CIO Academy Asia and its partner, Fortinet, conducted a series of cybersecurity roundtable discussions
between August and November 2016. A select group of CIOs and CISOs were brought together in each of
five key cities in South East Asia to discuss best practices and to address the different challenges
organisations face in their efforts to embrace cyber-resilience in this interconnected digital world.
This report summarises the key issues discussed during all the sessions:
Discussions Summary
Changing But Persistent Face of Uncertainty
Remarking on the timeliness of the roundtable, given that we are now operating in a disruptive age, it was
noted that security has become almost synonymous with disruption. As a broad expression of uncertainty, it
remains an underlying and necessarily persistent consideration as people see technologies threatening to
disrupt jobs and lives.
Such uncertainty applies even despite the current enthusiasm for disruptive developments like driverless
vehicles: recent traffic accidents involving such vehicles have led to reviews of their mode of operation,
a reminder that disruptive technologies also go through the hype cycle.
Likewise with social media, it is only relatively recently that such technologies have matured and become
powerful tools for digital marketing. Some in the audience were not even on Facebook until a few years
ago, but its use has since become pervasive, even in the public sector. Such changes in the usage of new
technological media reflect the times and are also necessitated by having to keep up with millennials, but
the fundamentals have not changed, i.e. cybersecurity has been an issue from the very beginning.
Polling Cybersecurity Concerns of the C-Suite
Four points were highlighted as underlying why cybersecurity is more important than ever, and which serve
as useful ground-level context for framing the roundtable discussions, namely:
• Technology platforms like Uber, AirBnB, Grab and other unicorns are now bigger and more attractive, and
are larger cyberattack targets; the attack exposure is much wider.
• The number of IP devices has grown by leaps and bounds, while the volume and value of data have also
multiplied exponentially.
• Today all devices are highly interconnected, on the internet or otherwise.
• Perpetrators of cybersecurity risks and threats have become more sophisticated than ever before, and the
attackers are better organised than the ones defending.
Cyber resilience as a topic has often been covered with different definitions, but the definition proposed by
the Scottish government was raised for consideration i.e. that cyber resilience is the ability to prepare for,
withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world.
2016 CYBERSECURITY ROUNDTABLE SERIES
Resilience Through Systematic Readiness
In line with global trends, the Internet of Things is presenting real and present cybersecurity threats,
such that traditional mitigation approaches are no longer good enough. It was shared how four key thrusts
compared against Gartner's approach, i.e. Predictive, Preventative, Detective and Responsive/Corrective,
and how these mapped to their mandate for driving initiatives.
Furthermore, responsive and mitigating actions are undertaken with digital forensics and data analytics;
these measures served to enable their national cybersecurity crisis management.
Moving With the Times
On the private sector front, McKinsey has remarked how tightly technology and security have become integrated
with business processes. This was compared with the situation about 15 years ago when cybersecurity was still
seen as a nice-to-have, when IP security did not even exist in some organisations or was parked under the purview
of IT infrastructure to handle low level security issues. Security was not seen to be a business issue and threats in
those times were also relatively amateurish. The picture now is vastly different, with state-level attacks as detailed
in Project CameraShy and coordinated attacks such as those on Sony as detailed in the Project Blockbuster report.
As the threat landscape changed, the notion of resilience has also changed – when enterprises used to worry about
viruses and malware, today they are facing threats that could bring down entire organisations. Even the lines
between cybercrime and cybersecurity incidents are blurring, and attackers are largely motivated by gain.
Disrupting the Disrupters
The interest now is not simply in having the capabilities to respond to cyberattacks but also in actively
disrupting and dismantling attacks. This can be through internal partnerships with departments that share an
interest in preventing the recurrence of such cyber incidents, as well as through external partnerships with
the public sector and law enforcement agencies to ensure thoroughness in the common approach to shared cyber
threats. The value and importance of public-private collaborations were repeatedly mentioned; while it was
acknowledged that such approaches may not be accessible to SMEs, there are strong bases for active dialogue
within and across the industry on such matters.
Broadening Defensive Approaches
One speaker commented that while defence in depth has looked at security from an end-to-end perspective,
there still needs to be greater breadth through cross-unit collaboration, because security is increasingly
recognised to be a business issue as well. As such, organisations' IT units may know how to respond to
cybersecurity incidents, but business and other corporate units should also understand their roles and the
appropriate responses on their part, e.g. how to work with service providers, understand the legal
implications and communicate with external parties.
Security incident management has likewise evolved, from IT-driven perspectives (e.g. ITIL security
management) to an enterprise view involving the different business and corporate dimensions. The business
continuity programme will also need to take cyber threats into account and not just focus on the physical
dimensions, e.g. disruptions to the supply chain. Where required by regulation, such as in the financial
sector, banks are also required to conduct regular cyber readiness tests in which they are assessed on how
well they collaborate in the event of attacks.
Between Internal and External Threats
It was also noted that much of the attention on cybersecurity has tended to focus on external threats, but
attendees were reminded that internal security threats, e.g. due to intentional misuse or sheer human error,
also merit attention, not least from the perspective of balancing security spending and investment.
Attention must also be drawn to the spectre of invisible threats due to the infiltration of trusted third
parties with direct connectivity to systems, which enables attackers to gain a foothold and access to the
actual intended targets. The examples cited were JP Morgan being attacked through its IT asset management
system and First Bank of Taiwan's ordeal, which came about through the compromise of its London office's
IVR systems.
As such, organisation leaders should not only redefine how they view invisible threats but also rethink
their approaches to risk assessments and business impact analyses by taking into account threats that lie
beyond the organisation's immediate environment.
With regard to industry competition, the use of broad benchmarks should be questioned; instead,
organisations should be guided by a clear understanding of their own risk profiles and context, and how
these differ from their competitors'.
Smarter Use of Resources
Security analytics platforms provide valuable context, deriving intelligence not only from big data but
also from user activity logs, VPN and HR logs, and video and CCTV feeds, which can give better insight into
threat profiles. With better understanding and insight, organisations can respond better and lower their
turnaround time on security incidents, allowing them to better focus the attention and efforts of scarce
personnel.
Organisational structure and adequate budgets for security may also have a role in how well organisations
respond to cybersecurity threats, but one speaker stressed the greater importance of assigning clear roles
and responsibilities, building a good culture supported by relevant KPIs, and having a clear contextual
understanding to determine which security investments to spend on. Ultimately, it would serve
resource-crunched organisations to embrace managed or cloud security services and to focus instead on
people development and upskilling.
As such, it would be good to advocate for creating greater awareness from the top, i.e. for those in a
position to make decisions to be intelligence-led rather than reacting to the latest threat incident. Beyond
awareness and intelligence, there are challenges for the security industry in hiring not only the right
skills or experience profile but also the right qualities, e.g. stamina for handling high stress levels and
self-motivation among security response staff, or engineers for the analytics team who can apply the right
perspectives and approaches to the job. Ultimately, cyber resilience is a state of mind that encompasses
Patience, Anticipation, Discipline, Stamina, Respect and Defence; this is especially so as recent security
exploits have tended to target humans as the weak link.
Contextualizing & Incentivising Security Strategies
It may well be that IT security leaders have not taken heed of the need to transform themselves from simply
technologists into 'business technologists'. Security resilience is all about contextualising security
strategies based on a sound understanding of the business and industry, and mapping them across their
security requirements.
Threats are constantly evolving, and responsive measures seem to be readily countered by attackers, hence
the interest in better ways to respond. From the public sector perspective, there were also concerns over
the unpredictability of internal threats, and thus an interest in consistent and effective security
education and awareness building. How internal awareness is conducted could also be important, ranging from
passive measures (e.g. information sharing on screensavers or posters) to more active ones (e.g. in-person
sessions and outreach to top management and the Board).
Attune According to Risk Profile
On regulatory and standard-driven strategies, the example of the banking sector abiding by regulations is
important, but it should not be a one-size-fits-all approach, i.e. central banks have different mandates
and risk profiles compared to retail or commercial banks.
As such, it would be wiser to apply an intelligence-driven approach that goes beyond technical threat
intelligence to encompass collective and business intelligence, e.g. having awareness of the wider
implications of organisational M&A activities or large investments and how they might present risks of
cyber threats, or the possibility of geopolitical threats.
Taking Care of External Facing End Points
An aspect of internal threat is the use of shadow IT by business units, which may run external-facing
applications without the IT department's awareness, or a lack of uniformity in security procedures for
separate networks, e.g. corporate versus factory systems. Security concerns over legacy systems and devices
likewise play into this in terms of touchpoints with customers and processes for data assurance; this poses
one of the greatest challenges to IT security governance, which in turn illustrates a lack of end-to-end or
thorough security awareness among business units. Some ways to counteract this include pegging security
education, awareness and compliance to the organisational culture and propensity for learning, e.g. tests
of whether staff can be influenced to respond or not respond to social engineering, and how vigilant they
remain in the face of less obvious risks.
The Value of Collective Intelligence
It is also useful to collate the attributes and characteristics of actual or attempted cyberattacks because they
provide insights into areas of vulnerability that can be redressed. As such, the ultimate goal in cybersecurity
defence is to make every attempted attack as painful, difficult and expensive as possible, as a way to discourage
attackers from persisting. Collaborations within an industry, threat signatures and shared intelligence on attack
attributes can be useful as evidence and help improve vigilance and resilience for industry members as a whole. In
terms of public-private partnerships, the sharing of intelligence can be crucial because a security incident could be
a prelude to a much larger broad-based cyberattack.
Higher education institutions and universities could initiate the sharing of intelligence among themselves
without waiting for the government to sanction or make the first move. However, attendees expressed
reservations, because such moves will require knowledge of priority areas, guidance and adequate confidence
that the decisions taken will not have negative or unforeseen consequences. To that end, awareness building
among institutions could help them better calibrate what they should or could effectively do.
Taking the Initiative on Collaboration Initiatives
On possible guidelines or rulebooks for different industries to catalyse collaboration in cybersecurity, the
Cyber Threat Alliance can systematically share threat intelligence with industry competitors, government
agencies, the FBI, Interpol and other state agencies to better serve end-users. The collaboration has
yielded a substantive body of threat information that is beneficial to all parties, and serves to improve
the organisation's solution offerings in the security space.
By extension, attendees were encouraged to consider the power of such initiatives if separate institutions or
agencies took up the gauntlet and made the first move. If industries led the way then they would find support from
the government. By illustration, Bank Negara and StanChart recently signed an MOU to strategically collaborate,
share security insights and foster evidence exchange to improve advanced cyber forensic analyses in the financial
sector. A further aim was to build capacity and eventually certify 10,000 IT professionals with cybersecurity
credentials - measures that were observed to be relevant and useful for the private sector industries to emulate.
Business-First Security Education
There is a need for cybersecurity education to look in totality beyond the technology or technical
infrastructure, taking a business-centric perspective that starts with IT leaders' own transformation from
technologists to business technologists. Security leaders need to put on a business hat, not least because
IT security systems depend on the business side of organisations to drive their value proposition; as such,
IT security professionals need to understand business workflows, the core value proposition of the
organisation, and the types of exposure to cyberattacks likely to be encountered in the course of conducting
business.
Doing so will also allow better prediction, management, decision-making and more effective response to security
incidents. It will also better focus the attention of security resources and talent to address the most relevant or
important aspects during a security incident. Organisations should select security technologies based on a strong
understanding of their specific contextual needs, and question if certain threats are likely or relevant to the nature
of their business.
Know Thyself (and What Motivates Your Potential Attackers)
Less can be more in the choice of security technologies: it is better to maximise the use of a suite of
technologies designed to work together than to invest in different best-of-class security technologies that
may not be as well integrated with one another.
Organisations' decisions on security spend should as such be guided by a good understanding of their value
proposition, the core nature of the business, and who might be likely or interested parties to perpetrate
cyberattacks. It is also important to know the touchpoints or access points for the business's core value
assets from an information standpoint, and how the applications or devices may impact security.
From this perspective, IT leaders will be able to more clearly communicate the possible security impacts of
various business initiatives to top management, which may not see or realise the wider implications. As
such, the security purview of IT leaders serves as another layer of due diligence from a security standpoint.
Organisations also need to do a better job of educating their personnel to understand what are the organisation’s
crown jewels or core assets to be handled carefully. Organisations could also do more to collaborate and build
trust – starting with measures at the individual level, with careful management of expectations if collaborations are
to grow and develop organically.
A concern was raised about the use of third parties to address a business's cybersecurity needs, i.e. where
a business is dependent on outsourcing, who would regulate these third parties? A suggestion was to have a
clear view of the business benefits and risks at the point of procurement, and possibly to consider the
appropriateness of cyber insurance. Decision points hinge on business needs and the value to be derived,
e.g. outsourcing to transfer certain kinds of risk or to solve a resource or manpower issue. As such,
organisations need to be aware of the trade-offs they are making between different kinds of risk.
It was recommended that organisations map their business critical assets to identify the areas that merit
focus and security spend. Business critical assets may be seen in terms of their short-term ability to drive
profit or revenue, such as customer databases, or a core business value such as IP and product design. As
one way to guide decisions on what is too critical to outsource, vendors should also be able to adequately
spell out what they would do under various threat or cyberattack scenarios.
Roundtable sessions:
• Manila, Philippines: 31 August 2016, Shangri-La at the Fort Manila
• Jakarta, Indonesia: 6 October 2016, Raffles Jakarta
• Kuala Lumpur, Malaysia: 21 October 2016, Nobu Kuala Lumpur
• Singapore: 27 October 2016, The St. Regis Singapore
• Hong Kong: 11 November 2016, W Hong Kong
©2016. CIO Academy Asia. All rights reserved.
Neither this publication nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise without the prior permission of CIO Academy Asia.
CIO Academy Asia would like to sincerely thank Fortinet for the collaboration and partnership in
this cybersecurity roundtable series.
*More photos of the event can be found at CIO Academy Asia’s Facebook Page:
facebook.com/cioacademyasia
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

How Cyber Resilient are we?

• Technology platforms like Uber, AirBnB, Grab and other unicorns are now bigger and more attractive, and therefore larger cyberattack targets; the attack exposure is much wider.
• The number of IP devices has grown by leaps and bounds, while the volume and value of data have also multiplied exponentially.
• Today all devices are highly interconnected, over the internet or otherwise.
• Perpetrators of cybersecurity risks and threats have become more sophisticated than ever before, and the attackers are better organised than the defenders.

Cyber resilience as a topic has often been covered with different definitions, but the definition proposed by the Scottish government was raised for consideration: cyber resilience is the ability to prepare for, withstand, rapidly recover from and learn from deliberate attacks or accidental events in the online world.

2016 CYBERSECURITY ROUNDTABLE SERIES

Resilience Through Systematic Readiness

In line with global trends, the Internet of Things presents real and present cybersecurity threats, such that traditional mitigation approaches are no longer good enough. It was shared how four key thrusts compared against Gartner's approach (Predictive, Preventive, Detective and Responsive/Corrective) and how these mapped to the speaker's mandate for driving initiatives. Responsive and mitigating actions are undertaken with digital forensics and data analytics; these measures serve to enable national cybersecurity crisis management.
Moving With the Times

On the private sector front, McKinsey has remarked how tightly technology and security have become integrated with business processes. This was compared with the situation about 15 years ago, when cybersecurity was still seen as a nice-to-have, when IT security did not even exist in some organisations or was parked under the purview of IT infrastructure to handle low-level security issues. Security was not seen as a business issue, and threats in those times were also relatively amateurish. The picture now is vastly different, with state-level attacks as detailed in Project CameraShy and coordinated attacks such as those on Sony as detailed in the Project Blockbuster report. As the threat landscape has changed, the notion of resilience has also changed: where enterprises used to worry about viruses and malware, today they face threats that could bring down entire organisations. Even the lines between cybercrime and cybersecurity incidents are blurring, and attackers are largely motivated by gain.

Disrupting the Disrupters

The interest now is not simply in having the capabilities to respond to cyberattacks but also to actively disrupt and dismantle attacks. This can be through internal partnerships with departments that share the interest in preventing recurrence of such incidents, as well as through external partnerships with the public sector and law enforcement agencies to ensure thoroughness in the common approach to shared cyber threats. The value and importance of public-private collaboration was mentioned repeatedly; while it was acknowledged that such approaches may not be accessible to SMEs, there are strong grounds for active dialogue within and across industries on such matters.
Broadening Defensive Approaches

One speaker commented that while defence in depth has looked at security from an end-to-end perspective, there still needs to be greater breadth through cross-unit collaboration, because security is increasingly recognised to be a business issue as well. Organisations' IT units may know how to respond to cybersecurity incidents, but business and other corporate units should also understand their roles and the appropriate responses on their part, e.g. how to work with service providers, understand the legal implications and communicate with external parties. Security incident management has likewise evolved, from IT-driven perspectives (e.g. ITIL security management) to an enterprise view involving different business and corporate dimensions. The business continuity programme will also need to take into account cyber threats and not just focus on physical dimensions such as disruptions to the supply chain. Where required by regulation, such as in the financial sector, banks are also required to conduct regular cyber readiness tests in which they are assessed on how well they collaborate in the event of an attack.

Between Internal and External Threats

It was also noted that much of the attention on cybersecurity has tended to focus on external threats, but participants were reminded that internal security threats, e.g. intentional misuse or sheer human error, also merit attention, not least from the perspective of balancing security spend and investment. Attention must also be drawn to the spectre of invisible threats due to infiltration of trusted third parties with direct connectivity to systems, which enables attackers to gain a foothold and access to the actual intended targets. The examples cited were JP Morgan, which was attacked through its IT asset management system, and First Bank of Taiwan, whose ordeal came about through the compromise of its London office's IVR systems. As such, organisation leaders should not only redefine how they view invisible threats but also rethink their approaches to risk assessment and business impact analysis by taking into account threats that lie beyond the organisation's immediate environment.
With regard to industry competition, the use of broad benchmarks should be questioned; instead, organisations should be guided by a clear understanding of how their risk profiles and context stand and differ from those of their competitors.

Smarter Use of Resources

Security analytics platforms provide valuable context, deriving intelligence not only from big data but also from user activity logs, VPN and HR logs, and video and CCTV feeds, which can give better insight into threat profiles. With better understanding and insight, organisations can respond better and lower their turnaround time on security incidents, allowing them to focus the attention and efforts of scarce personnel. Organisational structure and adequate security budgets may also play a role in how well organisations respond to cybersecurity threats, but the speaker stressed the greater importance of assigning clear roles and responsibilities, building a good culture supported by relevant KPIs, and having a clear contextual understanding to determine which security investments to make. Ultimately, it would serve resource-crunched organisations to embrace managed or cloud security services and to focus on people development and upskilling. It would therefore be good to advocate for greater awareness from the top, i.e. for those in a position to make decisions to be intelligence-led rather than reacting to the latest threat incident. Beyond awareness and intelligence, there are challenges for the security industry in hiring not only the right skills or experience profile but also the right qualities, e.g. stamina for handling high stress levels and self-motivation among security response staff, or engineers for the analytics team who can apply the right perspectives and approaches to the job.
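The "Smarter Use of Resources" discussion above mentions analytics that combine VPN logs with HR data to get context. As an added example (not code from the report, CIO Academy Asia or Fortinet), the following Python correlates a constructed VPN authentication log with a constructed HR roster and raises three kinds of context-driven finding: a login by a user HR no longer lists as active, an off-hours login, and an "impossible travel" pair of logins. The log line format, the roster fields and the thresholds (2 hours for travel, 07:00 to 20:00 as working hours) are assumptions made for the example.

```python
# Added example (not from the CIO Academy Asia / Fortinet report): a small
# correlation of VPN authentication events with an HR roster, illustrating the
# kind of context an analytics platform derives from "VPN and HR logs".
# Every log line and roster entry below is constructed for the example.
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed HR roster, keyed by username. A real platform would pull this
# from the HR system of record.
HR_ROSTER = {
    "alice": {"status": "active", "country": "SG"},
    "bob":   {"status": "terminated", "country": "MY"},   # left the company
    "carol": {"status": "active", "country": "PH"},
}

# Constructed VPN log, one event per line (assumed format):
#   <ISO-8601 timestamp> user=<name> src=<ip> country=<ISO code> result=<ok|fail>
VPN_LOG = """\
2016-10-05T09:12:00 user=alice src=203.0.113.10 country=SG result=ok
2016-10-05T09:40:00 user=bob src=198.51.100.7 country=MY result=ok
2016-10-05T10:02:00 user=carol src=203.0.113.55 country=PH result=ok
2016-10-05T10:20:00 user=carol src=192.0.2.9 country=DE result=ok
2016-10-05T02:30:00 user=alice src=203.0.113.10 country=SG result=ok
2016-10-05T11:00:00 user=mallory src=192.0.2.77 country=RU result=fail
"""

Finding = namedtuple("Finding", "rule user timestamp detail")


def parse_vpn_line(line):
    """Parse one constructed VPN log line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def analyse(log_text, roster, max_travel=timedelta(hours=2), work_hours=(7, 20)):
    """Return Findings in timestamp order.

    Rules (all thresholds are assumptions for the example):
      login_by_inactive_user - successful VPN login by a user HR lists as
                               not active, or does not know at all
      off_hours_login        - successful login outside work_hours (local hour)
      impossible_travel      - two successful logins from different countries
                               less than max_travel apart
    """
    events = sorted(
        (parse_vpn_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    findings = []
    last_success = {}  # user -> (timestamp, country) of previous successful login
    for e in events:
        if e["result"] != "ok":
            continue  # failed logins are noise for these three rules
        user, ts = e["user"], e["ts"]
        rec = roster.get(user)
        if rec is None or rec["status"] != "active":
            findings.append(Finding("login_by_inactive_user", user, ts,
                                    "hr_status=%s" % (rec["status"] if rec else "unknown")))
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append(Finding("off_hours_login", user, ts, "hour=%d" % ts.hour))
        prev = last_success.get(user)
        if prev and prev[1] != e["country"] and ts - prev[0] < max_travel:
            findings.append(Finding("impossible_travel", user, ts,
                                    "%s->%s in %s" % (prev[1], e["country"], ts - prev[0])))
        last_success[user] = (ts, e["country"])
    return findings


if __name__ == "__main__":
    for f in analyse(VPN_LOG, HR_ROSTER):
        print(f.timestamp.isoformat(), f.rule, f.user, f.detail)
```

Run on the constructed data, this reports alice's 02:30 login as off-hours, bob's login as one by a terminated user, and carol's Philippines-to-Germany pair 18 minutes apart as impossible travel; the failed login by the unknown user mallory is ignored by design. The point the roundtable makes is visible in the roster lookup: without the HR feed, bob's login is indistinguishable from any other successful authentication.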
Ultimately, cyber resilience is a state of mind that encompasses patience, anticipation, discipline, stamina, respect and defence; this is especially so as recent security exploits have tended to target humans as the weak link.

Contextualizing & Incentivising Security Strategies

It may well be true that IT security leaders have not taken heed and transformed themselves from simple technologists into 'business technologists'. Security resilience is all about contextualising security strategies based on a sound understanding of the business and industry, and mapping that understanding across the organisation's security requirements. Threats are constantly evolving, and responsive measures seem to be readily countered by attackers; hence the interest in ways to respond. From the public sector perspective, there were also concerns over the unpredictability of internal threats and thus interest in consistent and effective security education and awareness building. How internal awareness is conducted could also be important, ranging from passive measures (e.g. information sharing on screensavers or posters) to more active ones (e.g. in-person sessions and outreach to top management and the Board).

Attune According to Risk Profile

On regulatory and standards-driven strategies, the banking sector's example of abiding by regulation is important, but it should not be a one-size-fits-all approach: central banks have different mandates and risk profiles from retail or commercial banks. It would therefore be wiser to apply an intelligence-driven approach that goes beyond technical threat intelligence to encompass collective and business intelligence, e.g. awareness of the wider implications of organisational M&A activities or large investments and how they might present cyber risks, or of the possibility of geopolitical threats.
Taking Care of External-Facing End Points

An aspect of internal threat is the use of shadow IT by business units that may run external-facing applications without the IT department's awareness, or a lack of uniformity in security procedures across separate networks, e.g. corporate versus factory systems. Security concerns over legacy systems and devices likewise play into this in terms of touchpoints with customers and processes for data assurance; this poses one of the greatest challenges to IT security governance, which in turn illustrates a lack of end-to-end or thorough security awareness among business units. Ways to counteract this can include pegging security education, awareness and compliance to the organisational culture and propensity for learning, e.g. testing how staff can be influenced to respond or not respond to social engineering, and how vigilant they remain in the face of less obvious risks.

The Value of Collective Intelligence

It is also useful to collate the attributes and characteristics of actual or attempted cyberattacks, because they provide insights into areas of vulnerability that can be redressed. The ultimate goal in cybersecurity defence is to make every attempted attack as painful, difficult and expensive as possible, as a way to discourage attackers from persisting. Collaboration within an industry, threat signatures and shared intelligence on attack attributes can be useful as evidence and help improve vigilance and resilience for industry members as a whole. In terms of public-private partnerships, sharing intelligence can be crucial because a security incident could be a prelude to a much larger broad-based cyberattack. Higher education institutions and universities could initiate sharing of intelligence among themselves without waiting for the government to sanction or make the first move.
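"The Value of Collective Intelligence" section above talks about shared attack attributes and signatures; what a receiving organisation does with them is match them against its own telemetry. As an added example (not code from the report or from any sharing group), the following Python normalises a constructed indicator bundle of domains, IP ranges and SHA-256 hashes and scans constructed proxy/endpoint events against it. The bundle layout and the event fields are assumptions for the example. It handles two edge cases practitioners trip over: a look-alike domain such as notbad-example.test must not match the indicator bad-example.test (matching is on whole labels, parent domains included), and case or trailing-dot differences must not cause a miss.

```python
# Added example (not from the report): matching indicators shared by an
# industry group (domains, IP ranges, file hashes) against local proxy and
# endpoint events. The indicator bundle and the events are constructed.
import ipaddress

# Constructed indicator bundle, as it might arrive from a sharing partner.
SHARED_INDICATORS = {
    "domains": {"bad-example.test", "Update-CDN.example"},
    "cidrs": ["198.51.100.0/24"],
    # SHA-256 of the empty string, used here only as a stand-in hash value
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed local events: proxy requests, with an optional file hash from
# an endpoint agent.
LOCAL_EVENTS = [
    {"id": 1, "host": "www.bad-example.test", "dst_ip": "203.0.113.20"},
    {"id": 2, "host": "intranet.example", "dst_ip": "198.51.100.44"},
    {"id": 3, "host": "files.example", "dst_ip": "203.0.113.21",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"id": 4, "host": "notbad-example.test", "dst_ip": "203.0.113.22"},  # look-alike, must not match
    {"id": 5, "host": "update-cdn.example.", "dst_ip": "203.0.113.23"},   # trailing dot, must match
]


class IndicatorMatcher:
    """Normalises a shared indicator bundle once, then scans events against it."""

    def __init__(self, indicators):
        self.domains = {d.lower().rstrip(".") for d in indicators.get("domains", ())}
        self.networks = [ipaddress.ip_network(c, strict=False) for c in indicators.get("cidrs", ())]
        self.hashes = {h.lower() for h in indicators.get("sha256", ())}

    def match_domain(self, host):
        """Return the indicator matching host or any parent domain, else None.
        Matching is on whole labels, so 'notbad-example.test' does not match
        'bad-example.test'."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, ip):
        """Return the CIDR containing ip, else None (unparseable values never match)."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net in self.networks:
            if addr.version == net.version and addr in net:
                return str(net)
        return None

    def match_hash(self, digest):
        digest = digest.lower()
        return digest if digest in self.hashes else None

    def scan(self, events):
        """Return one hit dict per (event, indicator kind) that matched."""
        checks = (("domain", "host", self.match_domain),
                  ("ip", "dst_ip", self.match_ip),
                  ("sha256", "sha256", self.match_hash))
        hits = []
        for ev in events:
            for kind, field, fn in checks:
                value = ev.get(field)
                matched = fn(value) if value else None
                if matched:
                    hits.append({"event": ev["id"], "kind": kind, "indicator": matched})
        return hits


if __name__ == "__main__":
    for hit in IndicatorMatcher(SHARED_INDICATORS).scan(LOCAL_EVENTS):
        print(hit)
```

On the constructed events this yields four hits (events 1, 2, 3 and 5) and correctly leaves event 4 alone. Each hit records which shared indicator fired, which is the attribute you would feed back to the sharing group as evidence of the attack's reach.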
However, attendees expressed reservations, because such moves require knowledge of priority areas, guidance and adequate confidence that decisions taken will not have negative or unforeseen consequences. To that end, awareness building among institutions could help them better calibrate what they should or could effectively do.

Taking the Initiative on Collaboration Initiatives

On possible guidelines or rulebooks for different industries to catalyse collaboration in cybersecurity, the example of the CyberThreat Alliance was raised: it systematically shares threat intelligence among industry competitors, government agencies, the FBI, Interpol and other state agencies to better serve end users. The collaboration has yielded a substantive body of threat information that benefits all parties and serves to improve the organisation's solution offerings in the security space. By extension, attendees were encouraged to consider the power of such initiatives if separate institutions or agencies took up the gauntlet and made the first move; if industries led the way, they would find support from the government. By illustration, Bank Negara and StanChart recently signed an MOU to strategically collaborate, share security insights and foster evidence exchange to improve advanced cyber forensic analysis in the financial sector. A further aim was to build capacity and eventually certify 10,000 IT professionals with cybersecurity credentials, measures observed to be relevant and useful for private sector industries to emulate.

Business-First Security Education

There was a need for cybersecurity education to look beyond technology and technical infrastructure, taking a business-centric perspective that starts with IT leaders' own transformation from technologists into business technologists. Security leaders need to wear a business hat, not least because IT security systems depend on the business side of the organisation to drive their value proposition; as such, IT security professionals need to understand business workflows, the core value proposition of the organisation, and the types of exposure to cyberattack likely to be encountered in the course of conducting business.
Doing so will also allow better prediction, management, decision-making and more effective response to security incidents. It will also better focus the attention of security resources and talent on the most relevant or important aspects during a security incident. Organisations should select security technologies based on a strong understanding of their specific contextual needs, and question whether certain threats are likely or relevant to the nature of their business.

Know Thyself (and What Motivates Your Potential Attackers)

Less can be more in the choice of security technologies: it is better to maximise the use of a suite of technologies designed to work together than to invest in different best-of-class security technologies that may not be as well integrated. Organisations' decisions on security spend should therefore be guided by a good understanding of their value proposition, the core nature of the business and who might be likely or interested parties to perpetrate cyberattacks. It is also important to know the touchpoints or access points for the business's core value assets from an information standpoint, and how applications or devices may impact security. From this perspective, IT leaders will be able to communicate more clearly the possible security impacts of various business initiatives to top management, which may not see or realise the wider implications. As such, the security purview of IT leaders serves as another layer of due diligence from a security standpoint. Organisations also need to do a better job of educating their personnel to understand what the organisation's crown jewels or core assets are, so that they are handled carefully. Organisations could also do more to collaborate and build trust, starting with measures at the individual level and with careful management of expectations if collaborations are to grow and develop organically.

A concern was raised about the use of third parties to address a business's cybersecurity needs: where a business is dependent on outsourcing, who regulates these third parties? One suggestion was to have a clear view of the business benefits and risks at the point of procurement, and possibly to consider the appropriateness of cyber insurance. Decision points hinge on business needs and the value to be derived, e.g. outsourcing to transfer certain kinds of risk or to solve a resource or manpower issue. As such, organisations need to be aware of what trade-offs they are making between different kinds of risk. It was recommended that organisations map their business-critical assets to identify the areas that merit focus and security spend. Business-critical assets may be seen in terms of their short-term ability to drive profit or revenue, such as customer databases, or of core business value, such as IP and product design. As one way to guide decisions on what is too critical to outsource, vendors should also be able to adequately spell out what they would do under various threat or cyberattack scenarios.
Roundtable sessions:
• Manila, Philippines: 31 August 2016, Shangri-La at the Fort Manila
• Jakarta, Indonesia: 6 October 2016, Raffles Jakarta
• Kuala Lumpur, Malaysia: 21 October 2016, Nobu Kuala Lumpur
• Singapore: 27 October 2016, The St. Regis Singapore
• Hong Kong: 11 November 2016, W Hong Kong

©2016 CIO Academy Asia. All rights reserved. Neither this publication nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of CIO Academy Asia.

CIO Academy Asia would like to sincerely thank Fortinet for the collaboration and partnership in this cybersecurity roundtable series.

More photos of the event can be found at CIO Academy Asia's Facebook page: facebook.com/cioacademyasia. Do show us your support by hitting the "Like" button on our Facebook page!