I recently had the opportunity to join Tim Orchard and James Hatch of BAE Systems Applied Intelligence in a webcast discussion on how to defend your business against cyber threats.
The technology component to mitigating cyber risk is a critical factor. As Chief Information Security Officer, (CISO) of a global organization and in light of the U.S. Department of Homeland Security Cyber Security Awareness Month, I wanted to share these perspectives with you.
In the globalized digital world, responsibilities of government and private sector are continuously shifting and increasingly overlapping. Organizations and private companies are working on more protection, enforcement and intelligence.
What it means to defend a business also changes, and organizations need to do three things:
- Focus on the right things via intelligence and risk management to understand where the risks are coming from
- Be thick-skinned and robust – have technology systems that are hard to get into and hard to damage
- Be operationally active – to be able to deal with issues when they arise
In response to these goals, I’ve outlined five critical components that can help your organization achieve strong cybersecurity measures.
1. Understand the underlying cyber risk
At Willis Towers Watson, our cyber consultants and brokers work with companies globally to understand cyber risks and work to understand what that underlying risk is about. There are two main risks that we seek to defend against, that are so fundamentally different that we need to be prepared with responses to each:
- An external cyber-attack, where a hacker or external person is coming in and trying to compromise corporate systems – these are often malicious in nature and range from denial of service, to compromising data or systems integrity, to a hacking attempt combined with social engineering activity.
- A privacy breach – sometimes the result of an external threat, but often driven by an internal employee working within network. When caused by an internal party, these are often accidental but, sometimes, can also be malicious.
The first step in active cyber defense is to properly understand these threats, your ability to protect against them, and quantify the risk exposure you face. This allows both investment and activity to be prioritized effectively.
2. Thicken your organization’s skin from the inside out
Being thick-skinned usually means having a network perimeter set to protect against external threats, but we need to start thinking about bringing this inside, too. We have to be thick-skinned throughout, because many threats today are internal as well as external.
3. Build a cyber-savvy workforce
This is a big challenge because we’re dealing with people and our systems aren’t always as people-centric as they need to be. So, to understand the risk and work out what level of control and mitigation we need, we first need to understand just how thick-skinned our organization needs to be, how responsive we need to be, and what those risks mean to us across each stakeholder group of our organization. Training, in many cases, needs to be tailored and embedded into company culture in order to build — and maintain — a cyber-savvy workforce.
As security specialists, we understand what the threats are, who/where they’re coming from, how likely the risk is to happen and what impact it will have on our organization. This requires some quantification, an area in which security is least mature. The traditional way of quantifying things is to look at the past – what’s the impact and how does it relate today? This doesn’t work very well in cyber.
While we don’t have a track record of breaches and events that we can follow over a long period, data-sharing and the increasing role of government is beginning to change this. Additionally, we need to better quantify the impact of a breach and consider this holistically across stakeholder groups as peoples’ impacts are changing as well as the government’s role and regulations. Willis Towers Watson has a proprietary cyber risk quantification tool that helps organizations quantify this risk.
4. The basics are harder, more important and not enough
Understanding risk management – doing the basics to protect your organization against cyber risk – is becoming harder because the environment we’re working in is more complex. Thankfully, we’re inheriting some new tools that are huge accelerants to better understanding the technology challenges to cyber risk. The basics are harder, more important, and definitely not enough. We no longer live in an environment in which doing the basics is a catch-all for cybersecurity risk. We need to master the basics and embrace the new technologies to better mitigate cyber risk.
5. We can’t remove the human element
The hackers, the malicious actors, are unstructured in their approach. They’re not interested in what technology we have so they can understand how their attack can be caught by it. They’re interested in understanding how we work so they can work around it. Understanding your organization’s Cyber IQ is one of the first defenses in this battle.
Artificial Intelligence is the future of advanced protection. There are capabilities out there that can look beyond the rules and respond to the human element, because at the beginning of a threat, there’s always a person – so, you can’t take the human element out of the equation.
Our organizations are complex, but our capabilities aren’t there yet. We need to go beyond cybersecurity awareness training and phish testing. Organizations also need to have a way of measuring those employee behaviors that create vulnerabilities and address those talent and skills gaps that will be necessary as artificial intelligence becomes more prevalent.
Learn more about comprehensive cybersecurity from Willis Towers Watson.
Matt Palmer is Chief Information Security Officer at Willis Towers Watson.