Thank you The Chief Officer for the thought-provoking interview on pertinent concerns and typical fundamentals that C-level leaders need to address. We hope that this sharing would benefit the community at large.”

Read the article below or go to the original post here

Basics of Cyber security for C-level executives with Ken Soh

What is the current state of cybercrime and its future that c level executives should know and take it on top priority considering it as a profit centre?
The cyber threat landscape has evolved since decades ago from a direct attacking-and-crashing nuisance to today’s sophistication of multi-vector advanced persistent threats (APT). Unfortunately, this “evolution” does not stop. Attack vectors continue to expand in breadth and depth. In breadth, the attacks now target not just IT but also the OT and IoT space. In-depth, they have gone cyber-physical and now even with a mix and match of new vector dimensions such as situation and less-known vulnerabilities in people, process, technologies.

The CoVid-19 related cyber-attacks that we see today is probably something that we could relate well. Such attacks ride on the epidemical situation to entice eyeballs and mouse-clicks. This, coupled with a selected mix of socially engineered or technologically vulnerable possibilities, may create catastrophic damages and fatalities unprecedentedly do-able in the past.

One possible example is the attack on medical PACS and DICOM which is the infra-structure developed more than two decades ago for the transport and storage of medical images such as X-Rays, CT Scans, and MRIs. Taking just the DICOM aspect which is the standard file format for such purpose without any cyber protection consideration in place, if coupled with socially engineered dark intelligence, may be abused by the cybercriminals and ill-intents for varied purposes of abduction, extortion and planned misinformation when the contents of DICOM medical records such as X-Rays and patient information are altered. This, in our opinion, is a serious vulnerability in the global medical landscapes since this unprotected standard is still not well recognized in the cybersecurity technology community, with exposed vulnerability both when in-transit and at-rest.

For readers who wish to understand more about the vulnerability of medical DICOM, we have written a paper on this more than a couple of years ago as per >this link. We welcome comments and sharing such related topics for the benefit of the global community.
In summary, cybercrime activities will become increasingly complex and multi-faceted. This will be fuelled primarily by combinatorial adoption of new attack vectors, new situations and new technologies that are unheard of today. The awareness of such security challenges should not be limited to only CIO, CISO and the rest of C suite, but a multi-level awareness of the rapidly challenging threat landscape in a bid to build a total defense culture that is both self-learning and self-resilient.

There’s an emergent need to go beyond firewalls, anti-hacking systems, and virus scanners. It is time to rethink IT security as a culture and not merely a function. How to start with and implement a security culture within the company.
It is common knowledge that an organization’s culture starts from the number one guy of its structure. His or her leadership style determines the culture of the organization. Some simple examples include: if the leadership style is to manage by fear, a “window-dressing” and finger-pointing culture will be developed; if the leadership style is to manage by hear-say (or in my own term “manage by distant learning”) and is not close to the people, an enterprise-wide gossip culture will develop. These are examples of the toxic cultures that do not bring about productive possibilities, instead, they will impact the development of a positive security culture.

Specifically, under leadership that manages by fear, upward reporting is typically suppressed. This would directly impact cyber incident discovery and reporting. To make matters worse, a line-drawing and finger-pointing culture may also lead to information hiding and blame transfer mindset as far as cyber security-related effort is concerned. For management that distance itself from the people, the organization would risk focusing on the wrong protection strategies since the actual and sincere subject matter experts in the organization may not have the direct channel to feedback the gaps early to pre-empt the unnecessary.

With the above consideration, what hence is the right management style for nurturing a productive cybersecurity culture enterprise-wide?

In my opinion, a servant-leadership approach would be effective to help pave the ground for the nurturing of a sharing culture across different levels in the organization. As people start to understand that cyber incident is no longer a taboo today and the security posture of the organization could only be fulfilled via the collective effort of all, a sharing culture will naturally develop, facilitating strong organization fabric and cohesion for the development of a total defense culture.

Cybersecurity is everyone’s business. However, it is not very clear what are the responsibilities and roles of c level in a highly critical and technologically sophisticated workplace.
As in any functional organization, it is about leadership 101. The buck would ultimately end with the leader. While everybody plays a part in cybersecurity, C level needs to set the stage right, and pave the ground right and not just knowing the right direction to work towards but doing them right.

I would tend to see such leadership in the usual perspectives of people, process and technologies.

On People leadership, it is more about applying the right leadership style so that the right culture will naturally be developed. This aspect has been discussed rather extensively with examples under the earlier section.

On Process leadership, it is important to moderate the focus on certification and compliances and channel equal focus between paper audits and operational security, Is certification the be-all and end-all to protecting our enterprises from cyber-attack? Today, cyber breaches and data leaks continue to make headlines despite stringent audits and well-structured certifications. Well-complied systems are compromised not long after they scored flying colors in audits. Certification and compliances do not equate operational security. What is needed alongside certifications to truly protect our enterprises? Are paper certifications end up an academic pursuit providing business owners a false sense of security? It is important to lead with a well-balanced approach towards security compliances and operational security.

