When Cyber Security Breaches Are Inevitable, It's Time to Call for a New Approach
At a TED Conference this year, the Radical Innovators foundation hosted a forum with more than 60 of the world’s top CHROs, CIOs, and founders. On the agenda: How new technologies like AI and quantum computing can elevate our human experience, transforming how we work and live together.
Despite the hopeful purpose of this impressive community, the foundation also felt compelled to host a session on a more troubling topic: how these same emerging technologies will supercharge cybersecurity threats.
Interest in the subject was no surprise: The hyperscaling of cyberattacks in the cloud era is scary. According to research from Proofpoint, 94% of cloud customers were targeted at some point during every month of 2023. Of those targeted companies, 62% were successfully compromised. In the wrong hands, emerging technologies will increase the success rate of cyberattacks.
Coming out of that session, the general sentiment was that successful hacks are now an inevitability, since the teams and tools at their disposal cannot scale to match the threat.
“We need to start with the assumption that the system is already compromised,” says Ajay Waghray, CIO of PG&E Corporation, a California-based utility. “But my fear is most CISOs remain too narrowly focused on stopping breaches alone.”
Enter the world of cyber resilience
During the pandemic, much research was done on team resilience. It turned out that resilience requires the ability to not just recover from a setback, but to bounce forward—to engage in a way that leaves us stronger than before. This mindset aligned with Waghray’s view of cyber resilience. He believes we need to do more than deflect cyberattacks.
Instead, we need to build the capacity to sustain business operations during and after a cyberattack. And we do this by adding business continuity and organizational resilience strategies to more traditional information systems security.
CEO Bipul Sinha leads a cyber resilience firm called Rubrik. He says cyber resilience requires two key elements: knowing where sensitive corporate data lives (to quickly restore standard business operations) and the ability to evolve existing security policies to prepare the organization for future threats.
“Knowing that cyberattacks are inevitable, leaders must do advance work, to have the policies, systems and strategies in place so that when the attack happens, the business can keep moving forward,” Sinha says. “But the work doesn’t end there. You must learn and evolve in the aftermath of every attack to get stronger. And that requires a new organizational mindset.”
Venture capital is also taking note of the shift towards cyber resilience. Ravi Mhatre is partner and co-founder of Lightspeed Venture Partners, a global investment firm that boasts high-profile wins with companies such as Mulesoft, Nutanix, Nest, and Snap Inc. Mhatre says Lightspeed has significant stakes in several next-generation security technologies, with an understanding that threat mitigation and containment will be essential to building a truly secure enterprise.
"We need evolutionary thinking about cybersecurity," he says. “The way we see it, the current threat environment requires more than a strong perimeter."
Once you accept cyber resilience as the way forward, what do you do about it? Waghray identified four key elements of a cyber resilience and recovery posture: planning, practice, proactive detection, and partnerships. These elements are a great starting point for conversations about adopting a cyber resilience posture.
Planning: Recent changes to cybersecurity policy prioritize planning as essential to an effective cyberattack response. Some of these regulations require a public, regularly updated resilience plan that extends far beyond traditional cybersecurity tactics to include a full recovery of business systems and the timely restoration of business operations.
The board and executives must demand a policy for frequent, offsite backup. If backup procedures are not adequate to meet the moment, the business will not be able to recover without experiencing loss.
This will require some investment in technology. Front-line technologists like Nate Brooks, technology services manager at American Family Insurance, need the right tools to manage an inevitable cyberattack.
“We have a single pane of glass and real-time insights into our resiliency status, security footprint, and data observability,” he details. “This gives AmFam executives the peace of mind they need to protect our customers' data and keep our business running.”
Practice: Things can get chaotic during a cyberattack, even with a planned response in hand. Team members must know their roles and how to communicate with each other, and that requires regular fire drills.
Richard Agostino, senior vice president and chief information security officer at Target, says that running regular cross-organizational simulations can build institutional muscle memory and minimize the “fog of war” that can roll in during a cyberattack. It can also expose fail points and vulnerabilities in the plan, which should be continuously updated to reflect the evolving realities of the threat landscape.
“Even the best documented response plan is bound to fail in a crisis if the team hasn’t practiced together,” he says. “Regular simulations provide a safe environment for everyone involved with the response—from IT teams to senior leadership—to improve together, prior to a real-world crisis.”
Proactive Detection: Early detection is essential to limiting the impact of a cyberattack and quickly restoring the business. That means getting the right level of visibility into what’s happening on your network.
One way to do this is to deploy a security service edge (SSE) or secure access service edge (SASE) solution that controls access to a network—on-premises, cloud, or hybrid—and monitors the flow of information and activity. When successfully implemented, SSE and SASE controls provide advanced data protection capabilities that maximize your visibility of data flows and help you protect data wherever it moves and inspect cloud, SaaS, web, and private applications at a granular level.
Partnerships: Cyber resilience is a team sport that begins with executive and board-level agreement on the resources required to build recovery and resilience protocols. The IT and InfoSec teams must also be aligned with the executive/board-level policy to ensure cybersecurity strategies and tactics match the new threat. Collaboration among experts at all of these levels can help keep cyber resilience best practices up-to-date.
What Now?
Any leader who is concerned that emerging technologies will supercharge cyberattacks needs to embrace a position of cyber resiliency. But this may take some doing. Many CEOs, CISOs, and Board members have invested significant time and effort in the old model of cybersecurity. Budgets have already been set. Vendor relationships are already established. But companies shouldn't let organizational inertia prevent them from adapting to the future.
It's this kind of intellectual flexibility that guides Rafi Khan's thinking. As CISO of NJ TRANSIT, he is responsible for security and resilience of the IT systems that nearly 500,000 commuters count on every day.
"It’s imperative that nothing interrupts our business," he says. "We’re committed to the ongoing and necessary work that gives our data resilience and helps us reduce our risk as we face ever-evolving, and inevitable, cyber threats."
This article was written by Keith Ferrazzi from Forbes and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.