Essential points to know before implementing a cybersecurity transformation program
In light of the recent explosion of cyber attacks and the changes brought about by the pandemic, there appears to be a compelling need for cybersecurity transformation. Businesses have to update their cyber defenses or risk the possibility of falling prey to persistently sophisticated attacks.
Transforming an organization’s security posture, however, is not as easy as it sounds. It takes time, expertise, and resources. One bad decision or an inadequacy in the technologies employed will render the transformation useless. Things can even become worse than the previous state. To make sure that it yields the expected benefits, organizations need to do it correctly.
To be clear, cybersecurity transformation is not some arbitrary phrase used to describe any kind of change in an organization’s cybersecurity system. PwC describes it as a process that enables the rapid reduction of cyber risks while adopting new digital technologies in support of an organization’s strategic goals.
Deloitte takes a similar view of cybersecurity transformation, stating that it entails the need "to rethink current approaches to managing cyber risks." Deloitte suggests that transformation must lead to "a new secure, vigilant, and resilient approach to manage these (cyber) risks and create a cyber risk-aware culture, from the top down."
From reactive to proactive
Most of the existing security models used by organizations tend to be reactive. They usually build upon a legacy IT architecture and simply add new controls as the need arises or based on updated threat intelligence. This way of addressing threats is far from ideal as far as the rapidly changing landscape of cyber risks is concerned. "This causes an increase in the attack surface and cyber risk exposure," PwC says.
To achieve a more effective security posture, a transformation is in order. A hodgepodge of security solutions is not going to deliver the kind of protection organizations need when dealing with relentless and resourceful cybercriminals.
It is important to switch to more advanced and proactive defenses, including continuous security testing. Installing defenses is not enough. These defenses have to be tested continuously to make sure that they work as intended. Enterprises accustomed to standard cyber protection tools and security measures should consider using a continuous security validation platform, which goes beyond basic malware and attack detection solutions.
"Security and risk management leaders must confront the threat landscape based on a continuous assessment of threat and business evolutions," according to security research by Gartner security analyst John Watts.
Continuous security validation combines the capabilities of multiple security measures, including threat detection validation, security control optimization, SIEM/SOC validation, purple team automation, full kill-chain APT simulation, cloud and on-prem infrastructure configuration, and social engineering awareness.
Additionally, advanced security testing solutions will need to implement the MITRE ATT&CK framework to undertake a thorough evaluation of possible threats and optimize security against evolving attacks in a comprehensive manner.
The new cybersecurity system should be prepared to deal with emerging threats by adopting smart cyber threat intelligence that may be augmented by AI or machine learning. As threat detection capabilities improve, the amount of security information generated also increases exponentially. It would be difficult to keep track of all security events and differentiate serious threats from minor or benign issues. A system powered by artificial intelligence can help address this challenge.
Trends that drive transformation
PwC highlights five "attack surfaces" that are increasingly being targeted by hackers and other cybercriminals. These are the supply chain, the remote working setup, Internet-of-Things, digital channels, and the cloud. As more organizations and individuals turn to internet-based work and business, these attack surfaces become more vulnerable without the right intervention.
New vulnerabilities and attack points have emerged out of supply chains as companies expand their networks and work with more third-party suppliers or service providers. One of the best demonstrations of the importance of supply chain security is the SolarWinds attack, which exposed thousands of organizations, including US government agencies, to security breaches. This happened as hackers successfully infiltrated a third-party software supplier (SolarWinds) and used it as a jumping-off point for attacks.
Remote working also presents new security challenges by creating network arrangements that are unfamiliar to end-users and IT teams. It opens up more opportunities and vulnerabilities that allow bad actors to access and exfiltrate sensitive data. Remote workers who settle for weak passwords, for one, pose a critical threat to the security of an entire organization.
Similarly, the use of IoT expands networks, particularly the number of connected devices that can be used as entry points for attacks. Poorly secured devices can easily allow hackers to breach a network, spread malware, or steal data.
More digital channels are welcomed in the new normal, where people transact with minimal to no physical interaction. However, they also present more cybersecurity challenges. Without proper security controls, these digital channels can also serve as extraction points for sensitive data or entry points for malicious software.
Lastly, the increasing reliance on cloud solutions requires a greater need for cybersecurity transformation. The cloud infrastructure offers significant advantages, but not many organizations have the proficiency to secure it properly.
Transformation takes time
In a recent interview with Consultancy.org, noted cybersecurity consultant Sara Ng acknowledges that it takes time to implement transformation programs. "But there are still real changes you can make within a 12-24-month period," Ng asserts.
Ng identifies four phases of cybersecurity transformation, namely planning, mobilization, execution, and transition.
Planning by itself is already a meticulous process, which includes the formulation of a strategy based on updated security perspectives. Ng also suggests having "no-regrets" activities alongside planning, wherein organizations presume that the attacks always succeed so they can come up with swift mitigation measures and other contingencies.
Mobilization is about establishing solid foundations to support security transformation. This entails the identification of key performance indicators through steering committees. This is also the phase where accelerators are introduced to kickstart the transformation program.
The execution phase is where the muscle crunching begins. This is when the new system is put in place then tested, tweaked, repaired, tested again, and subjected to an endless cycle of security verification. As mentioned, modern cyber threats keep evolving, so a security posture cannot be static. The cybersecurity transformation itself calls for a continually evolving system to adapt to new risks and attacks.
Finally, the transition period happens. Even after all the testing done during the execution phase, there is no guarantee that the organization itself will meld seamlessly with the new system. Employees have to undergo training to match their mindset, know-how, and skills with the new cybersecurity posture. Likewise, there will likely be a need to upgrade software and, in some cases, hardware. The organization may also need to provide new resources in support of the new system.
The inevitable need for transformation
With all the changes that happened over the past years and the increasing volumes and sophistication of cyber attacks, organizations are faced with an unavoidable need to transform their security controls. The conventional patchwork and incremental improvements are unlikely to deliver the best security outcomes.
The discovery of the massive SolarWinds attack was a shocking wake-up call for security teams across the board. It wouldn’t be surprising if organizations are already conducting thorough evaluations of their security posture. Some may even be doing a full overhaul to root out all weaknesses and potential sleeper malware in their networks.
Peter Davidson works as a senior business associate helping brands and start-ups make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.