what new security paradigm enterprises may need to brace themselves for the future of AI-powered cybercriminals, Cybersec Asia met with a spokesman for DXC Technology Asia – a Fortune 500 company formed by the merger of Hewlett Packard Enterprise’ Enterprise Service Segment with Computer Sciences Corporation (CSC).

Adballah Zabian, DXC’s general manager for Security and Analytics Services, shares his insights via a series of probing questions on nurturing a culture of cyber resilience:

Q. How well prepared are organizations around the world – and especially in Asia Pacific – to respond quickly, recover and maintain their operations, should they encounter a cybersecurity incident?

Cybercriminals today are constantly evolving, and their tools are becoming more sophisticated. Enterprises are unable to reduce the increasing gap between their security posture and the widening threat landscape. Cybersecurity today can no longer be treated in isolation from the rest of the business; it must be approached with a strategic view.

One key thrust is going digital – while this poses new security risks for enterprises, it also offers a platform for organizations to revolutionize security. If organizations want to survive and thrive in the digital world, the new security architectures that digitalization enables must be accompanied by new security technologies and partnerships.

To cite an example, in last year’s SingHealth hacks incident, the authorities stopped information from going out immediately after the attack, allowing them to launch an investigation right away and monitor the hackers. The response was coordinated across the government – involving ministries, and officials in charge of health, cybersecurity, and critical information infrastructure protection and digital service policies.

We now see that the evolution of cybersecurity is no longer only about responding, it is now also about the speed and ability to remediate. Organizations must therefore consider partners with strong end-to-end capabilities as this will result in a more holistic approach to protecting the enterprise.

Q. How could organizations better survive and continue to execute on long-term strategy when hit with a cybersecurity crisis?

With today’s evolving technology and cybersecurity landscape, the responsibility for improving security starts and finishes in the boardroom. Active defense allows the cybersecurity team to focus on managing cyber risk in accordance with the business’s goals and risk appetite. Rather than continue in a passive stance, organizations must adopt an “active defense” model: they should assume that they have been breached, and start from this scenario. 

Active defense requires organizations to anticipate attacks before they happen, detect alarms to contain attacks, and adopt a tiered approach to protecting critical assets. Organizations need to engage and deflect attackers in real-time by combining threat intelligence and analytics resources within the IT function.

AI can help governments and enterprises monitor and identify possible threats quicker than humans would on their own. By using AI and analytics organizations can start looking at correlations that could have been missed, helping them improve their ability to detect unknown threats. It is important that we as individuals are aware that it is our responsibility to protect the digital assets we interact with on a daily basis. If everyone remains vigilant and follows and maintains good security practices when navigating in and out of the digital world, we will all be contributing towards a safer and more digitally secure Singapore. 

Q. Why is a security governance strategy important for any organization? What are some key considerations in such a strategy?

In the past, cybersecurity has often been viewed as the responsibility of individual businesses to undertake and not a critical one at that. This is largely due to the lack of a perceived tangible correlation to business outcomes. However, the landscape is changing – enterprises must strike a balance between protecting critical assets, detecting compromises and responding to incidents. 

To be resilient, enterprises need to focus on protection, detection and response. An enterprise cyber resilience strategy includes three main components:

  • Adopt existing business and IT systems to next-generation threats
    • Think strategically with assessments and plans
    • Identify and access management capabilities and endpoint access
    • Operate optimally using a holistic approach 
    • Take a technical snapshot before planning and rebuilding
  • Update your cybersecurity governance strategy
    • Protect critical assets through proactive planning
    • Detect next-generation threats with enterprise-wide visibility
    • Respond rapidly to preserve business continuity
  • Create a resilience-conscious culture
    • Think beyond security
    • Educate the first line of defense
    • Foster collaboration across the organization 

Nationwide efforts like Singapore’s Cybersecurity Act that centralize defenses under a common denominator and provide vulnerability remediation are a nod in the right direction because safeguarding critical infrastructure is everyone’s responsibility.

  • Start with the assumption that a cyber incident can and will occur at any point, and that enterprises need to be ready to deal with it.
  • Education is also key – organizations and governments need to embark on an active campaign to train their employees and citizens to become more cyber aware.

Q. What does it mean to have a cyber-resilient culture?

For enterprises to become truly cyber resilient, they must be prepared for the worst to happen – it’s no longer about whether a hack will occur, but rather, about the likely consequences of a breach when it occurs. Protection is important, but organizations must also develop strategies to ensure durable networks and take advantage of the opportunities that digitalization can bring.

Making the IT landscape cyber resilient requires investments in areas such as infrastructure, design and development of systems, applications and networks. At the same time, organizations must create and foster a resilience-conscious culture, of which security is an essential part, and which forms part of a holistic approach to security that takes all aspects of the business into consideration.

Improving security is not a one-time project, but a program of continuous improvement. Changing the corporate culture is rarely easy, especially when adjusting how personnel perform familiar tasks – but to achieve cyber resiliency, it’s important to go beyond establishing a security conscious culture to foster a resilient one. 

Cyber resiliency is about establishing a policy and process that helps an organization to survive and continue to execute its long-term strategy in the face of evolving security threats. While threats and hackers cannot be kept out forever, an organization’s cyber-resistant culture can minimize the distraction and damage while ensuring that the organization stays focused on the business at hand. 

Q. How could cyber-resiliency become part of a holistic approach to security? How could organizations make their IT landscape more cyber-resilient?

Businesses get stronger through cyber resilience – Enterprises should focus on becoming even more resilient to threats by planning and practicing for cyber-attacks in advance, as well as any potential business threat such as natural disasters or human error. 

To become cyber resilient, enterprises must strike a balance between protecting critical assets, detecting compromises and responding to incidents. Making the IT landscape cyber resilient requires investments in areas such as infrastructure, design and development of systems, applications and networks. 

At the same time, organizations must create and foster a resilience-conscious culture, of which security is an essential part. To be resilient, you must design for it, with a focus on protection, detection and response. An enterprise cyber resilience strategy includes three main components stated earlier.

In a nutshell, cyber resilience needs to be a top priority for any organization, from the board of directors to every employee. There needs to be a sense of urgency, coupled with the agility to adapt and respond quickly. It is also an ongoing pursuit – a measure of cyber resiliency can be accomplished by mapping all objectives to deliverables to ensure the full traceability of benefits.