Identify and Mitigate Cyber Risks to Build Digital Resilience
Forging into the new year, IERP offered more insight into how risk practitioners tackle their greatest challenges with a Tea Talk on 14th February 2020: a presentation by Haris Tahir, Head of Cyber Defense, Celcom Axiata Sdn Bhd, on Digital Resilience and how identifying and mitigating cyber risks can be a new way of strengthening cybersecurity. This Tea Talk, the second of the year, was just one of the IERP’s many efforts to raise awareness and promote thought leadership on Enterprise Risk Management (ERM). Besides being a platform for sharing insights and deepening knowledge of ERM, IERP’s Tea Talks also offer the opportunity to strengthen ERM/CRO networks, particularly for newer practitioners.
In a quick overview of the cyber environment, Haris covered the history of its development, explaining that it started as information warfare, with various governments exploiting the technological capabilities of the day to spy on each other, ostensibly for the purpose of national security. Cybersecurity in this sense began in the 1960s, and this phase carried on until the 1980s. Hacking capabilities developed as covert but tacitly sanctioned activity until computer use became widespread and the general public began to explore its exciting possibilities for fun and profit. Because each advance in technology enables the next, hacking of systems is now so prevalent, Haris said, that it is only a matter of time before every company experiences a systems breach and disruption.
“Most organisations in Malaysia are at Level 3,” he remarked. “They are risk-informed, in that they have policies and security controls in place but they are not fully automated. There is a disconnect between departments; different departments may have different strategies. There is a need to connect all departments or domains.” This necessitates collaboration, and one of the main tasks of Chief Information Officers (CIOs), Chief Security Officers (CSOs) and Chief Risk Officers (CROs) is to determine, first and foremost, how many of their companies’ assets are critical but vulnerable. He added that most systems currently in use were fragmented, rendering cybersecurity less effective.
Cyber defence needs its own system, preferably fully automated, with tracking capabilities that can identify vulnerabilities before they escalate and disrupt operations. SLA tracking in particular should be automated, but in most organisations it is still done manually, which often leads to details being lost in the system. Fragmented, unautomated and unintegrated systems have weaknesses and vulnerabilities of their own, and cannot support decision-making with actionable intelligence. Most businesses do not have such systems because they are complex and expensive.
However, large organisations like telecommunications companies will have more sophisticated systems, as they provide essential services and up-to-the-minute information is critical. Haris’ presentation included an overview of the kind of system currently missing from most organisations, one he was instrumental in developing: an integrated cybersecurity management platform that combines facilities for prevention, detection and response. It was developed with the organisation’s key challenges in mind: a single source of truth for asset inventory; vulnerability tracking that notifies and reminds stakeholders of exceptions; a platform for handling threat review input and output; integration with ticketing/IT systems; and vulnerability management automation that yields actionable intelligence.
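The following is an added illustration, not code from the talk or from Celcom’s platform, of the two capabilities singled out above: automated remediation-SLA tracking (rather than manual tracking, where details get lost) and exception notifications keyed to a single source of truth for assets. The SLA thresholds, field names, owners and every finding below are assumptions constructed for the example; the point is that open findings are joined to the asset inventory, each is classified against its deadline or approved exception, and only actionable states generate a reminder to the owning team.

```python
"""Added example: automated remediation-SLA tracking for a vulnerability
register joined to an asset inventory. Not Celcom's platform; the SLA
thresholds, field names and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation policy: days allowed per severity (not from the talk).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
DUE_SOON_DAYS = 3        # warn this many days before the deadline
EXCEPTION_WARN_DAYS = 7  # remind before an approved exception lapses


@dataclass
class Asset:
    asset_id: str
    owner: str       # team that receives notifications
    critical: bool   # business-critical service?


@dataclass
class Finding:
    finding_id: str
    asset_id: str
    severity: str
    discovered: date
    status: str = "open"                    # open | fixed
    exception_until: Optional[date] = None  # approved risk acceptance, if any


@dataclass
class Review:
    finding_id: str
    owner: str
    state: str
    deadline: date
    message: str


def sla_deadline(f: Finding) -> date:
    """Deadline = discovery date + SLA for the severity. An unknown severity
    is treated as critical so a typo cannot silently relax the SLA."""
    return f.discovered + timedelta(days=SLA_DAYS.get(f.severity, SLA_DAYS["critical"]))


def review(findings, assets, today) -> list:
    """Classify each open finding against its SLA and exception status.
    The inventory is the single source of truth, so a finding on an asset
    that is not in it is itself flagged as an exception."""
    out = []
    for f in findings:
        if f.status == "fixed":
            continue
        asset = assets.get(f.asset_id)
        deadline = sla_deadline(f)
        if asset is None:
            out.append(Review(f.finding_id, "asset-management", "unknown_asset", deadline,
                              f"{f.finding_id}: asset {f.asset_id} not in inventory"))
            continue
        if f.exception_until is not None:
            if f.exception_until < today:
                state, msg = "exception_expired", "exception lapsed; remediate or renew"
            elif f.exception_until - today <= timedelta(days=EXCEPTION_WARN_DAYS):
                state, msg = "exception_expiring", f"exception ends {f.exception_until}"
            else:
                state, msg = "exception_active", f"exception until {f.exception_until}"
        elif today > deadline:
            state, msg = "overdue", f"{(today - deadline).days} day(s) past SLA"
        elif deadline - today <= timedelta(days=DUE_SOON_DAYS):
            state, msg = "due_soon", f"due {deadline}"
        else:
            state, msg = "within_sla", f"due {deadline}"
        tag = " [CRITICAL ASSET]" if asset.critical else ""
        out.append(Review(f.finding_id, asset.owner, state, deadline,
                          f"{f.finding_id} on {f.asset_id}{tag}: {msg}"))
    return out


def notifications(reviews) -> dict:
    """Group actionable items by owner; quiet states generate no reminder."""
    actionable = {"overdue", "due_soon", "exception_expiring", "exception_expired", "unknown_asset"}
    by_owner = {}
    for r in reviews:
        if r.state in actionable:
            by_owner.setdefault(r.owner, []).append(r.message)
    return by_owner


# Constructed sample data (not real systems or findings).
TODAY = date(2020, 2, 14)
ASSETS = {
    "billing-api": Asset("billing-api", "payments-team", True),
    "intranet-wiki": Asset("intranet-wiki", "it-ops", False),
}
FINDINGS = [
    Finding("F-001", "billing-api", "critical", date(2020, 2, 1)),              # 6 days overdue
    Finding("F-002", "billing-api", "high", date(2020, 1, 17)),                 # due in 2 days
    Finding("F-003", "intranet-wiki", "medium", date(2020, 2, 10)),             # within SLA, no mail
    Finding("F-004", "intranet-wiki", "high", date(2019, 12, 1),
            exception_until=date(2020, 2, 18)),                                 # exception expiring
    Finding("F-005", "legacy-ftp", "low", date(2020, 1, 5)),                    # asset not in inventory
    Finding("F-006", "billing-api", "high", date(2020, 1, 1), status="fixed"),  # skipped
]

if __name__ == "__main__":
    for owner, msgs in notifications(review(FINDINGS, ASSETS, TODAY)).items():
        print(owner)
        for m in msgs:
            print("  -", m)
```

Run as a script, it prints one section per owning team (payments-team, it-ops and asset-management) listing only the findings that need action; F-003, still inside its SLA, produces nothing. In a real deployment the findings would come from the scanner or ticketing integration and the output would be pushed into those same tickets rather than printed.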
While his efforts bore fruit, he offered a reality check for those who wanted to set up similar systems in their organisations, warning that they would encounter additional challenges such as a lack of support at Board level and poor communication between the CEO and CISO. Citing research from CIO.COM (https://www.cio.com/article/3491729/ceos-you-re-in-denial-on-cybersecurity.html), he said: “Cybersecurity is not often seen as part of the CEO’s business planning. Even within the organisation, there will be different definitions of what constitutes a cyber breach. There will be friction, conflict, competing budgets and misalignments.” But the effort may well be worth it: users of the platform have seen a 25% saving in development time while identifying twice the number of vulnerabilities and significantly reducing the number of false positives, among other outcomes.