In this article, we will address creating a cyber security culture within the organisation, how leaders can balance security and innovation, and much more.
The New Cyber Security Leader: The Role
How do you articulate the three-pronged approach of ‘people, processes and technology’?
People, processes and technology are the three important components of Security Operation Centers; if you lose one, the other two will fall automatically. A breakdown in any of the three core components will result in compliance failure; therefore it is absolutely necessary to ensure that these three components are well informed and aligned with the organisational security strategy. At Fujitsu, we focus on sustainable implementation of these components, which is complex, but should be the main goal of Cyber Security leaders.
- People: My primary focus lies in enabling people to meet their goals and business requirements, where enablement refers to providing them with the required tools, a supportive platform and room for failure. Failing is not a problem, but not correcting your mistake and trying again is a problem. Providing the required tools refers not only to processes or technology, but also to knowledge. Security leaders should always focus on providing enough training and other knowledge building opportunities, by which it can be assured that people are not the weakest link in the security defences, as is often the case.
- Processes: One thing I have learned in my professional experience is that successful processes are not the best looking or complex ones, but the simple ones. Despite the ever-increasing complexity and dynamics in organisations, security leaders should always focus on developing easy-to-understand and easy-to-implement processes. With easy-to-understand and easy-to-implement processes, people will not waste crucial time in pulling up and understanding the process during critical times, and there will be a lower probability of any compliance failure. From my perspective, good processes are the ones that naturally arise from clear thinking and are easy to manage.
- Technology: Investing in technology helps in mitigating and defending against known or unknown threats and should be promoted in order to capture new market opportunities, improve operational excellence and acquire the ability to do more with less. Though it is important to remember that technology is just one component, which could potentially be bypassed by people, we should also remember that technology is a crucial component that plays a main role in people enablement.
The Relationship with the Board (Customer)
How do you convey to the Customer the message that, with regard to cybersecurity, you can minimise the risk but you are never going to be 100 percent secure?
A well-informed and decisive customer or board will always understand that it is all about risk management, and there is no such thing as 100% secure. I constantly mention in my discussions with customers that our goal is to protect our customers from mass cyber-attacks or specific targeted attacks, but we cannot guarantee protection from every targeted cyber-attack, especially zero-day cyber-attacks. For missed targeted cyber-attacks we have security incident response or cyber threat hunting capabilities. But, in the end, it is just like a Whack-a-mole game, and suffering from a cyber security incident is not about if, but when. We have already heard multiple times about multi-billion dollar companies or national agencies suffering from security incidents, despite having the latest technology, the most skilled people and access to the highest grade of cyber threat intelligence. This already shows there is no such thing as “100% secure”, even for companies or agencies that have greater focus and bigger budgets for cyber security.
At Fujitsu, our cyber security strategy uses a multi-layer cyber security protection approach, combining capabilities such as security incident response, cyber threat hunting, digital forensic analysis, etc. With a multi-layer protection approach we try to stop as many cyber-attacks as possible, but with advanced capabilities such as threat hunting, we try to remediate undetected threats.
When we talk about 100% security, we should also consider its impact on user experience and associated cost. For example, if we change the company password policy to use 16 character strong passwords (combination of uppercase, lowercase, number and 3 special characters), with a 30 day expiry and a no re-use policy for the last 24 passwords, this would certainly strengthen the security posture, but would impact user experience and result in extra cost because of the handling of more password reset requests. Therefore, when we talk about security, we should always look at a balanced triangle of user experience, cost and security, and should consider risk management instead of foolproof security.
Creating a Cyber Security Culture Within the Organisation
Almost everybody agrees that organisations need a culture of security. How can security leaders help facilitate that type of culture?
According to CSO, “Phishing attacks account for more than 80% of reported security incidents” & “94% of malware is delivered via email”.
