Security Think Tank: 2022 changed how we thought about resilience
2022 saw the cyber security landscape continue to evolve and become ever more challenging for businesses and governments.
A post-Covid new normal has been in full force this year, with companies embracing hybrid and remote work arrangements, while sustaining (or bracing for) large-scale data breaches and destructive ransomware attacks. Government infrastructure has also been targeted, and state-sponsored cyber warfare has opened new frontiers in the Russia-Ukraine conflict.
Throughout this global mayhem, we have witnessed a noticeable shift in what it means to “do” cyber security within organisations, especially those which are more cyber mature. From a mindset of “secure everything” to try to prevent attacks, there has been a transition to a real acceptance of the notion that suffering a cyber attack is not a question of if, but when.
Developing cyber resilience has become the driving force and a key objective of cyber security efforts. That means understanding how to roll with the punches and how to continue to operate (or indeed, survive) during an attack, and, ideally, come back stronger.
Becoming resilient is at the heart of the people-processes-technology triangle and there have been shifts in all three aspects in 2022.
Technology: playing catch-up versus security by design
While the rush to consume numerous tools and technologies to bulletproof organisations against breaches by securing the network’s perimeter and its many endpoints continued, there is clear and growing disillusionment with these products and the false sense of security they create. How, for example, will purchasing the latest threat intelligence software protect you if you have no way of deploying protection against a new threat fast enough?
Similarly, there is a growing understanding that addressing identified vulnerabilities has turned into a futile exercise of playing catch-up with extremely sophisticated threat actors. This is further reinforced by the realisation that the growing risk of insider threat cannot be addressed by a traditional security mindset.
The conceptual shifts required to address these challenges emphasise the need to develop resilience bottom-up from the get-go of any business operation. Implementing security by design, which seeks to make systems as free of vulnerabilities and impermeable to attacks as possible by building security into products from conception, and zero trust, a fundamental building block of resilience, have therefore moved to the top of the agenda for big organisations.
People: security teams versus organisation-wide resilience
Recruiting cyber security staff who are close matches to the roles and requirements needed remained a significant challenge in 2022 due to severe workforce shortages. This lack of skilled staff has become most apparent during and after major attacks, when the crucial need to recover services could not be met.
Under the resilience paradigm, organisations should be prepared to grow cyber security subject matter experts by training individuals with transferable skillsets. This will allow for more dynamic hiring and broader, more resilient cross-organisational teams.
Another trend this year was the shift from cyber security awareness training, which is no longer sufficient, to essential C-suite and board-level cyber security exercises. This focuses on decision-making, chain of command and skills enhancement to enable smooth and effective cyber incident management, response and recovery.
Introducing “cyber nudges” – design features engineered into digital environments to indirectly encourage good cyber habits – can also be effective. Building individual and corporate muscle memory to mitigate the effects of an attack can stop a bad situation from turning worse, while crucially identifying what effective recovery, or survival, looks like and what needs to be in place to make it happen.
Processes: business as usual versus rigorous testing
A key question this year has been: does the organisation have a mature development and operational lifecycle, is it actually being used, and is it used effectively? Too often, the lifecycles did not close the loop and resilience failed to evolve. As a result, continuous integration/development pipelines and improved DevSecOps have begun to emerge as concepts that must be embraced.
Resilience develops not only from understanding your environment and the threats to it, but also from codifying what precisely can go wrong and how to effectively respond when it does.
Rigorous testing of business processes can help ensure that when an attack occurs, the right actions can be, and are, taken. Developing processes, exercising them and training the individuals who can carry them out, at varying and increasing levels of complexity, validates and helps to improve them. This enables the organisation to keep up with the latest threats and attack trends not only by securing against them, but also by preparing for them to happen.
Overall, the most important cyber security lesson we learned in 2022 is that cyber resilience is more important than a narrow security focus in organisations and governments’ preparedness for attacks. That does not mean the value of security should now be dismissed and that there should be an exclusive focus on resilience. Rather, that organisations which change their mindset from attempting to prevent cyber attacks, to becoming more resilient to them, are the ones most likely to survive and potentially even thrive when attacks inevitably occur.