Not all security breaches are created equal, and while they may be inevitable and imminent, their damage is not illimitable. Much like a butterfly’s metamorphosis, security breaches go through phases. The MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain are prime examples of phased methodologies for describing where a security breach is in its lifecycle and which defenses at each stage will limit the damage attackers can do. Security breaches do have the power to create illimitable damage, but only as a consequence of organizations lacking a strong security culture and resilience, and failing to strive for continuous improvement. Security breaches may be inevitable and imminent, but the impact of these attacks ultimately depends on the mindset of their targets.
Fail to Prepare, Prepare to Fail
Organizations that proactively prepare for a breach before it occurs can execute successful damage control. Enforcing cybersecurity measures before an attack can positively change cybersecurity mindsets, ultimately transforming an organization’s approach towards imminent attacks. Not being prepared for an attack can call an organization’s level of maturity, compliance and resilience into serious question. The court ruling on the 2017 Equifax data breach proves that organizations that cannot provide evidence of having taken the appropriate measures repeatedly over time will be held liable for the cost of damages from the attack.
Appropriate and Proportionate Controls
Whilst the existing Network & Information Systems (NIS) legislation stipulates the implementation of appropriate and proportionate controls using state-of-the-art technologies, the newer regulations go a step further and will introduce fines if these minimum controls are not met. In fact, the latest revision to the existing NIS legislation, known as NIS2, proposes a further level of penalty for organizations that fail to adhere to a minimum set of requirements and compliance functions, irrespective of whether a breach has occurred. With the newer NIS legislation, therefore, tick-box compliance exercises are well and truly a thing of the past; it will become vital for organizations to raise the bar and prove their compliance with these regulations in order to improve resilience. One way organizations can check themselves is by following a chosen set of cybersecurity frameworks (CSFs), such as Cyber Essentials, NIST, ISO, CIS, etc., which help determine whether the security measures they have in place are, in fact, appropriate and proportionate.
Moreover, to limit the damage from threats that have made it beyond the initial phases, cybersecurity teams have invested in detection capabilities to identify lateral movement, privilege escalation, anomalous behavior, command-and-control traffic and so on. Ultimately, these controls seek to postpone the inevitable and delay the imminent. However, what stops security breaches from growing into major incidents and becoming catastrophic is an organization’s ability to respond and recover effectively. This depends not only on the tools and cybersecurity frameworks (CSFs) the organization selects to help protect itself, but also on an overall security culture across the business that acknowledges the need to keep doing better when it comes to cybersecurity.
Continuous Improvement for a Stronger Security Culture
Response and recovery controls move the bar away from cybersecurity and towards cyber resilience. Thus, cybersecurity teams seek to control not only the frequency of breaches impacting the organization but also their magnitude. The Japanese philosophical process of Kaizen, meaning ‘the pursuit of perfection’, can be applied to how organizations manage their adversarial defense strategies. Although perfection is unattainable in cybersecurity, this should not stop cybersecurity teams from striving for continuous improvement. In doing so, organizations can strengthen their security culture, achieve successful risk management and, as a result, improve resilience.
For better or worse, security culture and resilience are inextricably linked. However, maintaining a strong security culture within cybersecurity teams can be challenging, particularly in a sector filled with experts holding diverse opinions. A CSF can reduce the frequency and magnitude of security breaches and override individual opinions. Still, this raises the critical question of why many cybersecurity teams remain hesitant to commit to CSFs in the first place. The reality of this predicament is that many organizations fail before they have even started because they do not invest in a unifying purpose and disregard the importance of standardized goals. Even NIST agrees that culture can inform and, to an extent, define an organization’s risk management strategy, having changed the language it uses in a recent update to encompass security awareness training and culture.
This is not to say that organizations should dictate a one-size-fits-all approach to security controls. Instead, organizations need to understand that strengthening culture through the adoption of CSFs establishes a defined thinking process that is applied to each cyber risk encountered. By applying standardized tools to standardized thinking, organizations gain a unified approach to risk assessment that offers predictable levels of certainty and assurance, providing all the safe harbors that cyber resilience offers. The best security programs will not only have decision-making and culture initiatives mapped to a best-practice CSF but also the security technology that enables alignment with these frameworks, giving organizations the reassurance and proof they need to demonstrate that they have taken appropriate measures to limit and contain security incidents.