In this article, we will address creating a cyber security culture within the organisation, how leaders can balance security and innovation, and much more.
How do you articulate the three-pronged approach of ‘people, processes and technology’?
People, processes and technology are the three important components of Security Operation Centers; if you lose one, the other two will fall automatically. A breakdown in any of the three core components will result in compliance failure; therefore, it is absolutely necessary to ensure that these three components are well informed and aligned with the organisational security strategy. At Fujitsu, we focus on sustainable implementation of these components, which is complex, but should be the main goal of Cyber Security leaders.
How do you convey to the Customer the message that, with regard to cybersecurity, you can minimise the risk but you are never going to be 100 percent secure?
A well-informed and decisive customer or board will always understand that it is all about risk management, and there is no such thing as 100% secure. I constantly point out in my discussions with customers that our goal is to protect our customers from mass cyber-attacks or specific targeted attacks, but we cannot guarantee protection from every targeted cyber-attack, especially zero-day cyber-attacks. For missed targeted cyber-attacks, we have security incident response or cyber threat hunting capabilities. But, in the end, it is just like a Whack-a-mole game, and suffering from a cyber security incident is not about if, but when. We have already heard multiple times about multi-billion dollar companies or national agencies suffering from security incidents, despite having the latest technology, the most skilled people and access to the highest grade of cyber threat intelligence. This already shows there is no such thing as “100% secure”, even for companies or agencies that have greater focus and bigger budgets for cyber security.
At Fujitsu, our cyber security strategy uses a multi-layer cyber security protection approach, combining capabilities such as security incident response, cyber threat hunting, digital forensic analysis, etc. With a multi-layer protection approach we try to stop as many cyber-attacks as possible, but with advanced capabilities such as threat hunting, we try to remediate undetected threats.
When we talk about 100% security, we should also consider its impact on user experience and associated cost. For example, if we change the company password policy to use 16-character strong passwords (a combination of uppercase, lowercase, number and 3 special characters), with a 30-day expiry and a no re-use policy for the last 24 passwords, this would certainly strengthen the security posture, but would impact user experience and result in extra cost because of the handling of more password reset requests. Therefore, when we talk about security, we should always look at a balanced triangle of user experience, cost and security, and should consider risk management instead of foolproof security.
Almost everybody agrees that organisations need a culture of security. How can security leaders help facilitate that type of culture?
According to CSO, “Phishing attacks account for more than 80% of reported security incidents” & “94% of malware is delivered via email”.
As we all know very well, the human factor is the weakest link in the entire security chain, and in overcoming this the security function in an organisation has a significant role to play, but the responsibility for safeguarding an organisation and its data lies with everyone in the organisation, from employees to executives, including temporary employees and contractors. Creating an effective cyber security culture in an organisation takes a lot of innovation and courage and cannot be achieved merely via annual web-based training. In order to influence people’s behaviour, a mixed set of innovative measures should be taken, such as regular reminders, dry runs, short comedy visuals, awareness programs, awarding people for cyber hygiene, etc. It is all about grabbing people’s attention and influencing their hearts and minds. Many major security breaches I have handled started from a misstep by one person; therefore, it is important to make sure each and every one in the organisation is aware of the consequences of their missteps.
What are the biggest challenges you face in the year ahead?
There are many known or unknown challenges we will face in the coming year; the following are the ones which I predict based on my current role at Fujitsu:
How can leaders balance security and innovation?
If we look at the innovation landscape in just the last few years, i.e. autonomous cars, virtual reality glasses, foldable screens, 3D printers, air taxis, 5G network, etc., we will realise that another big industrial revolution has already started, and at this moment we are in the middle of it, which will fundamentally change everything from the way we live to the way we work. When we talk about such innovations, we also talk about risks associated with these innovations, such as risk of accident with autonomous cars, risk of social disconnect with virtual reality glasses, medical risks with 5G networks, etc. In a similar way, we should consider innovation and cyber security together, just like two sides of a coin.
