As more organizations come on board the digital transformation bandwagon, a major area of concern is cybersecurity. Cybersecurity continues to be one of the top five risks an organization needs to resolve, more so in the fast-moving pace of the 4th Industrial Revolution in which we are now living. In this era everything is connected through the web or internet, and that amplifies the need for strong cybersecurity practices.
Cybersecurity is “the protection of software, hardware, and data resources that are connected and stored in an organization or even at home”. It involves the protection of personal data, financial data, commercial data, business-critical information, operational continuity, data integrity, and the availability of online software, business systems and customer systems. Other components include regulating physical access, controlling malicious intrusion, allowing authorized access, encrypting valuable information and safeguarding privacy.
Cybersecurity relates to the technological processes and procedures that keep valuable data and software resources safe and secure from external threats emerging through the Internet. The physical security of hardware and data centers, together with software source code and intellectual property, are also components of cybersecurity, both directly and indirectly.
The importance of cybersecurity in today’s organization is such that it can’t be left to the IT department alone. Cybersecurity is a Board issue; the unavailability of LUKU services last year is an example of how important it can be. Cybersecurity, as a subset of information security, rests on the three pillars of confidentiality, integrity and availability. Once any one of those is missing from an information system, we have a problem.
What Covid-19 taught many organizations is that digitalization enables business continuity and is a no-brainer in the current era. It also brought the need to urgently secure remote connections and extend the organization’s security practices to new perimeters and devices that were not usually inside the local office or the organization’s boundaries. People could connect from home using a different mobile or internet connection, with any device, which may not be secure.
We shall be looking at some of the challenges facing organizations today in their quest to secure their information systems in a rapidly changing environment. My main goal is to bridge the disconnect at a senior management level that may exist between cybersecurity and business objectives in today’s challenging environment.
The most important point I want to make is that we always secure information systems to enable business, period. What that means in practice is that the Chief Security Officer of yesterday, who was bent on refusing this or that connection for cybersecurity’s sake without understanding business strategy, operations and goals, is going to be isolated.
During the Covid-19 saga quick decisions had to be made, and flexibility was needed in how operations would work. All of a sudden the perimeter of the organization is extended and you need to allow and monitor hundreds of connections, either to your infrastructure or through the cloud. Many of my security people had to brush up on VPN connections and security protocols and on ideal remote working platforms, and of course workers themselves needed to come up to scratch quickly, learning how to use Zoom, BlueJeans, Teams, Skype or other platforms. It was a necessity.
Cybersecurity risk is a business risk, albeit a new one. Just as Senior Management and the Board have been handling financial, market, operational and other risks, cybersecurity risk should not be left to the IT department alone as we become a digitally transformed organization. Boards and senior management teams that understand this include it in their Governance agenda and set controls to mitigate it. Those that ignore it do so at their peril. The tone at the top should acknowledge it as a business risk, so that the cybersecurity strategies brought forward can be supported and hence bear fruit.
A key problem I see is that a number of Cybersecurity Managers (Heads of IT included) still do not know how to explain to senior leadership the importance of cybersecurity in relation to the business’s goals and objectives. They may explain things in the tactical and technical terms we are used to in cybersecurity, whereas what is needed is to align the cybersecurity strategy with the business one. How is cybersecurity, let alone ICT, enabling our business goals? Business leaders are hearing all these tech buzzwords of Artificial Intelligence, Cloud, Big Data and Blockchain, and how they can make profits grow exponentially. The missing piece is this: if ICT is going to use these technologies, how are cybersecurity heads or managers going to address the risks brought on by enabling these emerging technologies?
A Cybersecurity strategy should cover the major risks while still enabling the business to achieve its goals. The Cybersecurity Strategy needs to be aligned with the business strategy, and explained and articulated well to the Board and senior management. Traditionally the all-too-common voice of security was to block and tell you the ways in which the innovation would not work, without aligning its strategy with the business one. A certain amount of residual risk always remains, and management and the board have been dealing with this since time immemorial.
As cybersecurity professionals we need to outline how our cybersecurity strategy identifies and protects an organization’s High Value assets and mitigates the specific threats of our industry and region. Many a time we haven’t truly identified an organization’s high value assets. You may think it’s the server infrastructure, when it may actually be the undocumented source code of your locally developed national payments system, or the expensive database software license that holds critical data.
