Published on 06/04/2022 | Written by Heather Wright
Insights from the cybersecurity trenches…
Cybersecurity is a choice – and it’s a choice that needs to be carefully considered with an educated management and board.
That was a key takeaway from a recent CIO Summit panel discussion in which Eli Hirschauge, head of strategy and governance and deputy CDO at Tower Insurance, and Richard Harrison, chief information security officer for healthAlliance (which provides non-clinical shared services and an ICT platform for the Northern Region DHBs), shared insights and experiences from inside the cybersecurity trenches.
“You can spend a lot on tools but get low level protection if the business isn’t brought into it and you haven’t actually developed the capability properly,” Harrison says of the importance of communication in building cyber resilience.
He says organisations which perform best in cyber resilience tend to have better engagement with their boards, executives and key business stakeholders.
“They’ve presented the risks in terms that are understood and allow for much more informed choice by the business. And those businesses understand that technology is not really the key to resilience, it is an enabler but really, people and process are more important.
“For me that means the role of the CISO, CSO, or individual with responsibility for security is actually changing. They need to be at the top table, they need to understand what the business strategy is, align the security strategy on a risk-based approach and become enablers of secure business and not blockers of it,” he says.
“Security is actually a choice, based on risk, appetite and tolerance so if we’re not conveying the risks in terms a board or executive can understand so they can make a decision about the levels of investment then we potentially leave the business exposed to greater risk and vulnerability.”
When it comes to communicating with the board, Hirschauge says he takes a three-pronged approach – measure, communicate and engage.
Providing regular updates covering cyber-relevant KPIs to the board and executive is the ‘measure’ step, while contextualising those measures, adding colour and depth to the discussion, is the ‘communicate’ step. For ‘engage’, Hirschauge goes one step further, using simulations and exercises to bring the situation to life.
“Those scenarios and simulations are becoming increasingly important not only to create the knowledge or inform or educate, which is a very passive way of describing it, but to actually engage in a discussion of what it actually means and what decisions we need to make together between management and the board.”
Which brings us to another key aspect of the conversation: Cybersecurity is a choice according to both Hirschauge and Harrison.
“You can have lower costs and higher risk at one end and greater levels of investment and lower risk at the other end. And you choose a point on that continuum based on your risk appetite, your risk tolerance, and understanding of what it is you’re trying to protect,” Harrison says.
Adds Hirschauge: “The conversation around security is really one about risk appetite, it’s not a binary thing – are you secure or not. It’s about how much risk are you willing to take as a business.”
But to make those assessments, the board and management need information presented in a way that makes sense to them, both agreed. That pushes more responsibility back onto the CISO, who needs to know enough about the organisation’s operations, strategy and purpose to inform those decisions.
“Risk is a fantastic lens in which we can talk about it,” says Hirschauge. “Without talking about risk, you end up talking about whether you are secure or not, which is a boolean equation which you don’t want to have in a conversation.
“Risk allows you to have a conversation that resonates with the board, allows us to align with tolerance around the general risk of the organisation, not just about the IT, the widgets, the software we need to do. So it is an incredibly powerful tool in our arsenal of how to communicate a topic that is quite complex.”
Both agreed that increased publicity and awareness of cybersecurity risks is making it easier to communicate cybersecurity with boards, with Harrison urging peers to ‘never waste a good opportunity to have a conversation’.
“You certainly have an uptick in queries from boards and executives when those types of events happen,” he says, referring to the likes of the Waikato DHB and NZX attacks last year.
“The most usual question is ‘could it happen to us?’. And the answer to that is yes, it could happen to you, and these are the reasons why, but here’s what we could do about it, or here’s what we are doing about it to manage those risks.”
When it comes to knowing how to prioritise where to spend time and money to improve cyber security readiness, Hirschauge was blunt: “There are any number of tools that will be really, really good. We are not lacking tools to help security. But there are other things you can invest in to improve security and sometimes they have bigger influence.
“So if you think about your decommission strategy, if you think about what you need to do in a breach in terms of efficient recovery, how do you ensure you have a patching regime that actually prevents you from doing those things. These things usually are underneath the water.
“You see the big shiny ‘we’ll buy this new tool and we’ll buy email protection, a WAF or other tools that are really good’, but actually a lot of the investment needs to go into just hygiene factors, and actually corporate decisions to decommission systems are probably the most important thing if you are to get more secure: the more modern your underlying platform is, the more secure you are by definition.”
Moving off legacy systems might improve your security posture, but it doesn’t remove the cybersecurity pressure, the two agreed.
“I think there is a misconception about cloud sometimes. It’s a shared responsibility model when it comes to security,” Harrison says.
“The cloud service provider will be responsible for securing the underlying platform and infrastructure, but what you do in the cloud is your responsibility and your accountability.
“If you misconfigure things, if you don’t set things up properly, if you don’t have the right policies, if you allow S3 buckets to be published to the open internet and they’ve got personal information in, then that’s your responsibility, so regularly checking your cloud configurations, auditing, is a key part of that process.
“You can get technology that will do it for you but it is not just plug and play when it comes to the cloud. You have to manage it.”
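The bucket check Harrison describes, as an added example that is not part of the article and not healthAlliance’s or Tower’s tooling. It evaluates constructed bucket descriptions offline (the same shape the AWS GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls return), so it needs no credentials. Bucket names, the account ID and the policy statements are all made up; the policy evaluation is deliberately simplified (an Allow statement with Principal `*` and no Condition is treated as public), so treat it as a first pass, not a substitute for AWS’s own Access Analyzer.

```python
"""Offline check: which S3 buckets are actually reachable from the open internet?

Added example. Bucket descriptions below are constructed, not real.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the AWS value may be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json: str) -> list:
    """Sids of Allow statements open to everyone with no Condition attached."""
    policy = json.loads(policy_json)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def public_acl_grants(acl: dict) -> list:
    """Permissions the bucket ACL hands to AllUsers / AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def pab_gaps(pab: dict) -> list:
    """Block Public Access flags that are not switched on."""
    return [f for f in PAB_FLAGS if not pab.get(f, False)]


def assess_bucket(bucket: dict) -> dict:
    policy_hits = public_policy_statements(bucket.get("Policy", '{"Statement": []}'))
    acl_hits = public_acl_grants(bucket.get("Acl", {}))
    pab = bucket.get("PublicAccessBlock", {})
    # Block Public Access neutralises a public ACL (IgnorePublicAcls) and a
    # public policy (RestrictPublicBuckets) even if they are still configured,
    # so "exposed" means a public grant that nothing else is blocking.
    exposed = ((bool(policy_hits) and not pab.get("RestrictPublicBuckets", False))
               or (bool(acl_hits) and not pab.get("IgnorePublicAcls", False)))
    findings = [f"policy statement '{sid}' grants access to everyone" for sid in policy_hits]
    findings += [f"ACL grants {perm} to a public group" for perm in acl_hits]
    if pab_gaps(pab):
        findings.append("Block Public Access not fully enabled: " + ", ".join(pab_gaps(pab)))
    return {"bucket": bucket["Name"], "exposed": exposed, "findings": findings}


_PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-claims-exports/*"}]})
_PRIVATE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/claims-app"},  # constructed
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::policy-documents/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]})

# Constructed sample input (no real buckets or accounts).
SAMPLE_BUCKETS = [
    {"Name": "customer-claims-exports", "Policy": _PUBLIC_READ,          # the classic mistake
     "Acl": {"Grants": []}, "PublicAccessBlock": {f: False for f in PAB_FLAGS}},
    {"Name": "customer-claims-exports-archive", "Policy": _PUBLIC_READ,  # bad grants, but blocked
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": next(iter(sorted(PUBLIC_GRANTEES)))},
                         "Permission": "READ"}]},
     "PublicAccessBlock": {f: True for f in PAB_FLAGS}},
    {"Name": "policy-documents", "Policy": _PRIVATE,                     # scoped principal + TLS condition
     "Acl": {"Grants": []}, "PublicAccessBlock": {f: True for f in PAB_FLAGS}},
]


def audit(buckets=SAMPLE_BUCKETS) -> list:
    return [assess_bucket(b) for b in buckets]


if __name__ == "__main__":
    for result in audit():
        status = "EXPOSED" if result["exposed"] else "ok"
        print(f"{result['bucket']}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The second bucket is the reason to check all three settings together rather than grepping policies for `"Principal": "*"`: its policy and ACL are both wrong, but account-level or bucket-level Block Public Access is what stops them from mattering, and it should be reported as a hygiene finding rather than an exposure. In practice the input would come from the account’s bucket list on a schedule, and the results go into whatever ticketing or alerting the team already uses.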
Cloud also brings in a new relationship for IT teams to manage, adding yet another party to the supply chain.
“You certainly need to be managing your supply chain. You need to be aware of what is in your supply chain. You need to understand what your suppliers’ platforms are. We’ve just had a major global vulnerability that affects hundreds of millions of devices around the world; do you know whether your third party vendors are affected or not? You have to have that visibility right the way through all the different relationships you hold.”
Both agreed that gaining that visibility can be challenging, though, as elsewhere in this industry, solutions are emerging, in this case in the form of independent validation services and registers that publish what they find out about third parties.
But internal security assessments remain critical.
“We don’t introduce new technology to Tower without doing our own assessment of the security vulnerabilities of that particular technology,” Hirschauge says. “We have a range of tests that we will apply before we put in any new kit. Whether it is our own penetration testing or review of documentation or further conversation with the supplier it is always important for you to be as certain as you can at the point of integrating to a new technology that you take those things into account,” he says.
“Having a full list of who all your suppliers are is a good starting point,” adds Harrison.
Harrison, who says healthAlliance has an intelligence driven strategy, flagged dark web monitoring as something worth doing for companies that can afford to.
Dark web monitoring means watching the dark web for mentions of things like the company’s brands and email addresses.
“You’d be surprised what comes up from time to time that will cause you to take action.
“Very often the most common thing that would come up will be someone who has used their work email address to subscribe to another service somewhere, that service has been breached and the email address, potentially password will now be in a data dump somewhere on the dark web.
“So what you need to do is obviously change the credentials on that account because we know people use the same password for everything.
“It is things like that that will come up many many times usually with many organisations, that just give you a head start and get you ahead of the game.”
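The triage step behind Harrison’s most common finding, as an added example that is not from the article or from healthAlliance. Given a credential dump, it picks out the accounts on your own domains, collapses duplicates, and reports which accounts need a forced reset. The dump lines and the organisation’s domains (`ORG_DOMAINS`) are constructed for illustration. The SHA-1 prefix it computes is the five-character value the Have I Been Pwned Pwned Passwords range API expects (k-anonymity, so only the prefix leaves your network); no network call is made here, the prefix is just emitted for the analyst.

```python
"""Triage a credential dump for accounts on our own domains.

Added example. The dump below is constructed, not a real breach.
"""
import hashlib
import re
from collections import defaultdict

ORG_DOMAINS = {"example.co.nz", "example.com"}  # assumed organisation domains

# Dumps arrive as 'email:password', 'email;password' or 'email,password'.
LINE_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)\s*[:;,]\s*(.+?)\s*$")


def parse_line(line: str):
    """Return (email, secret) with the email lower-cased, or None if unparseable."""
    match = LINE_RE.match(line)
    if not match:
        return None
    return match.group(1).lower(), match.group(2)


def is_internal(email: str, domains=ORG_DOMAINS) -> bool:
    """True for our domains and any subdomain of them (mail.example.com)."""
    domain = email.rsplit("@", 1)[1]
    return domain in domains or any(domain.endswith("." + d) for d in domains)


def hibp_range_parts(password: str):
    """(prefix, suffix) of the upper-case SHA-1 hex, as the HIBP range API uses them."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def triage(lines, domains=ORG_DOMAINS):
    """Group exposed secrets per internal account; return (report, skipped_line_count)."""
    exposures = defaultdict(set)
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        email, secret = parsed
        if is_internal(email, domains):
            exposures[email].add(secret)
    report = []
    for email in sorted(exposures):
        secrets = exposures[email]
        report.append({
            "account": email,
            "exposed_passwords": len(secrets),
            "hibp_prefixes": sorted(hibp_range_parts(s)[0] for s in secrets),
            # The leaked password may be reused on corporate logins, so the
            # reset has to cover the directory account, not just the third-party site.
            "action": "force password reset; check the same password is not in use on corporate SSO",
        })
    return report, skipped


# Constructed sample dump: mixed separators, mixed case, an external account
# and a junk line, to exercise every branch above.
SAMPLE_DUMP = """
# constructed sample, not a real breach dump
alice@example.co.nz:Summer2021!
bob.smith@mail.example.com;hunter2
carol@othercorp.example:letmein
Alice@Example.co.nz:Summer2021!
dave@example.com,P@ssw0rd
not a credential line
""".strip().splitlines()


if __name__ == "__main__":
    report, skipped = triage(SAMPLE_DUMP)
    print(f"{len(report)} internal account(s) affected, {skipped} line(s) skipped")
    for entry in report:
        print(f"{entry['account']}: {entry['exposed_passwords']} password(s), "
              f"HIBP prefixes {entry['hibp_prefixes']} -> {entry['action']}")
```

Normalising the email before grouping matters: the same account typically appears in several dumps with different capitalisation, and a reset ticket per raw line is how these feeds turn into noise that nobody reads.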
And in the cat and mouse game of cyber security, getting ahead of the game is the name of the game.