Cybersecurity & Risk Management

Hi,

My name is Peter Van Eeckhoutte and I am the founder and principal consultant at Corelan Consulting. Today I would like to share a short introduction to (cybersecurity) risk management. The intended audience for this article is companies (managers) that are perhaps still a little hesitant to look at cybersecurity in a more structural way, as well as those that are already somewhat convinced about launching a formal risk management process in their company but need some guidance on how to do it in a pragmatic manner. Yes, I know, those that are skeptical probably won’t be reading this in the first place. And if they do, maybe they won’t read until the end (too many words). In that case, I hope you’ll forward a link to this article to them, perhaps adding your own arguments and reasoning on why they should take cybersecurity a bit more seriously and why they should read this article to the end.

Bear with me, because at the end of this post, I’ll be sharing 5 FREE practical tips to help you implement a pragmatic risk management program.

In today’s article, we’ll be looking at:

  1. What is cybersecurity? (And why should you care?)
  2. Terminology
  3. Do you really need Cybersecurity?
  4. Cybersecurity Risk Management: where to start?
  5. 5 practical tips
  6. How can we help?

1. Cybersecurity (and why should you care?)

In its most simple and pure form, Cybersecurity means “protecting systems & data against attackers”, basically preventing someone/something from causing damage and harm (intentionally or accidentally) to you, or at least limiting the damage they can cause when attacking your systems & data.

Cybersecurity aims at protecting the systems & data, by ensuring & preserving 4 essential pillars (“C-I-A-A”):

  • Confidentiality (make sure that data & information is not disclosed to an unauthorized party)
  • Integrity (make sure that data & information cannot be modified/destroyed by an unauthorized party)
  • Availability (make sure you have timely access to your information)
  • Accountability (make sure you can see who performed a certain action)

Of course, not all of these pillars are equally important in every scenario; which ones matter depends on what you’re looking at. For example, your company’s public website is designed and intended to be publicly accessible, so protecting its “confidentiality” may not matter much, while its integrity (nobody should be able to change what it says) and its availability probably do. Whatever the relevant pillars are for a given asset, a security control shouldn’t break the ones that matter either: a control that protects confidentiality by making the website unreachable has not improved your security.

The ultimate goal of cybersecurity is to allow you to focus on doing business, and to keep you in business if and when something goes wrong. Cybersecurity is not about achieving some kind of “absolute security” (whatever that may be), just for the sake of securing things, but about being able to operate a successful business, where security is not an extra feature but belongs to the DNA of how the business operates and is part of the full set of business risks. Make no mistake, cybersecurity will never take away all the risks, but it should at least make things more predictable.

Ok, perhaps you’re not convinced yet that you should care about cybersecurity because you still associate cybersecurity with something negative, with what you know & see about it today.  Perhaps you didn’t give it a fair shot either, maybe you didn’t really implement it in a business-oriented manner.  In any case please read on, with an open mind.

2. Terminology

First, let’s clarify some terms that will be used later on in this article:

  • Vulnerability: a weak spot (in hardware, software, a process or people) that could be abused
  • Threat: a possible danger, something (or someone) that could cause damage
  • Likelihood: the odds, the chance that a threat will actually materialise
  • Risk: the combination of the likelihood that a threat exploits a vulnerability and the impact of the resulting incident (often summarised as likelihood × impact)
  • Impact: the damage that an incident would cause
  • Exploit: the abuse of a vulnerability (the act, or the tool used to do it)
  • Control: a mechanism (technical, procedural or organisational) that reduces or mitigates a risk, by lowering the likelihood, the impact, or both

3. Do you really need Cybersecurity?

A frequently heard argument against the implementation of a more structural approach towards cybersecurity is “we have never had any issues before, why should we do more than what we already do“?

Of course, it’s important to realize that “absence of evidence” is not “evidence of absence“. (Besides, without proper detection mechanisms, you may not be able to tell if you’re having a security incident or not. Malicious criminals may be inside your systems already, without you noticing anything.)

For some reason, companies tend to be quite hesitant to look at cybersecurity in a pro-active manner (beyond getting a firewall and some antivirus, preferably a free version), and to implement structural processes, to create and adopt a formal security program. Yet at the same time, we don’t seem to question security in other aspects of our lives. In fact, we all rely on it and embrace it.

We purchase cars that have airbags, not because we’re waiting for the airbag to be deployed, or looking forward to seeing it deployed. In fact, we hope we won’t run into a scenario that would require the airbag to be used, and yet at the same time, we rely on them to work well when needed. The fact that you haven’t had an accident yet doesn’t mean you’re going to opt out of the airbag when purchasing a car. You’re not going to wait until you have an accident either to buy an airbag for your future car. After all, you know what’s at stake, you know the value of what you’re protecting (you and your loved ones), you can clearly see the threats to your safety. Some of these threats are “external” (other cars, weather conditions, unexpected sharp corners, roadblocks), others are “internal” (fatigue, texting while driving, speeding, driving under influence, etc.). You also know that your car is vulnerable (it won’t survive crashing into something else). A crash would affect the Integrity of the car, as well as its Availability, and it might also affect your own Integrity & Availability. Bottom line, you know exactly why the airbag is there. There is a risk of getting into an accident. Perhaps the likelihood (of crashing into something) may be quite low, but you also know that the impact (if it were to happen) could potentially be high. Better safe than sorry, right?

Of course, having the airbag shouldn’t prevent you from driving the car either, nor make it more difficult to do so in a “normal” manner. Perhaps that’s why people (companies, managers, …) are quite critical and skeptical about cybersecurity, and hesitant to take a more structured approach, to do more than what they already do today. Cybersecurity still has a rather negative image. All too often it is put in a corner, simplified and reduced to a very small subset of its technical side, put in a box and labeled as “things that tend to annoy” people, that “hinder” people, make it “more difficult” to do their job, just “cost money”, cause “administrative overhead”. Things such as “the need to have strong passwords that need to be changed every X months”, or the “purchase & deployment of complex tools & expensive technology”, etcetera. On top of that, quite often, security is linked directly (and uniquely) to legal requirements. “We’ll only do what is absolutely necessary to be compliant.” Let’s be honest – are all of the “annoying” technological controls really needed? Perhaps, perhaps not. Do those “annoying” technical controls help to create a positive image? No, not if you only look at the controls and tools.

At the same time, you’re probably being exposed to many IT (Security) suppliers, resellers and vendors that come and go, trying to sell shiny (often expensive) appliances, next-generation cloud solutions, pushing for the implementation of “best practices”, and so on, claiming that their products will take care of your security challenges. Buzzwords bounce off the walls of your meeting rooms, your eyes glaze over & you stare at the door, while the sales representative gives his or her very best, using tens & tens & tens of cleverly crafted powerpoint slides to try to convince you that you have problems you have never heard of, issues you didn’t even know existed, requiring to be solved by something you don’t really want to buy. Causing fear, uncertainty, and doubt. Scary.

No wonder people don’t believe in cybersecurity. Nobody really tells you “WHY” you need certain things, in a way so it really relates to your own business. And that’s probably what distinguishes the adoption of cybersecurity from an airbag. (Ok, I know, all cars probably have airbags by design nowadays, you don’t really get to make a choice… and in my humble opinion, that’s exactly what cybersecurity should be like as well)

Long story short, of course you need (a more elaborate version of) cybersecurity. The impact of incidents on your critical systems has the potential of putting you out of business or causing serious damage. You shouldn’t wait until it happens; in fact, I hope it never happens to you. But you may not get a second chance if it does. It would be the business equivalent of crashing your car at high speed without any form of protection. I’m well aware that GDPR and other legislation already “force” you to look at cybersecurity… but in all honesty, compliance should never be your main driver. You should know exactly what to protect, and why. And if you can’t fill in the blanks yourself, don’t put your head in the sand, but ask someone that can help. You owe it to yourself, your business, your employees, your legacy.

If you’re still not convinced, please contact me & let me know why. I’d like to hear about your concerns and arguments. I promise I won’t try to convince you if you’re not willing to give it a shot.  I’ll listen and wish you all the best!  Meanwhile, please read on to see how we would approach cybersecurity risk management if you were to hire us 🙂

4. Cybersecurity Risk Management: where to start?

In order to be more successful at cybersecurity, you’ll need to start with what matters most to you: your business, the critical components that drive and support your business, the value of those components, and the exposure of those components to risk. Your business processes are real, your business goals are real, and you can measure those things. The vulnerabilities, threats and risks are real too, and by definition they concern those same valuable components. Your business is your business. You know what you’re doing and why. Those are facts.

In other words, a more effective & efficient approach towards improving your cybersecurity would be to look at things from a risk perspective, focusing on the most important things first, and to take decisions in line with those risks and certain variables (such as the impact of each risk to the C-I-A-A pillars).

If you don’t want security to be just “annoying”, you (and all of your employees and co-workers) have to be fully aware of, and convinced about, “why” (or “why not”) you’re doing things in a certain way. This awareness is fundamental and also helps you to determine what you need (and whether you need something in the first place). This level of awareness leads to an improved ability to take very conscious decisions, based on the identification of risks to your business. In the end, cybersecurity (and its implementation) will be more successful, valuable, useful, productive, efficient and effective for you and your company.

All of this requires you to do a professional exercise, applied to your own environment, specific to your company. By design, all decisions & solutions will be tailor-made to your company as well. Yes, some of the implementations may have some effect on how you work on a daily basis and may be considered “annoying”. But at least it should be clear to you why you need them. And if it’s not clear, do the exercise again (before simply dismissing the control).

This exercise is an ongoing process, called “Risk Management”. Of course, if this “fancy buzzword” sounds a bit posh or scary, feel free to use another term. You could call it “protecting your business” if you’d like. In any case, you’re probably already doing it one way or another, so you might as well take a more structural approach to it, making sure you don’t forget about anything important and that you’re focusing on the right things.

Ultimately, the outcome of the exercise will determine if you need to do something, and if so, what impact it will have on people, processes and technology. So, of course, cybersecurity will have a technological aspect, but that’s not necessarily the most important aspect, and certainly not the only one.

5. Our 5 FREE practical tips

As promised, please find below 5 FREE practical tips to improve your Cybersecurity risk management program:

a. Focus on the most important assets first!

Don’t start your “security improvement initiative” by purchasing or implementing technology, or by doing an ethical hacking assessment on your entire environment. Trust me, it’ll create more noise than you can handle. Take a systematic, pragmatic, methodical approach and start building security from the ground up, starting with your most critical assets. Do a proper risk management exercise. Document the risks, threats, vulnerabilities, etc., as well as which of the 4 (C-I-A-A) pillars are relevant for each specific asset. Balance each risk against the protection/mitigation controls: try to understand the impact of the risk versus the impact and cost of the control, and make sound decisions. Make sure you fully understand the “why” before you do something. Implement the controls and then assess them (a control that was never tested is an assumption, not a control).
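To tie the terminology from section 2 to this first tip, here is a small risk register in Python, added as an example (it is not code from the original article). It scores each documented risk from likelihood and impact on two 1-to-5 scales, ranks the register so the asset with the highest exposure comes first, and compares candidate controls by how much risk they remove per unit of cost against a chosen risk appetite. The scales, the sample assets and threats, the controls and their yearly costs are all assumptions; the numbers are there to show the mechanics, not to suggest what your figures should be.

```python
"""A minimal risk register: score each risk from likelihood and impact, rank
assets so the most exposed ones get attention first, and compare the risk a
control removes against what it costs.

Added example, not code from the original article. The two 1..5 scales, the
sample assets, the controls and their costs are assumptions for illustration.
"""
from dataclasses import dataclass

# Ordinal scales (assumption). Using the same scale everywhere keeps scores comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str            # what could cause damage
    vulnerability: str     # the weak spot the threat would use
    pillars: frozenset     # which of C, I, A, Acc the incident would hit
    likelihood: str
    impact: str

    def score(self) -> int:
        """Inherent risk = likelihood x impact, from 1 to 25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Control:
    name: str
    yearly_cost: int                # assumed units, e.g. EUR per year
    likelihood_reduction: int = 0   # steps down the likelihood scale
    impact_reduction: int = 0       # steps down the impact scale


def residual_score(risk: Risk, control: Control) -> int:
    """Risk that remains once the control is in place (each scale floors at 1)."""
    lik = max(1, LIKELIHOOD[risk.likelihood] - control.likelihood_reduction)
    imp = max(1, IMPACT[risk.impact] - control.impact_reduction)
    return lik * imp


def rank_register(register):
    """Highest inherent risk first: this is the 'most important assets first' order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def control_value(risk: Risk, control: Control) -> float:
    """Risk points removed per unit of yearly cost; higher is better."""
    return (risk.score() - residual_score(risk, control)) / control.yearly_cost


def best_control(risk: Risk, controls, appetite: int):
    """Among the controls that bring residual risk within the appetite, pick the one
    that removes the most risk per unit of cost. None means no listed control is
    good enough on its own: combine controls, redesign, or accept the risk explicitly."""
    fits = [c for c in controls if residual_score(risk, c) <= appetite]
    if not fits:
        return None
    return max(fits, key=lambda c: control_value(risk, c))


# Constructed sample register for a small production company (assumption).
ERP_RANSOMWARE = Risk("ERP database", "ransomware", "unpatched servers on a flat network",
                      frozenset({"I", "A"}), "likely", "severe")
REGISTER = [
    Risk("public website", "defacement", "outdated CMS plugin", frozenset({"I"}), "possible", "minor"),
    ERP_RANSOMWARE,
    Risk("line PLC", "unauthorized logic change", "vendor remote access without MFA",
         frozenset({"I", "A"}), "unlikely", "severe"),
]

# Candidate controls for the ERP ransomware risk (costs and effects are assumptions).
CONTROLS = [
    Control("offline tested backups", yearly_cost=5000, impact_reduction=2),
    Control("segmentation and patching", yearly_cost=20000, likelihood_reduction=2),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.score():>2}  {r.asset:<16} {r.threat:<26} pillars={sorted(r.pillars)}")
    for appetite in (12, 10, 4):
        c = best_control(ERP_RANSOMWARE, CONTROLS, appetite)
        print(f"appetite {appetite:>2}: {c.name if c else 'no single control suffices'}")
```

Two things the output shows that a list of tips cannot: a cheap control can be the better buy at a relaxed risk appetite (backups cut the impact of ransomware) yet fall short at a stricter one, where only the more expensive control that addresses likelihood gets you there; and when no single control suffices, the honest options are to combine controls, rethink the design, or accept the risk explicitly rather than leave it undocumented. The pillars field records which of C-I-A-A each risk affects, which is what tells you later whether a proposed control is even aimed at the right property.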

b. Hey, wake-up, it’s 2019!

The old-school “perimeter-based” security / trust model, based on “everything outside is untrusted, everything inside (behind the firewall) is trusted”, is no longer viable. In today’s world, it’s much more difficult to really define the actual perimeter. Many companies use a combination of on-site systems and systems/applications in the cloud, “allow” the use of mobile devices running all kinds of operating systems, are heavily investing in production/industrial automation and robotics, allow employees to work remotely, rely on suppliers to provide remote support, and so on… Systems are everywhere, data is everywhere, users are everywhere, all the time. Each of these technologies and evolutions comes with its own set of threats, risks and vulnerabilities. On top of that, in reality, the most important and successful “attacks” originate from the inside anyway (intentional or accidental), undermining the traditional “trust model” entirely. By all means, don’t be afraid of adopting new technologies and innovations, don’t be afraid of implementing a digital strategy and taking advantage of automation… but please change your mindset about security accordingly, and don’t adopt a new technology unless you know what it really means for your risk posture. It shouldn’t matter where your users are, and it shouldn’t matter where your systems or data are. You need to be in control, making sure you protect the things you care about the most.

c. Segmentation

Segmentation and isolation are key. Group assets that have the same level of security and isolate them from systems with a different level of security. That way, you will be able to contain issues and prevent contamination of other (more important) parts of your business. Additionally, it will allow you to determine and implement appropriate controls for each group of systems in a controlled way. After all, industrial control systems require a different approach than an ERP system and are exposed to different types of risks. Isolation only works if the exceptions between groups are explicit and few: every flow that is not deliberately allowed should be denied, in both directions.
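As an added example (not part of the original article), the following Python script makes “group assets with the same security level and isolate them” concrete: it assigns addresses to zones, treats anything not explicitly allowed between zones as denied, checks a handful of constructed flow records against that allow list, and lints the allow list itself for rules that would quietly undo the isolation. Zone names, address ranges, ports, the allow list and the sample flows are all assumptions.

```python
"""Zone-based segmentation check: map addresses to security zones, evaluate
observed flows against an explicit allow list (default deny), and lint the
allow list for rules that undermine the isolation the zones are meant to give.

Added example, not code from the original article. Zone names, address ranges,
ports, the allow list and the sample flows are all assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    trust: int      # higher = more sensitive (assumption: 0 internet .. 4 ICS)
    cidr: str


ZONES = [
    Zone("dmz", 1, "10.1.0.0/24"),
    Zone("office", 2, "10.2.0.0/16"),
    Zone("erp", 3, "10.3.0.0/24"),
    Zone("ics", 4, "10.4.0.0/24"),
]
INTERNET = Zone("internet", 0, "0.0.0.0/0")   # everything that matches no internal zone
BY_NAME = {z.name: z for z in ZONES + [INTERNET]}

# Explicit allow list: (src zone, dst zone, dst port) -> why this crossing exists.
# Anything not listed is denied, including flows from a "more trusted" zone outward.
ALLOW = {
    ("internet", "dmz", 443): "public website",
    ("office", "dmz", 443): "staff use the website too",
    ("office", "erp", 8443): "ERP web client",
    ("erp", "ics", 4840): "production orders pushed to the OPC UA gateway",
}


def zone_of(ip: str) -> Zone:
    """First internal zone whose range contains the address, else the internet."""
    addr = ipaddress.ip_address(ip)
    for z in ZONES:
        if addr in ipaddress.ip_network(z.cidr):
            return z
    return INTERNET


def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    return (zone_of(src_ip).name, zone_of(dst_ip).name, port) in ALLOW


def violations(flows):
    """(src, dst, port) tuples that cross a zone boundary without a rule.
    Traffic that stays inside one zone is not a segmentation concern here."""
    out = []
    for src, dst, port in flows:
        if zone_of(src) == zone_of(dst):
            continue
        if not is_allowed(src, dst, port):
            out.append((src, dst, port))
    return out


def lint_policy(policy):
    """Flag rules that weaken isolation: the internet reaching past the DMZ, or a
    crossing into a more sensitive zone that nobody has justified."""
    findings = []
    for (src, dst, port), why in policy.items():
        s, d = BY_NAME[src], BY_NAME[dst]
        if s.name == "internet" and d.name != "dmz":
            findings.append(f"{src}->{dst}:{port} exposes {dst} directly to the internet")
        if d.trust > s.trust and not why.strip():
            findings.append(f"{src}->{dst}:{port} enters a more sensitive zone without a documented reason")
    return findings


# Constructed flow records (assumption), e.g. what a firewall or NetFlow export would give you.
FLOWS = [
    ("203.0.113.7", "10.1.0.10", 443),   # internet -> DMZ web server: allowed
    ("10.2.5.20", "10.3.0.5", 8443),     # office -> ERP web client: allowed
    ("10.2.1.1", "10.2.1.2", 445),       # office -> office: same zone, skipped
    ("10.2.5.20", "10.4.0.15", 502),     # office laptop -> PLC over Modbus: violation
    ("10.1.0.10", "10.3.0.5", 5432),     # DMZ web server -> ERP database: violation
    ("10.4.0.15", "10.2.5.20", 445),     # PLC -> office SMB: violation (deny works both ways)
]

if __name__ == "__main__":
    for src, dst, port in violations(FLOWS):
        print(f"VIOLATION {zone_of(src).name}->{zone_of(dst).name} {src} -> {dst}:{port}")
    for finding in lint_policy(ALLOW):
        print("POLICY:", finding)
```

The same allow list is what the firewall between the zones should enforce; running this logic against exported flow logs is a cheap way to find out whether the segmentation you designed is the segmentation you actually have. Note that the PLC talking SMB to an office laptop is flagged just like the laptop talking Modbus to the PLC: a “more trusted” zone gets no free pass outward, because a compromised machine inside it is exactly the case segmentation is meant to contain.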

d. Defense in depth.

Don’t rely on one solution, one vendor, one brand, one product. Don’t rely on just one protection mechanism. Make sure you have multiple layers of defense and take time to properly design the topology and architecture needed (before starting to buy tools and products).

Make sure your controls take all 3 phases of the lifecycle of data into account:

  1. Transit (protect data as it goes from one place to another)
  2. Processing (protect data when it is inserted into an application, processed by the application, represented & displayed to a user)
  3. Storage (protect data at rest)

Don’t put all of your eggs in one basket. Consider the use of different types of controls, including preventive controls (stop the incident from happening, e.g. a firewall rule or multi-factor authentication), detective controls (notice it while it is happening, e.g. monitoring of logs and alerts) and corrective or mitigating controls (limit the damage and recover, e.g. tested backups and an incident response plan).

Don’t just buy solutions without doing a proper risk assessment. Protect the things you care about the most, and prepare to contain an issue if something goes wrong. Keep in mind that you’re trying to protect your business, don’t take this lightly.

e. Identity & access management.

With people, systems and data everywhere, the ability to easily manage and control the identity (and access rights) of your users is becoming increasingly important. There is no need to fight evolution or to be afraid of adopting cloud solutions… Of course it’s easier if everything is in one place, but that’s not how things work nowadays. So, as you take advantage of cloud services and applications, and as you go through a digital transformation, please make sure to invest in techniques that allow you to manage identities and access controls in a consistent way, across the entire landscape, so that an account that is disabled in one place is disabled everywhere.

6. We can help

We’re more than happy to look at what you already have and define a roadmap for improvement (if any). We can certainly help you review your existing risk management program, and we can definitely help you build a new one from scratch. With almost 20 years of experience working in a production company, we know what matters the most and can help you improve your cybersecurity in a pragmatic way.

Of course, we will work closely with your IT/Security suppliers & partners and/or your internal IT staff. That’s a given.

Contact us to discuss further