As we all know very well, the human factor is the weakest link in the entire security chain, and in overcoming this the security function in an organisation has a significant role to play, but the responsibility for safeguarding an organisation and its data lies with everyone in the organisation, from employees to executives, including temporary employees and contractors. Creating an effective cyber security culture in an organisation takes a lot of innovation and courage and cannot be achieved merely via annual web-based training. In order to influence people’s behaviour a mixed set of innovative measures should be taken, such as regular reminders, dry runs, short comedy visuals, awareness programs, awarding people for cyber hygiene, etc. It is all about grabbing people’s attention and influencing their hearts and minds. Many major security breaches I have handled started from a misstep by one person; therefore it is important to make sure each and every one in the organisation is aware of the consequences of their missteps.
Threat Landscape and the Biggest Challenges
What are the biggest challenges you face in the year ahead?
There are many known or unknown challenges we will face in the coming year; the following are the ones which I predict based on my current role at Fujitsu:
- Global Cyber Skills Shortage: Various reports have estimated that next year there will be a global cyber skills shortage of 3.5 million. This figure is about existing or upcoming vacancies, but when I look at existing cyber security professionals, I still encounter many of them with no deep understanding of cyber security or who have never hacked a single machine legally or illegally in their career. Cyber attackers think and operate in a certain way, and if we do not understand that, how can we protect our assets from them? In order to overcome such problems, new approaches must be considered, and the government, academia, institutions, businesses, etc. all have their role to play.
- Cloud – Unknown Threat Landscape: According to Forbes, 83% of enterprise workloads will move to the cloud by the year 2020. Adoption of cloud services is growing multi-fold, and in 2020, it will not be any different. Cyber security leaders will need to get a grip on the Cloud threat landscape, and despite the many operational, business and commercial benefits, they will need to understand the risks to their businesses. The speed and momentum of cloud services adoption have created various concerns for cyber security leaders around container security, cloud storage, cloud sharing applications, identity theft, vulnerability management, etc.
- Security Tools & Controls Usage: Many organisations already have various integrated security solutions or features, which they are failing to understand and take better advantage of. A greater understanding of these solutions is needed in order to make smarter investment decisions.
- AI Security: According to studies, 2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems. AI models are insecure and vulnerable to attacks, for example, an AI learning to recognise cats could be tricked into believing that an image of a dog was also a cat, an exploit that could later be leveraged. It is also possible to extract parts of an AI model, leading to intellectual property theft, as well as the ability to craft “adversarial” AI that could manipulate the intended model.
- Automation: It allows an organisation to collect data about security threats from multiple sources and respond to low-level security events without human assistance. At a granular level, the correct adoption of automation will help organisations map and really understand how to improve their business processes. By making correct use of their technology stack and associated APIs, early adopters will get faster and enhanced reporting and will improve their security posture through the reduction of Mean Time To Respond (MTTR) to threats that could impact their reputation, operations and bottom line.
Balance Between Innovation and Cyber Security
How can leaders balance security and innovation?
If we look at the innovation landscape in just the last few years, i.e. autonomous cars, virtual reality glasses, foldable screens, 3D printers, air taxis, 5G network, etc., we will realise that another big industrial revolution has already started, and at this moment we are in the middle of it, which will fundamentally change everything from the way we live to the way we work. When we talk about such innovations, we also talk about risks associated with these innovations, such as risk of accident with autonomous cars, risk of social disconnect with virtual reality glasses, medical risks with 5G networks, etc. In a similar way, we should consider innovation and cyber security together, just like two sides of a coin.
At Fujitsu, innovation is at the centre of everything, but because of being a mature company with 84 years’ experience, we continuously measure risks while fostering innovation. In general, there are two types of innovation. The first is corporate innovation, which focuses on capturing market opportunities or improving operational excellence, and the second is security solutions innovation, which focuses on capturing new capabilities or the ability to do more with less. Corporate innovation should be promoted in order to maintain a stronghold in the market, but when we talk about security solutions innovation, we should always ask, will this innovation help me in doing more with the same amount of people or will this innovation provide us a capability where we are not already covered by any other solutions? Nevertheless, whenever we talk about corporate innovation or security solution innovation, the responsibility of the cyber security leader is to provide fundamental building blocks, which have clear documented guidelines, policies and procedures, and then innovation can be fostered upon that.
