What is the responsibility of leaders in digital protection and responding to cybersecurity incidents?

This article first appeared in L'Echo. We happily quote it below for our blog readers. 

The race towards digital transformation at all costs creates a blind spot for digital protection projects. Yet, these projects will need to get equal attention from executives and functional managers.

A few days ago, another hospital was paralysed by a cybercriminal attack. Are we doomed to suffer these countless attacks or is it possible to get out of this ever-recurring black streak? The question should rather be:  what should be done to prevent these avoidable incidents? Should the focus be on other actors and not necessarily where we are used to pointing?

The eyes turn directly to digital technicians, IT specialists or technical experts in cyber security. Most hospitals and other companies hire such experts internally or ask for an external service to solve their security problems.

Digital security does not seem to be ordered like a pizza delivery or a photocopier. Ordered, paid for, delivered and on Monday morning the problem is solved! Well, no, it is necessary to create layers of protection, one on top of the other to achieve several security perimeters that are more difficult to cross.

But before we do that, let's see who the most relevant actors are in this war, which is what it's all about. Let's take the bull by the horns and examine, one by one, the direct or indirect failures and the people responsible who 'open' the doors to cyber attackers

The executive committee

Good Corporate Governance requires broad visibility of the most serious risks, however, management committees are most often composed of lawyers, compliance experts and financiers. Such a cast is rarely motivated to ask questions in areas where they prefer to maintain a certain modesty, if not actual ignorance. I quickly reassure readers that such fear is no longer justified. It is enough to ask three simple questions that are understandable to the average manager:

2. "What is our risk visibility and what important risks have we not yet tried to mitigate? ” No, it is not the leaders who must investigate these questions and find the answers, but they cannot ignore this need and must demand to have a view on the matter. An operational financial risk, or simply a lack of protection, an increased vulnerability, or a pressing threat, In absolute terms, experts specialising in risk analysis are no longer impossible to find.
3. "Who is in charge of information security and have we recently heard their grievances and requests for additional protections? ” It is not uncommon for such information to be passed from hand to hand until it becomes a game of telephone. The circuit usually goes from a security technician to his or her IT manager, then on to a member of the executive committee who includes it in a page of his or her report and then globalises the discussion, the budgets involved and the responsibility for doing the protection work.
4. "How do you resume normal operations in the aftermath of an incident or crisis? ” In many companies, there is no link between the security of buildings, customers, employees, and IT security. There is no single emergency number (such as a helpdesk) and if there is a problem, you must call someone who knows someone competent, hoping that they will be willing to help, or sometimes it is the IT manager who will have to deal with it.
   
   

Management committees are most often composed of lawyers, compliance experts and financiers. It is rare that such a cast is motivated to ask questions concerning cybersecurity.

How can we get top management more involved in cybersecurity decisions, when they are traditionally the responsibility of the IT department?

These three questions form, in my view, the basis of a key exercise that companies will need to carry out to improve the responsibility of a management committee to be effectively involved in increasing the maturity of the defences in place. Readers can find more details on the maturity levels in this area of cybersecure.be to compare with their own.

The management committee and general management.

How can we get top management more involved in cybersecurity decisions, when they are traditionally the responsibility of the IT department? Or the information security team, risk managers, auditors, external advisors or even the federal police?

Ever since the concept of "technical" IT security or "functional" information security was first introduced, i.e., when the world was awakened to this problem in 1983, with the film "War Games", there has been a struggle to divide the roles. Since then, several good practice standards, OECD recommendations, and IT governance principles, which I helped to draft in 1998, keep hammering home the point: each functional manager should lead and be ultimately responsible for the security of his or her operations, products, and services, as well as the resources made available to them.

But how can this manager ensure digital security without sufficient skills in this area? I would answer that not all of these managers are locksmiths, plumbers or electricians and yet they ensure the security of flows, circuits and doors every day. If necessary, they will call in a specialist at the appropriate time.

