Managing Cybersecurity from Risk to Responsiveness and Resiliency
Synopsis of Presentation
Cybersecurity is critical for all organizations, regardless of size or industry. In today's interconnected world, cyber threats constantly attack businesses. A successful cyberattack can devastate an organization, leading to financial losses, reputational damage, and even legal liability.
The traditional approach to cybersecurity has been to focus on risk mitigation. This involves identifying and assessing the risks to an organization's information assets and implementing controls to reduce those risks. However, this approach is no longer sufficient. Cyber threats are constantly evolving, and it is impossible to mitigate all risks.
A more effective approach to cybersecurity is to focus on responsiveness and resilience. This means being prepared to respond quickly and effectively to a cyberattack and recover quickly. By focusing on responsiveness and resilience, organizations can reduce the impact of a cyberattack and protect their critical assets.
This is a summary of the presentation by Kang Meng Chow, Director, Averitus Pte. Ltd., at the Meet-the-Expert Webinar on 9 February 2023.
Meet-the-Expert Webinar 9 Feb 2023
The presentation's theme is "Managing Cybersecurity from Risk to Responsiveness and Resiliency."
Cyber Resilience in the Face of Evolving Challenges
The discussion on cyber resilience explores the evolution of cybersecurity from a risk-based perspective to a focus on responsiveness and resilience. It began years ago when the term "cybersecurity" was not commonly used, and the speaker was working at JP Morgan Chase. This journey led to the development of responsive security, culminating in publications in 2013 and a Chinese version in 2018.
The traditional approach to cybersecurity emphasises that security is only as strong as the weakest link, prompting layered defences across the OSI seven-layer architecture. These layers encompass physical security, data protection, and more. However, this approach increases complexity, introduces uncertainty, and leads to the emergence of unforeseen vulnerabilities.
Risk management is crucial in cybersecurity, involving identifying, assessing, and prioritising risks. Organisations aim to move risks from unacceptable to acceptable states. Still, residual risks persist, and risk assessments can be subjective, influenced by individuals' experiences and biases. Undisclosed vulnerabilities, system complexity, and unforeseen interactions further complicate risk management, making organisations vulnerable to unexpected "Black Swan" events.
Navigating the Evolving Threat Landscape: Responsive Cyber Resilience
Cyber resilience is crucial in today's rapidly evolving threat landscape. Traditional approaches to cybersecurity, focused on controlling and protecting assets, are no longer sufficient. The concept of responsive security is emerging as a key strategy. Responsive security is based on principles and theories emphasising early detection, rapid response, and proactive risk management.
Responsive security recognises that organisations should not rely on prevention alone and must be prepared to respond effectively when security incidents occur. This approach is analogous to the behaviour of piezoelectric materials, where charges realign to create a circuit when pressure is applied, resulting in a response. Similarly, organisations should detect potential failure events early, align their responses with the situation, and minimise potential impacts.
Organisations must foster alignment and coordination among various stakeholders, including IT, security, legal, and business teams, to achieve cyber resilience and responsive security. This involves regular scenario planning, drills, and communication to ensure everyone knows their roles and responsibilities during a security incident. Furthermore, understanding the evolving threat landscape and assessing vulnerabilities is crucial. Vulnerability management and patching should be a top priority, as many attacks exploit known vulnerabilities.
Responsive Security
Cyber resilience is a critical aspect of modern security strategies, and it goes hand in hand with responsive security. In this context, resilience refers to an organisation's capacity to prepare for, respond to, and adapt to various challenges, including incremental changes, complicated situations, disruptions, and even catastrophic events.
To achieve resilience, being responsive is essential. To be responsive, organisations must anticipate potential issues and uncertainties. One practical approach is to identify the failure modes of their systems using methodologies like Failure Mode and Effect Analysis (FMEA). This allows them to proactively detect and address emerging failure events, ensuring preparedness and an adequate response.
In cloud resilience, it's essential to recognise that cloud computing has become the new norm. Rather than building traditional data centres, organisations are encouraged to embrace cloud services. However, when adopting cloud solutions, following established guidance such as the AWS Well-Architected Framework and the Multi-Region Fundamentals framework is crucial.
These frameworks address critical factors like data dependencies and operational readiness, creating robust and resilient cloud systems.
Conclusion
In conclusion, a comprehensive security strategy extends beyond risk assessment. It involves being responsive to potential threats and designing systems with resilience. Organisations can enhance cyber resilience and effectively navigate the ever-evolving landscape of cybersecurity challenges by identifying failure modes, preparing for uncertainty, and following cloud best practices.
David Chin moderated the session.
Find out more about Blended Learning DRP-5000 [BL-DR-5]
Contact us to learn more about our blended learning program and when the next course is scheduled. They are the BL-DR-3 Blended Learning DRP-300 Disaster Recovery Implementer and the BL-DR-5 Blended Learning DRP-5000 Disaster Recovery Expert Implementer.
Please feel free to send us a note at sales.ap@bcm-institute.org if you have any questions.