Kathy Gibson reports – Cybersecurity is not a simple exercise: there is no quick solution to a complex situation.
Tony Olivier, acting-chief information security officer (CISO) at Imperial Logistics and also co-author of the Cybercrimes and Cybersecurity Bill of South Africa, explains that there are many issues that CISOs need to think about.
They include legislation, resource shortages, the shift to mobile, the rise of ransomware, the politicisation of data, the shift to the cloud and artificial intelligence (AI).
Speaking at a CoCre8 Technology Solutions security event, Olivier says CISOs need to think not just about the Protection of Personal Information Act (PoPIA) that has been in the news lately, but other regulations like the Regulation of the Interception of Communication Act (RICA) and the new Cybercrimes and Cybersecurity legislation as well.
The resource shortage is an issue worldwide, but particularly in South Africa, where it is driven by a growing brain drain and a less-than-adequate education system.
Ransomware is more dangerous than ever, Olivier says, because it is now a business, with groups like Conti running different departments that specialise in various aspects of setting up and executing an attack.
“These groups think of themselves as a business, and are indifferent to the damage they cause to other businesses.”
After the Ukraine war started, the real politicisation of cybercrime came to the fore, and there has been a massive increase in ransomware attacks on organisations that might be even peripherally involved in the war.
Shifting to the cloud has many benefits for companies, and the right partner could be a real asset in the fight against cybercrime – but the wrong partner could leave customers wide open to attack.
“When it comes to cloud, it doesn’t matter where you put your information, you are still liable for the security of your data,” Olivier stresses.
At the same time as threats are increasing, new technology to assist is also becoming available. “Technology is hugely beneficial in the fight against cybercrime.”
Asset management is a massive issue for CISOs: all security standards or protocols call for a thorough knowledge of all assets.
But this assumes that companies include CISOs as an asset management stakeholder; and that the CISO has sight of, and participates in, the process of procurement, disposition and retiring of assets.
It also assumes that the organisation has central control of its data assets; and that there are consistent processes in place.
Another issue that needs to be considered is the relationship of complexity and security.
“With IoT there is a massive growth in the attack surface; and with the move to cloud, the complexity increases,” Olivier points out.
Design and quality contribute to the effectiveness of security to a point, after which they are overwhelmed by complexity, he adds.
The same is true of management: uncontrolled management data diminishes the quality of security management. Discrimination is key and the CISO has to determine what to measure.
For now, at least, security requires a high level of EQ, vigilance and energy – and it is almost impossible to do it successfully without the right technology.
The security industry, unfortunately, is trying to fight both old and new challenges with traditional technologies, Olivier says. And it still takes months to patch systems.
“As a result, information security remains a bolt-on solution, and we are still largely getting it wrong.”
Not every CISO is the same, Olivier adds, and each has to work in an environment that is driven by complexity, federation, politics and constrained budgets.
“The situation is getting tougher, and will get worse – but we still haven’t solved the problems we have had for 36 years.”
This means we will never be risk free: there are already events, incidents and probable breaches – and there will be more, Olivier says.
There is a reasonable likelihood that the cause of the breach is outside of the CISO’s control. And there is almost zero likelihood they will be able to identify and take action against the attacker.
“Most significantly, a serious breach is the gift that keeps giving,” Olivier adds. “It will consume your time. It is an auditor’s dream because it funds forensic investigators, lawyers and media relations. It will cripple you for weeks or months and it will place you under the microscope within the company.
“And there is an opportunity cost: while you are reacting to a breach, you are detracted from securing the organisation.”
To do their jobs effectively, CISOs need to implement best practices, using technology and complying with standards, policies and frameworks.
But every CISO is different, Olivier explains, although they all have to run security and also communicate effectively with the business.
Policies are all very well, he says, but creating a policy is no small undertaking since it is a business decision with many implications – and it is an ongoing process. “In all of this time, there is an opportunity cost.”
As a result, often policies are not even implemented despite the time and effort it takes to craft them. So, rather limit the number of policies, Olivier advises.
Often, IT buys technology rather than leave budget unspent, but he advises CISOs to use all technology purchased rather than leaving it on the shelf.
“And I can’t stress this one enough: monitor every day – you need to be aware of what is going on in the organisation,” Olivier stresses.
He adds that internal intelligence is as important as knowing what is happening externally – that information is critical for the CISO.
The bottom line, Olivier believes, is that attack is the best form of defense. “You don’t sit and look at dashboards, and compliance won’t solve a problem.”
At the same time, Olivier urges CISOs to familiarise themselves with all the laws associated with cybersecurity, particularly the South African Cybercrimes Act which makes cyber breaches – or even unknowingly enabling them – a real crime that can result in jail sentences.