Editor’s note: The following is a guest article from Jeremy D’Hoinne, a VP Analyst at Gartner, researching infrastructure protection.
If there’s one thing every CISO knows to be true, it’s that cybersecurity is unpredictable.
One of the most frequent questions Gartner analysts receive when discussing the threat landscape is “How do I avoid being hit by the next major cyberattack?” The unpleasant truth is that this is the wrong question — it is impossible to foresee precisely how threats and threat actors will evolve.
A more useful question to ask is, “How can I reduce the impact of inevitable, serious attacks?”
As unpredictable and disruptive threats impact businesses more frequently, cybersecurity leaders must improve their organization’s resilience, because breaches will happen under their watch. This requires more than just investing in preventative controls. CISOs must focus on three core areas.
Strengthen the resilience of your security program
Recovering IT infrastructure, applications and data after a cyberattack normally takes more time than the business can afford. A deliberately designed resilience program enables the organization to recover from an attack quickly, with as little business disruption as possible.
A crisis communications plan is also an essential component of a resilience program. Organizations are often unprepared to handle communications for security incidents, resulting in role confusion, delays in processing or conflicting messaging.
This can lead stakeholders to the wrong conclusions about the cause, severity and consequences of a security incident.
In addition to traditional cybersecurity incident response (IR) plans, the business needs downtime procedures for continuing to operate and communicate with each other, customers and other stakeholders. Examples of downtime procedures include:
- Offline documentation such as diagrams, blueprints and operating manuals, as well as critical reports stored offline at the end of each day or shift.
- IT support, such as having immutable vaults for application data downloads.
- Operational alternatives, such as spreadsheets to manage workforce scheduling and having reconciliation procedures in place to enter data into applications once the cyberattack is resolved.
Develop a crisis management team and protocol that accounts for factors including reputational damage, cost, impact to human safety and life, and impact to business operations. Set a uniform strategy and messaging guidance, and test the procedures regularly.
Build flexibility into security designs
Many businesses make security improvements following “newsworthy incidents.” It is typical for an organization to make a suboptimal decision in the aftermath of an incident: a dramatic news story encourages an approach that might have been useful to the victim of that incident, but which may not be helpful the next time around.
Continuous preparation is paramount, and a flexible security design can improve resilience when dealing with unpredictable threats. Gartner predicts that by 2026, organizations investing at least 20% of their security funds in resilience and flexible design programs will cut total recovery time in half when a large blast attack occurs.
For example, most organizations have an ongoing vulnerability management program, but no security team can hope to fix everything. Rather, organizations need an approach that helps them focus on the most-critical exposures first.
An exposure management program is a more structured approach that helps create prioritized lists of treatments and remediations that reduce the organization’s attack surface.
The long-term objective of an exposure management program is to get consistent, actionable security posture optimization plans that business executives can understand and accept, enabling the required cross-team collaboration.
Another way that CISOs can design security for resilience is by applying a threat-centric approach to security provider selection.
Too often, security product evaluations are limited to a predefined market segment, such as “endpoint detection and response” or “access management.” However, with vendors continuing to combine offerings and buyers looking to consolidate their vendor portfolio, this method of product evaluation becomes less effective.
Leveraging a threat-centric purchase strategy, the security team should evaluate technologies from more than one category of security control, and possibly more than one defined market.
Define a set of relevant metrics for a specific category of attacks before engaging in an RFP or proof of concept process.
Then, inventory security product and service categories that can help improve the security posture against these attacks.
For example, improving the organization’s security posture against phishing requires comparing the efficacy of email security, endpoint, and user awareness controls.
Engage executives with the business value of cybersecurity readiness
To improve the organization’s ability to resist and recover from unpredictable threats, CISOs must better engage business executives to create a steady investment in cybersecurity. To do this, evolve metrics to position cybersecurity readiness and protection levels in a business context.
Security teams often rely on the outcomes from technical security posture assessments and tabletop exercises as guiding metrics. While useful to the security team, such metrics fail to convince executive leaders to make necessary investments before it is too late.
Value-delivery metrics, on the other hand, have a direct line-of-sight to protection levels created by investments, and they can be aligned to business outcomes.
Shift to an outcome-driven approach that links technology operational metrics to the business outcomes they support. For example, rather than reporting on the number of critical vulnerabilities or the percentage of logs analyzed, consider a metric like the number of days to patch critical systems.
This metric can be presented to executives in a business context by demonstrating how the level of protection would change based on investments to support faster patch times.
Looking at recent events impacting the cybersecurity threat landscape – from widespread vulnerabilities like Log4j, to geopolitical threats that arose during Russia’s invasion of Ukraine – it’s evident that security teams cannot avoid disruptive events.
By focusing on preparation over prevention, CISOs and their teams can optimize their organizations’ resilience in the face of new, unpredictable cybersecurity threats.