Kathy Gibson reports – Artificial intelligence (AI), security and governance are all critical if digital transformation is to succeed.

But sometimes technology leaders frame the cybersecurity conversation in a way that doesn’t resonate with boardroom decision-makers – and so the topic is sidelined.

This is the word from Grant Hughes, chief information security officer of GVW Group, founder and president of the ISC2 Cape Town Chapter, who says technology professionals need to understand the importance of cybersecurity to the business – and make that the basis of the conversation.

“We often fail to connect the dots between what we do and what is important to the businesses we serve,” he tells delegates to the SNG Grant Thornton Cybersecurity Summit in Sandton today. “It is only when we have complete conversations that we win over the business.”

The frequency and impact of breaches are on the rise, and so we need to rethink the way we do cybersecurity, Hughes adds.

“I have seen a disconnect between the effort and investment on one side, and the results on the other. You’d think if you put in the investment and effort you would be more successful.”

He believes there are several reasons for this, chief among them the preponderance of tools and software, where security teams spend their time managing the tools and sometimes miss the breaches.

And then, where we are picking up breaches, we often fail on recovery, Hughes says.

Meanwhile, the decentralised network, with ever-increasing levels of complexity, also challenges security teams.

And sometimes our approach is flawed, he adds.

“Security theatre makes people feel more secure without doing anything to improve security – there is the illusion of security.”

Examples of security theatre, he says, include vendor security assessment reports, and VM scans that are never followed by remediation.

The other approach is compliance, which does have the potential to make us more secure. “But it needs to be done correctly. What is the scope? Are we maintaining it regularly?”

What Hughes calls real security are the things that actually make companies more secure. These include adversary simulation, configuration and VM, firewall configuration and rule reviews, and focused training.

There are challenges, though.

Lack of leadership support is the first and most important, with some security teams still battling with scepticism from company executives.

Failure to align with business objectives is a critical mistake that security leaders make. “It is difficult for companies to part with money if the purpose is not clear,” Hughes says. “So we need to ensure that we align with the business objectives.”

This ties into a shortcoming of many cybersecurity strategies: neglecting the human element. This extends beyond end users to vendors, customers and support staff. “You have to factor in everyone, segment them according to risk, and provide them with the correct training,” Hughes explains.

An over-reliance on technology is a common pitfall, he adds. “Technology adds a lot of value – but it is only one layer. Companies expect that a technology investment will solve the problem, but you still need to focus on people and processes or it won’t work.”

Importantly, organisations need to make provision for the possibility that a breach will occur. A lack of incident readiness means that we don’t know how to respond in the event of an incident happening.

And organisations cannot focus only on their own systems. Neglecting supply chain or third-party risk can be fatal. “We see consistently that when a supplier is breached, the customer that is affected is the one that makes it into the headlines,” Hughes points out.

Organisations need to shift their posture from cybersecurity to resilience.

“The approach we take influences the questions we ask,” Hughes points out. “When we talk about security, we ask if the organisation can be breached; when we talk about resilience we talk about how we can recover from a hack.

“The questions we ask will drive the strategy, and when it’s balanced we spread investment across all the right pillars.”

He says cyber resilience is built on the foundations of governance, risk and compliance (GRC) and an understanding of the active risk profile.

Hughes describes the six pillars of cyber resilience as follows:

  • Embed security in the design;
  • Prioritise basic security controls;
  • Strengthen the human firewall;
  • Focus on readiness and incident response;
  • Secure the supply chain and vendor ecosystem; and
  • Implement continuous independent assurance.

On the topic of cybersecurity, AI is a subject that needs to be aired, Hughes adds.

“AI is a conundrum, with plenty of benefits and risks. Organisations have to find a way to negotiate them.”

He points out that AI brings technology risk that must be guarded against, but the threat also includes the danger of flawed algorithms within organisations that could expose data.

At the same time, cultural resistance is a big issue, with people concerned about their jobs.

The expanded threat surface is the big issue, with bad actors using AI to create new and better tools.

Hughes adds, however, that even when AI is used to create threats, the threats themselves are still the same.

“We need to ensure malicious code cannot execute or exfiltrate data. The things we do to mitigate these threats are largely the same. The point is that not all AI risks are new risks, but rebranded ones.”

For organisations, the solution is not to simply block access to AI, as this could make the problem worse, Hughes says.

“Whatever policy you implement, think about the unintended consequences that could result.”

He recommends that companies adopt an emerging technology adoption framework. “This must always start with a governance and oversight layer, with a group of people leading the new technology into the company.”

This must be followed by user awareness, training and change management.

The third step is to implement security safeguards, with policies like DLP and access control.

“Industry thought leadership and engagement means organisations don’t have to try to solve everything on their own,” Hughes says.

“And, finally, we need to think about incident management and how we respond to individual issues that come up.”