As a cybersecurity expert who has worked with many companies and governments globally over the years, how do you define the state of affairs in cybersecurity?
Michael Stokes: The issues organisations face are similar regardless of geography. The specific types of attacks may differ, but, generally, everyone agrees on the problems. However, the paths to the solutions are not as defined. I am seeing an increase in security operations centres (SOCs) and corporate security policies, but overarching strategies geared to address the complete set of cybersecurity issues are still being crafted.
What do you think is the main issue facing those tasked with cybersecurity?
The threat is asymmetrical. The attacker only has to be right once, but the defenders must be right every time. Today’s ‘cyber-warriors’ need to be able to focus on the complex attacks that can do a lot of damage.
How should organisations prepare for cyberattacks?
The old strategy of keeping the enemy out will no longer work. More dynamic strategies need to be adopted so that a normal standard operating process expects the enemy inside.
What approaches should be taken?
The answer needs to be based on a plan for the organisation to get to cyber-resilience, as this is key when working with cybersecurity in this day and age. Many organisations use point training solutions, but it is more important to improve the organisation’s maturity when it comes to cybersecurity.
How does certification impact on how an organisation creates a cyber-policy?
Certification is the start of an effective cyber-policy. Just like a college degree, it demonstrates a solid understanding of the domain. However, it doesn’t always mean that the individual is capable of defending against all attacks. Also, like a recruit fresh from boot camp, he or she knows the concept of fighting, but needs to drill constantly in order to be able to perform under pressure when lives and, in the case of corporate security, money and information are on the line.
Training seems to be paramount to cyber-defence. What type of training is needed?
Firstly, establish a baseline of the basics so everyone in the organisation is speaking the same language. Then, you need constantly updated ‘live-fire’ training that puts individuals and teams in realistic attack scenarios based on what is happening in other organisations. You also need to be able to perform virtual check rides instead of exams, so the people on the front line have demonstrated their capability.
We hear a lot about the advanced persistent threat (APT). How real is this threat?
The threat is real, but most cyberattacks use already understood and documented methods. I’ve been to cybersecurity trade shows where the access points were unsecured and IT security experts were sending their passwords in plain text. Everyone is so worried about this intricate, highly specialised attack that they forget to close and lock the back door.
We need to make sure that the cost to attack is getting more expensive and the cost to defend is getting less expensive. The APT is real, but most of the damage being done is mundane, and exploits simple-to-fix holes in corporate defences.
What can a leader in an organisation do right now to address the threat?
Pick a model that has a proven track record and begin to honestly assess the capabilities in the organisation. The path to cyber-resilience is just that: a path that has prescriptive and measurable tactics, which are built around basic concepts that have also proven consistently successful, for example live-fire training, team-based security roles and content based on current cyberattacks.