At Fujitsu, innovation is at the centre of everything, but because of being a mature company with 84 years’ experience, we continuously measure risks while fostering innovation. In general, there are two types of innovation. The first is corporate innovation, which focuses on capturing market opportunities or improving operational excellence, and the second is security solutions innovation, which focuses on capturing new capabilities or the ability to do more with less. Corporate innovation should be promoted in order to maintain a stronghold in the market, but when we talk about security solutions innovation, we should always ask: will this innovation help me in doing more with the same amount of people, or will this innovation provide us a capability where we are not already covered by any other solutions? Nevertheless, whenever we talk about corporate innovation or security solution innovation, the responsibility of the cyber security leader is to provide fundamental building blocks, which have clear documented guidelines, policies and procedures, and then innovation can be fostered upon that.
How important is information sharing within the sector to keep abreast of new threats and cybersecurity best practices?
Quote from Helen Keller, “Alone we can do so little, together we can do so much.”
Initially, SOCs used to be tools-driven, using a multi-layer tool approach, i.e. SIEM, IDS/IPS, FW, AV, etc. They were completely centralised and closed in nature, merely working based on the information available in the organisation. Later on, they realised the value of collaboration and information sharing, and then the term “Cyber Threat Intelligence” was coined. With “Cyber Threat Intelligence”, SOCs moved from reactive to proactive and became intelligence-driven SOCs. Now various SOCs around the world utilise collected information through various public or private feeds in order to block a potential cyber-attack proactively.
One classic example of the benefit of “Cyber Threat Intelligence” is the attack by the “Lazarus group”, which has targeted banks all over the world. “Lazarus group” was infamous for using the same tactics, techniques and procedures, such as using the same tools in order to launch phishing, DDoS and vulnerability exploits. This collected information was shared with all the banks proactively, and the banks that were fast enough in utilising the shared information were able to protect themselves. Other banks that did not utilise the shared information suffered the fate of a security breach and loss of a huge chunk of money. We can always work and come together like the military and sharpen our skills, just like how the military conduct joint service and multinational exercises in order to increase their skills and improve the ability to work collaboratively in a dynamic operational environment.
One thing that we all need to remember is that Cyber Threat Intelligence is not like plug-n-play; there is a massive amount of information available, which has been shared by thousands or millions of feeds. This collected information will need to be filtered first before getting passed for internal usage and getting used for finding suspicious activity within the network.
The cyber threat landscape is evolving every day. Now we are doing more innovations than ever, and Cyber Security solutions have evolved into much more effective and efficient solutions than ever. But with that, we have also seen many more breaches than ever, companies have lost much more money in security breaches or compliance issues than ever, etc. This means we have had various different challenges in the past, and we will have challenges in the future. Maybe the scale or dimension of the challenges will change, but with that our response should also change.
Cyber Security is a continuously evolving domain, and as Cyber Security leaders, we are and will continue to be challenged to understand the bits and bytes of technology, while at the same time also being expected to understand the goals of the business.
Do not hesitate to reach out if you want further contact with me.
Originally published on cyberstartupobservatory.com
Himanshu Chaudhary is currently Head of Security Operation Center 4 at Fujitsu. He is a Cyber Security expert who is passionate about everything surrounding Cyber Security, Innovation, Technology, and Business Development. Himanshu comes with 8 years of technical and team development experience. In his current role as Head of Security Operation Center 4 at Fujitsu, he is responsible for developing & managing Cyber Threat Analysis, Cyber Threat Hunting, Cyber Threat Intelligence and Security Incident Response MSSP service for Fujitsu CEE region customers.
In his career, Himanshu has worked with many leading businesses, coming from a wide range of industries, such as Automotive, Airlines, Banking, Ecommerce, Health, Information Technology, Insurance, Telecommunication, etc. During this time, Himanshu has worked on many domains, such as Penetration Testing/Vulnerability Assessment, Reverse Engineering, Cloud Security, Cyber Threat Analysis/Hunting/Intelligence, etc.
Himanshu holds a Bachelor’s degree in Computer Science, a Master’s degree in Computer Security, and a wide range of professional certifications, such as OSCP, CEH, OCP and OCA.
Himanshu is also active in expanding and sharing his knowledge via various channels, such as attending or speaking at Conferences, visiting Universities as Guest Lecturer, writing blogs, etc. To invite me as a Speaker at your conference, please reach out to me directly via LinkedIn.