Identifying and protecting the real crown jewels of the organization is of paramount importance, and it is a question on which every board or senior management of an organization seeks assurance.
Another thing is that our cybersecurity fundamentals should protect against and mitigate the specific threats that are related to our industry and are happening in the region. There is no point mitigating advanced industrial control attacks if that’s not your industry. I see lots of advanced cybersecurity tactics go to waste in organizations because they protect against attacks that are not relevant to the industry.
That’s not to say Cybersecurity shouldn’t protect against global vulnerabilities that may affect masses of ICT infrastructure, like the Log4Shell vulnerability. Log4Shell, an internet vulnerability that affects millions of computers, involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems. This is actually a good question to ask cybersecurity professionals: how do their fundamentals (tactics) cover global vulnerabilities?
The point I am making, though, is that specific local and regional threats and industry-specific threats should already be covered by your cybersecurity fundamentals. So often we see a banking Trojan used against one bank after another in a short space of time, like a week or two, as happened in Kenya in 2019.
A long time ago there was the threat of a local virus called Oginga Odinga. Guess what: at that time there were no antivirus signatures for it from Norton or McAfee, because it was a region-specific threat (East Africa).
So before advanced security measures, cybersecurity fundamentals should cover regional, local and industry-specific threats. Another example is not using the threat intelligence from TZ CERT (from TCRA; it’s free!). A major telecom organization was compromised when the key threats used to exploit it were listed in the TZCERT alerts! So local, regional and industry threats should be covered before addressing advanced cyber threats; that’s good strategy, as budgets are limited.
Cybersecurity Fundamentals should protect against the five ways organizations are breached or compromised:
- Weak, Leaked or Stolen Credentials
- Social Engineering
- Security Misconfigurations of Hardware and Software
- Vulnerabilities in Software and Hardware that are exploited
- Insider attacks (loner, collusion or accidental)
An interesting observation I have made is that Cybersecurity and Compliance teams often clash and conflict over frameworks and configurations. This happens when there is a disconnect between the Cybersecurity Strategy and the Compliance strategy: one cites NIST Cybersecurity Framework 1.1, the other maybe ISO 27000 or COBIT 2019! Organizations may struggle to harmonise framework conflicts, with compliance sometimes forcing the issue and saying they are responsible for the risk appetite and position!
This arises especially when a key internal control differs from an international standard. A local internal control says something different from, say, the PCI-DSS standard … one may be newer than the other.
Both Compliance and Cybersecurity are important: compliance is driven by regulation and liability, while cybersecurity is driven by protection, detection and response.
There should be a normalization and alignment of frameworks, and Cybersecurity and Compliance should work together to meet framework needs while remaining able to respond to modern-day threats.
One thing is clear though, any organization that puts a higher priority on compliance will eventually be compromised.
Cybersecurity as a whole suffers from a severe shortage of talent, and this is a global problem. It is important to recognize and assess the talent and capabilities that an organization has in house. This goes for the Operational and Tactical areas, the Risk Management areas, and the strategic and governance areas of cybersecurity.
Usually many start out with technical, tactical and operational skills but fail to advance beyond middle management levels, which require risk mitigation, governance and strategy skills.
No wonder we sometimes have presentations on cybersecurity that are heavily punctuated with technical terms and short on alignment with business strategy metrics and goals.
It’s not an easy thing to find such talent, which is much needed going forward in this 4th Industrial Revolution and its volatile, uncertain, complex and ambiguous (VUCA) environment.
New emerging technologies are being integrated and used rapidly with little advice on where the risks are or how to secure and enable business innovations needed currently and for the future.
Cybersecurity is hard because of its breadth and depth, mixed with complex technologies: professionals have many areas to cover, while the opponent needs only to find one single weakness in the organization’s ICT infrastructure, processes or people. This keeps the battle tilted in favor of the adversary, and cyber defenders are always in catch-up mode.
This is starting to change as new emerging technologies like Cloud technology, Blockchain and Artificial Intelligence converge to give us new tools and ways to defend.
It does, however, further widen the talent gap, and that brings us to the only constant we have known in cybersecurity: training is the key! For everyone in the organization, cybersecurity awareness is a must.