At present, it is rare for the head of a key department to have a manual for dealing with a crisis or serious incident. They may not have lists of what can go wrong, and yet, one only has to browse the eternal list of incidents (e.g., konbriefing.com) which lists at least 3 attacks on European hospitals in ten days). Or take the annual report of the European agency, ENISA, listing the most frequent cyber threats with a total of over 99,000 incidents in 2022.

These threats and the incidents that follow, deserve to be addressed by the management committee, which should get all its members to identify what can go wrong and what can be done to prevent it, rather than going blindfolded towards a certain sentence inflicted by an unknown person acting from behind a keyboard in a place on earth that will probably never be identified.

And before we dive headlong into deciphering the technical plans of the digital environment, let's start with the basics and simply analyse: what vital data could create an incident if it is corrupted or leaked and what threats or unauthorized access will be involved? And most importantly, how can such an action be detected, prevented and corrected?

Similarly, in identifying manual or automated operations, which activity should not be interrupted? And if it is, how to detect, avoid and correct such an action?

At present, it is rare for the head of a key department to have a manual for dealing with a crisis or serious incident. They may not have lists of what can go wrong.

Functional managers will need to make informed plans to improve the security of their operations. By identifying the critical elements of their organisations, they will be able to identify risks and initiate protection projects.

Hoping that protection will come in the form of global regulation, some IT tool or device, or a carefully written and archived procedure, like many others, is a trap that functional and senior management often falls into. You have to start by putting your own house in order and starting with a good knowledge of your valuable assets and the risks threatening them.

IT managers

They will have to be the guardians of the company's digital temple and will need to ensure on a daily basis that the overall architecture, including computing devices, hardware, software, cloud assets and data are properly safeguarded. Responsible management is required, with structuring, maintenance and lifecycle monitoring activities to ensure that the business environment is easier to manage, protect and less costly to upgrade and evolve. Many companies do not have architectural specialists; And worse, they do not have architectural management methods. The result is a heterogeneous mix of technologies that are not necessarily compatible. These flaws are a breeding ground for cybersecurity failures, such flaws, which are often known because they are quite frequent and allow cyber-criminals to develop attacks.

Many companies do not have architectural specialists; and worse, they do not have architectural management methods.

IT managers and digital transformation leaders will need to ensure that a significant part of their new system-build activities incorporate identified digital protection improvement needs. However, it is common to find that in a majority of companies that are not mature in terms of cybersecurity, transformation projects are mostly functional to improve the company's operations and activities rather than to protect them. Sometimes protection projects are not even identified or are not given priority over other more visible projects. It is rare, in my experience, for senior management to be involved in prioritising such projects or even to be aware of them.

Information security officers

Finally, information security managers have an important three-dimensional task, the first, which I call Top-Down, is to manage the four core activities of an Information Security Officer:

-​ Protecting the scope of assets (governance and identification activity)

-​ Measure and plan protections for the risks related to these assets

-​ Implement these improvement projects, and integrate them into the operational flow.

- ​If all this does not work and an incident occurs, ensure that all parties involved are involved in pre-defined plans to respond and recover normal operations.

A weak or missing link is enough to make the attackers' job much easier.

These tasks can only be done effectively in collaboration with the other actors mentioned above.

The second, which I call Bottom-Up, is to assess the status of all, access protection, data security, network protection, user awareness, and others. The ISO 27001 standard that guides the implementation of sound management of security activities lists 93 controls in four categories.

In analysing these controls, in any case, those relevant to data protection and operations should be regularly identified, evaluated, and action plans defined. However, many companies do not have an overview of the quality and status of these various controls. A dashboard should alert senior management to these controls when they result in weak protection that could affect the security of an important asset.

The third dimension corresponds to the tasks of consulting and monitoring ongoing projects, this dimension sometimes occupies the majority of the time of information security professionals. If their team does not have sufficient human resources, this will prevent them from managing the other two dimensions mentioned above.

Conclusion

Each of the actors listed in this article will have to assume their responsibilities in the essential protection chain. A weak or missing link is enough to make the attacker’s job much easier. Many companies are missing several links, which makes them easy prey and vulnerable. The race towards digital transformation at all costs creates a blind spot for digital protection projects. These projects need to be given equal attention by management and functional managers.