How to fight cybercrime in 2019: Risk leaders must unify their approach

Mark Hughes, Senior Vice President and General Manager, Security, DXC Technology

Each day, news headlines remind us that enterprises are rife with risk. In fact, per a recent survey, most CISOs in North America believe that data breaches are an inevitable hazard. More troublesome still, the risk landscape is changing so fast that risk leaders barely have time to ponder what their response strategy should be before their needs change once again.

The fact is, as digital transformation delivers useful and productivity-fostering innovations in many organizations, cyber criminals, too, are becoming faster, smarter, and more dangerous with technological advances. As organizations continue on their digital transformation journeys, one key security-related trend they need to consider is the growing convergence of information security and operational risk.

It used to be that enterprises treated these as separate elements. But that's changing, in large part due to the increased instrumentation and actuation brought about by the IoT, the automated decision making of machine learning, and the digital value exchanges made possible by blockchain. As a result, organizations can no longer think of information security and operational risk as two separate things.

Embed cyber resilience in business processes

After all, with digital transformation, IT no longer just supports the business; IT is the business. Consider an agricultural company that uses IoT sensors in its fields, fertilizer and sprinkler systems to keep crops fed and watered, and airborne drones to monitor it all. These systems need to cooperate with both each other and external systems.

Cyber resilience should be embedded into the business process to ensure that seas of sensors and actuators coordinate their responses as situations change. Patching a system or even a single sensor should not be allowed to create a cascading failure; otherwise, the company risks losing the entire crop—and the revenue associated with it. The line between information risk and operational risk has faded to the point where it barely exists.

In the past, most information risks could be adequately monitored and moderated by humans. But with the expanding scale of IoT implementations, that's becoming increasingly difficult.

While automation is the obvious solution, rules-based systems are too limited for today's world. These systems are good at spotting anomalies, but not so good at adjusting to in-the-moment developments. Context will become increasingly important.

Unify digital transformation and security

The risk environment is changing rapidly. A strong approach to managing evolving risks requires that organizations stop treating information risk as a separate activity and instead unify their plans for overall digital transformation and security under a single, strategic initiative.

One way to envision what this means is to consider how weather forecasting is used to inform decision making. In the past, a company's operational risk teams might consult weather forecasts to coordinate supply chain logistics.

Now, however, the company's information teams must also get involved to consider how those same adverse weather conditions might affect, for example, cloud computing data centers. Sometimes, there's only a small opportunity to make an important decision—e.g., to move just-in-time workloads to lower-risk, higher-cost locations that aren't in a storm's path.

Foster resilience

As the weather example demonstrates, the best way to defend against threats is with a structured, enterprise-wide risk management strategy that has well-defined governance and policies.

The ultimate goal is to foster resilience in systems, to allow them to not only withstand natural disasters and malicious attacks, but to carry out mission-critical business operations if and when disaster—in any form—strikes.

There is certainly good news and bad news wrapped up in digital transformation efforts and corporate use of new technologies. But a strategic review of how the IT landscape is expanding—as well as careful preparation for what that means for security practitioners—should give leading-edge organizations more than a fighting chance to keep both the bad guys and the bad elements at bay.