The Need for Collaboration Within and Outside the Organisation
How important is information sharing within the sector to keep abreast of new threats and cybersecurity best practices?
Quote from Helen Keller, “Alone we can do so little, together we can do so much.”
Initially SOCs used to be tools-driven, using a multi-layer tool approach, i.e. SIEM, IDS/IPS, FW, AV, etc. They were completely centralised and closed in nature, merely working based on the information available in the organisation. Later on, they realised the value of collaboration and information sharing, and then the term “Cyber Threat Intelligence” was coined. With “Cyber Threat Intelligence”, SOCs moved from reactive to proactive and became intelligence-driven SOCs. Now various SOCs around the world utilise collected information through various public or private feeds in order to block a potential cyber-attack proactively.
One classic example of the benefit of “Cyber Threat Intelligence” is the attack by the “Lazarus group”, which has targeted banks all over the world. “Lazarus group” was infamous for using the same tactics, techniques and procedures, such as using the same tools in order to launch phishing, DDoS and vulnerability exploits. This collected information was shared with all the banks proactively, and the banks that were fast enough in utilising the shared information were able to protect themselves. Other banks that did not utilise the shared information suffered the fate of a security breach and loss of a huge chunk of money. We can always work and come together like the military and sharpen our skills, just like how the military conduct joint service and multinational exercises in order to increase their skills and improve the ability to work collaboratively in a dynamic operational environment.
One thing that we all need to remember is that Cyber Threat Intelligence is not like plug-n-play; there is a massive amount of information available, which has been shared by thousands or millions of feeds. This collected information will need to be filtered first before getting passed for internal usage and getting used for finding suspicious activity within the network.
The cyber threat landscape is evolving every day. Now we are doing more innovations than ever, and Cyber Security solutions have evolved into much more effective and efficient solutions than ever. But with that, we have also seen many more breaches than ever, companies have lost much more money in security breaches or compliance issues than ever, etc. This means we have had various different challenges in the past, and we will have challenges in future. Maybe the scale or dimension of challenges will change, but with that our response should also change.
Cyber Security is a continuously evolving domain, and as Cyber Security leaders, we are and will continue to be challenged to understand the bits and bytes of technology, while at the same time also expected to understand the goals of the business.
Do not hesitate to reach out if you want further contact with me.
Originally published on cyberstartupobservatory.com
Himanshu Chaudhary is currently Head of Security Operation Center 4 at Fujitsu. He is a Cyber Security expert who is passionate about everything surrounding Cyber Security, Innovation, Technology, and Business Development. Himanshu comes with 8 years of technical and team development experience, where in his current role as Head of Security Operation Center 4 at Fujitsu, he is responsible for developing & managing Cyber Threat Analysis, Cyber Threat Hunting, Cyber Threat Intelligence and Security Incident Response MSSP service for Fujitsu CEE region customers.
In his career, Himanshu has worked with many leading businesses, coming from a wide range of industries, such as Automotive, Airlines, Banking, Ecommerce, Health, Information Technology, Insurance, Telecommunication, etc. During this time, Himanshu has worked on many domains, such as Penetration Testing/Vulnerability Assessment, Reverse Engineering, Cloud Security, Cyber Threat Analysis/Hunting/Intelligence, etc.
Himanshu holds a Bachelor’s degree in Computer Science, a Master’s degree in Computer Security, and a wide range of professional certifications, such as OSCP, CEH, OCP and OCA.
Himanshu is also active in expanding and sharing his knowledge via various channels, such as attending or speaking at Conferences, visiting Universities as Guest Lecturer, writing blogs, etc. To invite me as a Speaker at your conference please reach out to me directly via LinkedIn.