Cyber Security is No Longer Enough; Businesses Need Cyber Resilience
@ the IERP® Global Conference, October 2022
Right from the outset of his presentation, speaker Raoul Chiesa established the fact that when it comes to issues of cybersecurity, one of the most crucial factors is the human element. Infrastructure and systems are important, but cybersecurity is truly the practice of deploying people. Chiesa, Ethical Hacker, Independent Advisor of the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Co-Founder of cybersecurity company Swascan, spoke about the need to move from just cybersecurity to cyber resilience; how to measure cyber resilience; and what challenges businesses may face in their efforts to implement it.
What is cybersecurity? Chiesa defined it as the practice of deploying people, technologies and programmes to protect systems and networks from digital attack. These digital attacks can be in the form of malicious hacking or direct human intervention. “Cybersecurity is about risk management,” he said, underscoring the fact that like risk management, cybersecurity requires proper designing from the beginning. This needs an in-depth understanding of the assets which the organisation most urgently needs to protect. Offering five principles for cybersecurity design, he explained each one comprehensively.
He suggested, firstly, that a proper context should be established before designing the system. This includes what the organisation considers its objectives and why it needs such a system at all. Essentially, the firm should work out its cybersecurity needs within the context of its operations, aims and objectives. Its priority could be protecting its users’ data, acting as an online payment platform, or offering access to its own online resources, to name just a few possibilities. It should, therefore, make compromising the system difficult while keeping it simple to operate, so that attackers find it hard to disrupt.
Another factor to consider is enabling quick identification of any compromise of the system. The faster breaches are identified, the faster they can be fixed. Disruption or downtime will also be minimised, reducing the detrimental impact of a compromised system. Even so, cybersecurity cannot be 100% effective. “Security should include the root cause of the problem, not (just) the symptoms,” he cautioned. “It should be built into the design of the system from the beginning, and be able to constantly evolve to mitigate threats.” Many companies try to strengthen security by keeping knowledge of their systems secret, but he identified this as a wrong move.
While ‘security through obscurity’ may be an option, there are other factors to consider, particularly when security needs to constantly evolve to fit dynamic environments. It should also not be at such an advanced level that it can only be handled by specialists. “Security should not require extensive skills or specific technical understanding to operate,” he said. Instead, he advocated raising awareness and acceptance of it to the point of it becoming the default position, rather than something extra for the organisation to manage. Companies wanting to contain threats would do better by speaking about the kind of threats they face, the mitigative strategies they have in place, and their successes.
This is likely to have a positive impact on their resilience as well. “What is resilience? It’s the ability of a substance or object to spring back into shape; it is elasticity,” he said. In the cyber sense, it can refer to the ability to tap into existing resources to combat system breaches. Measuring cyber resilience, however, is not a simple task; it entails a quantum leap from the real to the virtual world, which is not something that every company can easily manage. Gauging the resilience of the system needs to be done from several directions. Organisations should determine whether their systems are assailable, whether there is difficulty applying the necessary measures, and why.
If it is difficult to apply the necessary measures, the organisation’s capacity to identify and mitigate threats may be limited. Thus, the organisation’s needs should be carefully understood, to ensure that the system consistently delivers the intended outcome. “This makes it accreditable and therefore measurable,” Chiesa pointed out. The organisation’s systems are also likely to become more robust and resilient – and be able to recover better from cyberattacks. However, there is no one-size-fits-all solution. Systems should be designed and put in place only after careful consideration. He urged the audience to constantly ask the “What if?” questions.
“We do not know anything in advance,” he stressed. “But disruptions cannot be tolerated for long periods. Organisations have to find their own tolerance levels, and must consider different approaches. In time, they will be able to identify the best solutions which work for them.” Customisation is necessary because individual companies each have their own policies and priorities, which in turn depend on wider social, cultural, political and economic factors. “We try to use our intelligence to overcome instances like these with practical solutions,” he said, adding that adaptability was also important, and that artificial intelligence (AI) could be used to improve resilience in some cases.