Many of us who have worked in the technology industry for years agree that the pace of innovation is increasing faster than we’ve ever seen before. The time span from the development of an IT concept to its launch continues to shrink, and the volume of new technologies available to the public is expanding exponentially. At the same time, cloud computing is allowing more people to “connect” globally, every day. Although it’s an exciting time for the technology industry, it also poses many security challenges for IT leaders and ultimately for our nation.
Security threats are evolving and becoming more complex and difficult to detect. The widespread use of sophisticated technologies such as Artificial Intelligence (AI) and the Internet of Things (IoT) will also open up possibilities for new breeds of security risks to develop.
A multi-faceted security plan, including an internal policy and a response plan that’s updated annually, is now crucial for every organization. The objective of such a plan should be to address current risks, predict future threats and have processes in place to mitigate attacks quickly.
Private and public organizations in each state need to work collectively to implement security strategies and form a cohesive network to share information. Incorporating industry standards and actions taken by peers, as well as following best practices, is also essential.
Three fundamental components should be included in a security plan:
Security threats can vary by country, state, industry and organization. To fully understand the magnitude of threats occurring nationally, it’s imperative to form solid partnerships with security stakeholders such as the FBI, DHS, ISACs, TSA, InfraGard, USSS and Fusion Centers (counter-terrorism centers). A full scope of common threats and trends, as well as severity levels, is provided by these agencies. Connections with reliable suppliers, vendors and other external businesses are also an important component in understanding threats. A compromised supplier should be a concern for every organization. It takes a network to defend a network. Securing an ecosystem cannot be accomplished alone. Organizations that work in a silo are limiting themselves and become more vulnerable to attacks. Open dialogue at the local, state and national level is imperative.
Tools such as intrusion detection and prevention, spam filters, content filters and many others on the market allow an organization to recognize its threats. Outside consultants can also be a valuable tool for gaining a different perspective and “a second set of eyes” before a security plan is formed.
Identify Security Gaps
Once an organization has a thorough understanding of its security threats, assessing whether the proper tools are in place to close gaps is the next step. It’s unrealistic to expect to close all security gaps at once; therefore, a strategy that prioritizes easy, high-risk or low-cost gaps will make the most impact and create an initial security barrier to build upon.
The chart below illustrates industry-recommended controls rated as basic, foundational or advanced, with a measure of impact and cost based on the State of Arizona’s experience. There is a general consensus across various sectors of business that these twenty controls will stop the vast majority of attacks today and provide the framework for automation and system management in the future. As these controls are implemented, organizations should also focus on building an internal or external staff of knowledgeable resources who will identify breaches and other gaps unique to their businesses. A plan to identify 3 to 4 additional gaps per year is an effective goal, and ensuring enough tools are in place to identify breaches is a must.
Reduce or Mitigate Risks
After cyber risks are identified and a general gap strategy is in place, a strategy to mitigate, reduce or accept risks is necessary. Key areas to reduce and mitigate risks include:
Backup Policy and Procedures
Understand limits in case of an emergency. If recovery is needed from a ransomware attack, can it be done?
Incident Response Policy
Understand its function and limits — provide plenty of opportunities to exercise the policy and identify weaknesses.
Know who they are before an emergency, not during one.
Cyber Security Insurance
Insurance is helpful with response and mitigation to soften the costs of a breach.
Security Awareness Goals
Set goals, test, train and repeat the process.
Tracks the acceptance of risks and is a useful reference tool.
Accepting risks is fine as long as there is an understanding of where, why and what the consequences of that risk are. For example, an organization may have to spend $1M to mitigate $5K worth of risk — cost may be the deciding factor in whether to accept that risk. Accepted risks should be agreed upon by the entire organization and align with business objectives.
A Commitment to Securing the Nation
As IT leaders we must recognize that the cyber security journey has really just begun. We have already experienced cyber attacks on national security infrastructure and threats to our organizations. The information of millions of Americans has been compromised. As we face a new era of innovation, organizations throughout the nation need to work together as one team, follow unified strategies and execute those strategies seamlessly to create the highest level of security and protection.