With growing executive demand for changes to cybersecurity processes and awareness come inherent challenges for an organization. To set the stage, the NotPetya attacks on the Moeller-Maersk shipping company took them offline for ten days. Jim Hagemann Snabe, the Chairman, describes the heroic effort to get 45,000 PCs and 2,500 servers back up and running (see video), which proves that ransomware attacks, or never-before-seen attacks, can have a tremendous impact on business operations.
This is enough evidence for any executive to move forward with cyber initiatives to protect their business. But before they do, here are some challenges they will most likely run into: change management, shadow IT, technical debt, data enablement and IoT.
(Jim Hagemann Snabe, Chairman of Maersk, at the World Economic Forum)
Information technology is hard. It’s even harder when you are trying to change the behaviors of people who don’t fully understand why the change has to be made. On top of that, people don’t like it when you tell them how to use their phones. They don’t like changing their everyday lives for the sake of IT. Some of the big reasons people don’t want to go along with new security initiatives are a lack of understanding, conflicting initiatives or change fatigue.
Most organizations and employees aren’t equipped to manage and succeed in changing environments. Change fatigue is something most companies have been feeling more recently because of the digital revolution. With IT spend increasing every year, every employee is impacted by the new purchases and new changes.
More often than not, directors and CISOs are focused on implementing the best security practices with the least impact on business operations. That’s where governance can ensure security strategies are aligned with business objectives and consistent with regulations.
Shadow IT buying is nothing new to IT teams, but the reality is that it’s becoming acceptable. How does procurement keep up with people’s expectations when people are used to Amazon-like services, next-day delivery or instant access to servers?
It can’t, and until buying processes change for teams or new processes are put into place, people won’t stop. Directors and managers do not, and should not, blame engineers who want to keep their projects moving, and they certainly don’t want to slow them down. One recommendation is to build a system to document concerns, dictate actions with governance controls and keep a running tab of the current status of devices.
What is technical debt? Technical debt is a concept in software development that reflects the implied cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer.
For organizations, how do teams keep up with new attacks given an inability to manage antiquated platforms and budgetary constraints? The first practical step is to understand which instances are mission critical, which are in use and which are dormant. Another appropriate step is recording the state of devices on an ongoing basis. When it’s time to communicate the risk of dealing with antiquated technology and the reasoning behind a budget request to improve systems, an accurate record of instances can be shown.
Deciding where and when to improve infrastructure is a risk conversation, where business continuity and operational risks are discussed with the CIO and the board.
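As an added illustration of the record-keeping described above (this is not code from the original post): a constructed inventory of hypothetical hosts is classified as mission-critical, in use or dormant as of a reporting date, rolled up into the figures a risk or budget conversation needs, and compared between two dated snapshots. The host names, platform names and end-of-support dates are made up for the example.

```python
from datetime import date, timedelta

AS_OF = date(2024, 5, 10)  # reporting date for this constructed example

# Constructed sample inventory (hypothetical hosts, platforms and dates, not real assets).
# platform_eol is the assumed vendor end-of-support date for that platform.
INVENTORY = [
    {"name": "erp-db-01", "platform": "legacy-os-v1", "platform_eol": date(2020, 1, 14),
     "last_activity": date(2024, 5, 2), "mission_critical": True},
    {"name": "build-07", "platform": "current-os-v3", "platform_eol": date(2027, 4, 1),
     "last_activity": date(2024, 5, 3), "mission_critical": False},
    {"name": "legacy-ftp", "platform": "legacy-os-v1", "platform_eol": date(2020, 1, 14),
     "last_activity": date(2023, 11, 20), "mission_critical": False},
    {"name": "hr-app-02", "platform": "current-os-v3", "platform_eol": date(2027, 4, 1),
     "last_activity": date(2023, 9, 1), "mission_critical": True},
]

def classify(inst, as_of, dormant_after=timedelta(days=90)):
    """Bucket one instance as mission-critical, in-use or dormant as of a given date."""
    if inst["mission_critical"]:
        return "mission-critical"
    return "dormant" if as_of - inst["last_activity"] > dormant_after else "in-use"

def risk_summary(inventory, as_of, dormant_after=timedelta(days=90)):
    """Roll the inventory up into the figures a budget/risk conversation needs."""
    out = {"mission-critical": 0, "in-use": 0, "dormant": 0,
           "unsupported": [], "critical_on_unsupported": [], "critical_but_idle": []}
    for inst in inventory:
        status = classify(inst, as_of, dormant_after)
        out[status] += 1
        if inst["platform_eol"] < as_of:  # platform is past vendor support
            out["unsupported"].append(inst["name"])
            if status == "mission-critical":
                out["critical_on_unsupported"].append(inst["name"])
        # A mission-critical tag with no recent activity means the record and reality
        # disagree; flag it for review instead of silently trusting the tag.
        if status == "mission-critical" and as_of - inst["last_activity"] > dormant_after:
            out["critical_but_idle"].append(inst["name"])
    return out

def snapshot_diff(previous, current):
    """Compare two dated inventory records: what appeared, vanished or changed platform."""
    prev = {i["name"]: i for i in previous}
    curr = {i["name"]: i for i in current}
    return {"added": sorted(set(curr) - set(prev)),
            "removed": sorted(set(prev) - set(curr)),
            "platform_changed": sorted(n for n in set(prev) & set(curr)
                                       if prev[n]["platform"] != curr[n]["platform"])}

if __name__ == "__main__":
    print(risk_summary(INVENTORY, AS_OF))
```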
Data Enablement & IoT
There is so much to be said about IoT security and access to data that we will just leave guidance for those venturing into the space. As Mia Boom-Ibes of Allstate stated in a previous panel, "We need to enable businesses to move. Move with the speed of agile development and enable the necessary skills our people need." Remember, enablement and access have to be managed. But at the end of the day, the biggest brand gets the most press when a breach occurs.
Things to consider when developing an IoT Security Strategy:
- Where does the risk reside in the technology stack?
- How are you protecting yourself or ensuring security best practices at each technology provider?
- Are you working closely with your hardware manufacturer to address hardware security concerns?
- Are you using secure protocols to transmit data?
- Does your data engine solution encrypt data?
Here are some opportunities for improvement:
- Build your network.
- Build relationships internally to build security champions.
- Discover what’s out there: what’s critical, and how do you handle it safely?
- Launch educational efforts and communicate.
- Take a risk-based approach: prioritize efforts.