Mon, Dec 23, 2019

More Bad News: Some Year-End Perspective for Cyber Security Professionals

There's no shortage of news stories about a continued rise in cyberattacks against hospitals, local municipalities and stunningly out-of-date systems, or about the growing specter of global geopolitical cyber tensions. By definition, the cyber security news cycle is dominated by stories of attacks, breaches, vulnerabilities and other things that are decidedly not good. How should cyber security professionals best think about this dark landscape as they look back on the year that was and look forward to the year that will be?

To start, I think it's worth remembering Bruce Schneier's comment on news: "News, by definition, is something that almost never happens," Schneier says. "But that's not how our brain works. If it's in the news, if it's talked about, if we hear about it a lot, we confuse that with it being common."

This phenomenon is exacerbated by the sensationalism that often surrounds the reports, combined with feelings of helplessness.

To help counter these challenges, and to give you strength and resolve to continue to push forward in the coming year, below are three steps that you will hopefully find helpful as 2019 draws to a close and 2020 rises over the horizon.

Step 1: Take Stock

Perhaps you had an incident or a breach this year. Maybe you didn't. Maybe you're in more of a consultative role and not directly exposed to the daily challenges of an operating cyber response unit. Regardless, there was doubtless plenty of activity this year and good work that was accomplished. Take a minute to recognize the progress made. Cyber security has become a team sport, and recognizing those contributions will be time well spent.

This is not, to be clear, the same as saying, "We didn't get hacked this year, so why do we need to make any changes?" It's also not the same as counting yourself lucky; there's more than luck to the threat landscape we're facing. Whether you worked to improve awareness among employees, shore up policies, strengthen third-party cyber risk capabilities or deploy additional defensive technologies, these small projects add up to something worth celebrating. Take a beat, give yourself (and especially your team) some credit, and then move swiftly to Step 2.

Step 2: Frame the Issue

The rise of cyber as an element of the cultural zeitgeist means you will no doubt encounter a raft of questions at holiday gatherings when new acquaintances discover what you do for a living. Do your best to answer their questions about passwords, Alexa, Russia, etc., but take it as an opportunity to frame the issue. Many people, likely including your executive team and board of directors, are struggling to understand what cyber means to them and how they can manage this set of ever-shifting risks. This creates a significant opportunity for cyber security professionals to add value to their organization by framing the issue, and by continuing to re-frame it as the landscape changes.

You can deliver this great service by helping your stakeholders (executives, business units, clients, etc.) understand not only what the threats might be, but also how those threats pair with vulnerabilities that may or may not be present in their world. Take things one step further and help them understand the probability and impact that those threat/vulnerability pairs might carry in their specific context. If you're on a roll, you could even go so far as to prioritize them based on these elements and develop remediation actions for those that are the highest priority. This is, essentially, the state of the art for cyber defense, though it is rife with nuance, grey areas and lots of "it depends" answers. When you reach this point, take a peek at Step 3, which should be a good message to deliver at this point in the discussion.

Step 3: Let's Be Reasonable

Now that you have helped frame the issues in terms of threats and vulnerabilities, contextualized them with elements of likelihood and impact, and devised plans of action to address those risks, remember Step 3: Let's Be Reasonable. Resources are finite, even for the largest organizations in the world, and the problems are complex. An approach based on reasonableness will allow you and your team to keep running the marathon that is cyber defense, and not get caught in the trap of perpetual sprints. Burnout among cyber security professionals is a real thing, and we're all well aware of how difficult it is to attract, much less retain, top-tier cyber talent.

An approach based on reasonableness will pay dividends for you in several ways:

  • By basing your daily decisions on reasonableness, you can give your team a very powerful decision-making tool that they can use with each choice they make throughout the day: given what I know and what I'm trying to achieve, is this a reasonable course of action? Knowing that you'll support them in those decisions leads not only to better decisions, but also quicker decisions (both of which are critical).
  • When the default position is to move at a reasonable pace, you leave room for actual emergencies and the ability to flex up and deliver extra effort when it's truly needed. If your team operates in a perpetual state of emergency, or if every priority has suddenly become "Priority No. 1," there's no room to address actual emergencies or top priorities. That breathing room can be the difference between diversion and disaster.
  • Reasonableness is defensible. There's no shortage of enhanced regulatory regimes regarding cyber practices, yet many have one thing in common: a standard of reasonableness. Decisions that are demonstrably reasonable will help you in discussions with your board, in litigation, with regulators and in after-action reports.

Looking Forward

There's no shortage of threats, and the shorter days combined with the longer bad-news cycle can make things seem pretty bleak at times. It's important to remember that these news stories also represent opportunities: opportunities to learn, to improve your situational awareness, or simply to be grateful that it didn't happen to you. Cyber security is an immensely complex venture, and you must embrace that complexity to succeed. Let that be a source of inspiration and excitement as we close the books on this year and move into the next. We're going to need all the help we can get.

Fortunately, we can get better, together.