On Technology leadership, it is important for the C suite leadership to look beyond the product and functional innovations but more of keeping abreast of innovations that entail radically differentiated technologies at its fundamental level.

One good example is to look beyond just the detection paradigm. Specifically, most cyber technology fundamentals are still caged in the thought of “detection”. Whether it is AV, multi-AV, machine learning, sandboxing, threat intelligence, most approach today is to apply the most advanced technologies to detect the bad, in order to remove the bad. Unfortunately, most have forgotten the fact that we cannot detect advanced threats in the first place. Even if we are able to detect them now, we can’t later. It is a never-ending pursuit as long as the thought is detection centric. We need to bring ourselves beyond that, we need to focus on eliminating the cause rather than focusing on detecting the effect. We need to focus on the detection-less paradigm and start to preach it to our people and start leading. For that, the thought leadership to educate the people to think outside the box is paramount. People should start to think about how to apply fundamentally differentiated strategies to take care of advanced threats, rather than managing the hygiene challenges. There are many detection-less strategies. For the convenience of this reading, I would cite Content Dis-arm and Reconstruction (CDR) as one of such strategies. It has protected more than 350 CIIs since 2009 with zero incidents. For a reader who is keen to know more, the deeper information is available via >this link.

What are the areas of training, improvement and continuous learning that c level executives must adapt to play a key role in securing organizational assets
Unfortunately, there is no textbook to an effective cyber protection strategy. The cyber threat landscape is a wild jungle out there. It is a highly dynamic and changing environment. With that, we advocate a practitioner’s approach to effectively dealing with the challenge. Any textbook-based approach typically does not work out. Some of our example experience could be shared as follows:

“Security by Design”: While this is a logically sound statement, it remains as a slogan. We advocate “Security by Practice”. This is for the simple reason of practicality. While most IT systems are in operation today, Security by Design may not seem practical. How do we apply such theory to productive systems? What that would come close in our opinion is probably to perform Vulnerability Assessment and Penetration Testing to the production systems and network infrastructures. For applications, static SAST would be useful. We specifically find binary SAST technology a practical approach to verify 3rd party applications or old applications which do not have source code anymore for whatever reasons. Coming back to the notion of “Security by Design”, even for greenfield systems, the buy-in of senior management and stake owners are the critical success factors for the expansive overhead needed to fulfill it.
Security Certifications: While certification of products and services sounds professional and useful upfront, unfortunately, cybersecurity does not work that way due to its highly dynamic, complex and multi-dimensional nature. A technology tool would easily incur hundreds of thousands and months of verification for certification purposes. It is more often than not that the certification remains a compliance or paper exercise since then it would be obsolete the moment the certification is done or approved. New thread paradigm would have already emerged, new requirements and techniques would likely be needed by then while continuous certification becomes practically and commercially challenging. This, however, does not mean that certification is totally unnecessary. Our opinion is that certification would remain useful if the design structure could afford a baseline that is unchanged, with enhancements and innovations possibilities to build on top of it. Beyond that, we recommend that users perform targeted penetration testing for the scope of requirements that they need, rather than focusing on certification which is usually generic. In other words, it would be practical if users do the relevant testing on focused areas that they need since they know their own requirements best, and hence knowing what is important best.

What should be the elements of an ideal model of corporate and regulatory governance to implement a resilient cybersecurity culture
Cybersecurity typically encompasses People, Process and Technology considerations. We have covered them in the earlier section accordingly.

Clearly outline additional Key result areas and key performance indicators for c level executives like CHRO, CFO, CMO, CSO for fostering a culture
There has also been addressed in the above generally. On results and KPI, we could summarize them as follows:

Corporate-wide Phishing Campaign: this can be measured concretely via email phishing and USB drop test and gather enterprise-wide statics on cyber awareness in a highly quantified manner. Staff who need targeted awareness training can be identified and gathered for specific training after which.
Enterprise Risk Management Framework: this can be measured via an in-depth study of the enterprise BCM/DRP/ERM framework, and dry run with table-top cyber incident exercise. The gaps could hence be identified, and gaps are filled accordingly after which.
Regular Compliance Audit and VAPT: the enterprise security posture should be continuously measured via regular compliance audits as well as VAPT exercises. Remedial actions after which will ensure and enforce resilience on an ongoing basis.
360-Degree Feedback Exercise: as discussed, the people factor and culture are instrumental in the development of a total defense framework in enterprises. To factor in cyber consideration in the 360-degree feedback exercise will hence be directly pertinent in the assessment of openness and sharing culture of the organizations in fulfilment of the total defence culture of the organization.