
Cybersecurity Resilience: Fundamental changes are required.

The resilience governments and enterprises desire will be unachievable without fundamental changes in the industry and enterprise boardrooms.

Words and language matter, and make a greater difference than we often realise. We only have to look at how we used to talk about IT Security, then Information Security, then Cybersecurity, and now Cybersecurity Resilience. These were not simply new words for the same thing; each reflects the ever-changing world in which we operate. Many of those who have lived and worked through these changes, if they are still in the profession, may now be actively looking to leave it. Let's look at why this may be the case and what it means for cybersecurity resilience.

The last twenty-plus years have seen some of the greatest technological advances in computing and in how business is conducted. Every one of these changes has had a direct or indirect impact on cybersecurity and on how we as professionals respond to and manage it. Here is a short list of some of them.

  • An increase in cybersecurity standards and frameworks, and in the rate at which they change to accommodate the evolving threat landscape. Where once there were only a few, it is now a case of "pick a standard, any standard", with many more on the way that security professionals will need to keep abreast of.
  • An increase in regulatory and legislative compliance, which has accelerated in the last few years. Internationally, the picture is that a greater range of regulation is still to come. Further, to keep pace with fast-moving technologies, regulators are being given powers to extend compliance obligations without new legislation; the UK and European legislation on consumer product security is an example of things to come. All of these, and how they affect the enterprise, need to be understood.
  • In reality, the standards and regulations have followed the challenges created by the technology that is available, in use and increasingly adopted. The mobile phone each of us carries today is more capable than any spy could have wished for 20 years ago. Devices and their capabilities have grown very fast, and what was once only within reach of large enterprises is now within reach not only of small businesses but of many consumers. This has been one of the contributors to not just the Internet of Things but the Internet of Everything, with devices far more pervasive than the shadow IT that security professionals contended with in the past.
  • Shadow IT is no longer just the devices available to users within an enterprise, but the apps on those devices or reachable through a browser, facilitated by cloud services. Collectively and individually, devices and cloud services have enabled business models that were previously impossible, but they have equally made it harder for enterprises to control the use, sharing and movement of data between applications, devices and geographical locations.
  • The growth in devices, apps and user accounts has all been built on code, and secure coding practices and secure-by-design and secure-by-default have not been the norm by any stretch of the imagination. Devices and apps may therefore ship with gaping vulnerabilities. Sometimes the flaw is in the manufacturer's own code; sometimes it is in a shared library or Application Programming Interface (API) that many apps depend on, so every app using it is affected in one go.
  • A further effect of multiple devices, apps and accounts is that the number now needed to manage one's life means an average mobile device user may have anywhere from 50 to 200 apps and accounts, many of which hold user credentials and payment details. This makes personal devices and authentication details a valuable commodity for attackers. Recent research by Microsoft found that BYOD devices were a major weak point and a successful target for attackers.
  • The growth in devices, apps and accounts also means that the overall attack surface of an individual, and hence of the enterprise they work for, has grown exponentially. Where, several years ago, security managers may only have been concerned with the IT in an enterprise, there is now IoT, OT and other technology that employees may use or connect to, making it harder for security teams to close the attack gaps.
  • Not surprisingly, with a fast-growing attack surface, attacks have increased, and along the way cybercrime has attracted traditional criminal organisations. Among its many advantages for criminals is that cybercrime knows no borders: the opportunities are not just in the local market, but wherever their operating skill level takes them.
  • Over the same period, professional bodies and certification providers have responded by creating certifications for the many technologies and roles that have emerged. However, virtually all of these certifications focus almost entirely on technology and technical skills.
  • The personal liability of security managers and CISOs for advice given and actions taken or not taken. The US prosecution and conviction of Uber's former CISO a few years ago was a wake-up call. Although the circumstances are outside the scope of this discussion, the fact that it happened set a precedent that had not previously existed. This has affected security managers and has been the topic of many discussions at security events.


Readers can likely add many more changes to the list, but it is long enough to serve its purpose: to show that the environment and landscape in which we operate and try to manage cybersecurity has changed vastly. Not only do security professionals need to know much more, but they are responsible for overseeing and advising on much more in order to ensure that their organisation is resilient to attack. Meanwhile, enterprise response teams may not have grown at the same pace as the attacks coming in.

In October 2022, I chaired a two-day event for security managers where one of the discussion topics was how we manage change and the impact of that change. Most of this discussion was about stress, burnout and mental health, ours and that of our colleagues in the industry. At the end of the discussion it seemed that there was probably enough interest to follow up on, so I asked whether anyone would be willing to volunteer to write up the topic. Luckily, there were two amazing colleagues, resulting in a paper which we released in May 2023 during Mental Health Awareness Month – https://www.virtuallyinformed.com/resources/security-papers

In the process of writing the paper, we found that the Cyber Resilience of almost every national government strategy relied on the Cyber Resilience of its enterprises, and that the Cyber Resilience of an enterprise relied on the resilience of its cybersecurity teams. However, nowhere is there a commitment by any national government or enterprise to take care of their cybersecurity teams in order to ensure the Cyber Resilience they desire.

Furthermore, there was overwhelming evidence that, despite a skills shortage, the impact of burnout, stress and mental well-being on the most skilled professionals was making them question their commitment to stay in the industry.

The stark situation the industry finds itself in is this: if burnout, stress and mental well-being are forcing out the most skilled professionals while there is already a skills shortage, what should governments and enterprises be doing about it? Because if they do nothing, the Cyber Resilience strategies of governments and enterprises won't be worth the paper they are written on.

The paper led to a presentation and panel discussion at Infosecurity Europe in June 2023, and to a decision by us as authors to set up the Mental Health in Cyber Security Foundation to take forward the work proposed in the paper. One of the proposals was to develop a Charter for organisations to sign up to at board level. We will be going public with this in the very near future.

In closing, we cannot overemphasise that the Cyber Resilience of your organisation depends directly on the resilience of your cybersecurity teams. So, what are you doing to help them?


Sarb Sembhi is CISM, CTO & CISO, Virtually Informed. As a well-respected industry veteran, Sarb speaks, writes and contributes to global security events and publications. He was the Workstream Lead for Thought Leadership of the UK Cyber Security Council Formation Project, is the Co-Vice Chair of the Smart Buildings Working Group and Executive Steering Board member of the IoT Security Foundation. He advises and sits on several start-up boards and is a Mentor on the Cylon accelerator programme. Sarb was shortlisted 5th in the IFSEC Global 2020 “20 Most Influential People in Cyber Security” and included in “2018 Tyto Tech 500 Power List” of influencers in the UK’s technology sector.
