Cybersecurity-A Structured Approach and Cause for Partnership
When it comes to cybersecurity, the reality is apparent every time we see the news: We have individual victories, but we are certainly not winning the war. The risks are real. Our response to cyber threats is a set of choices.
Reasons why cybersecurity has emerged as a challenge are both historical and multidisciplinary. Success requires comprehensive solutions and it is clear that we are playing catch up. Indeed, the hardware and software we use was created with a focus on time-to-market versus secure interoperability. Companies propped up a perimeter-password-malware signature model for too long. The focus on audits and long-gestating standards fails to evolve in time with the real-world threats we see. And the asymmetric battle has organizations attempting to build perfect walls, whereas malicious actors target a few bad bricks, or a helpful person who lets them inside. Ultimately, cybersecurity is a form of crime. We reduce vulnerabilities, but the risks remain.
The measurable results for the City of Avondale show that the model establishes a strong baseline of security, minimizes impacts of cyber events, and is a platform on which more advanced efforts can build
Addressing cybersecurity for small and medium-sized businesses and governments (“SMBGs”) is especially unforgiving. Numerically, these entities represent the large majority of organizations in our nation. They have tight resource constraints and often lack needed IT expertise. In the end, SMBGs are our largest engines of economic growth, are the most prone, and introduce significant risks into the collective of vendors, customers, and partners that CIOs must support in today’s business environment.
CIOs know that a viable approach revolves around fundamental resilience and risk distribution. For Avondale, we shaped our model with the following tenets:
1. Administrative— Terms for data security, ownership, breach notification and disengagement as part of standard contract and procurement language.
2. Policy— A fresh ITC policy with at least bi-annual security assessments. The results connect to the organization’s annual financial audit and cyber insurance. IT staffs treat audit findings as a key part of our continuous improvement, with high urgency on resolving anything discovered.
3. More Secure Humans— Training programs must educate users, program managers responsible for compliance, IT professionals, and certified cybersecurity professionals. Some vendors are making real strides in this area.
4. Recoverability— Mature disaster recovery into true Business Resumption, providing the capacity to quickly recover the organization’s assets back to a safe and running state. Cloud-based offerings work well in this area.
5. Risk-based Priorities— Invest in the biggest problems first. For us, this was preventing and recovering from spam and phishing attacks, vulnerabilities from loose permissions and unpatched systems, human habits, and extending firewall coverage.
6. Risk Distribution— Distribute the operating environment to provide redundancies and spread failure points. Done well, this strategy takes advantage of vendors who aggregate compliance needs for a higher service level than most organizations can achieve on their own. The vendor community has come a long way and made this strategy viable.
7. Awareness/Response— Monitor technical infrastructure, applications, databases, user activity, and network flows for anomalies.
8. Shared Intelligence— Commit to anonymized sharing of cyberintelligence data to contribute to research and prediction. This raises the bar for everyone. Related, feeds are available from reputable sources that help prevent connections to most malicious sites (and their payloads).
9. Vendors Progress— Work with vendors to achieve pattern-based detection, automated response and alerting, and piloting the new technologies they create.
10. Joint Response— Commit to partnerships and talent development channels. We need to create cybersecurity professionals to fill the talent deficit. Let us teach this cohort to make meaningful, day-to-day improvements in the security profiles of organizations versus acting with an audit-centric view. We must also act together when emergencies do occur.
The work is hard, but not insurmountable. The measurable results for the City of Avondale show that the model establishes a strong baseline of security, minimizes impacts of cyber events, and is a platform on which more advanced efforts can build. The approach teaches the organization that cybersecurity cannot be solved by simply buying a tool or service. Cybersecurity will always require vigilance across our organizations. And anyone who remains in denial is positioning us all for greater harm.
In Arizona, we have emerged as a national leader in the areas of talent development, effective cyberintelligence, secure operations, and joint response. We accomplished this through true cross-sector collaboration targeting over 300 organizations. At alliance meetings, we have active partners from the FBI and Homeland Security, businesses, state and local governments, academia, and non-profits.
The results? On the educational side, students and volunteers at the joint ACTRA-Arizona Cyber Warfare Range created a successful public-private lab that teaches, tests commercial products, and contributes to economic development. Our area organizations created a shared workforce development program for technical professionals, helping them integrate threat intelligence into daily operations at our businesses and governments. And in the end, these efforts have helped attract and retain top cybersecurity professionals in the Valley of the Sun.
In being proactive, the region has been focusing for years on issues that have only recently emerged as major topics nationally. Arizona’s cybersecurity community is executing on initiatives that others are only now beginning to understand and discuss. The ACTRA community is actively involved in direct defense of the critical systems in the state. The alliances are integrated across sectors, support unparalleled private–public-law enforcement collaboration, and allow joint response when members are targeted. Area cybersecurity professionals serve the country through national efforts, such as information sharing, intel analysis programs, and contributing to standards development created under Presidential Executive Order. Indeed, one moonshot we are contributing to is a flexible framework that will allow protected sharing of cyberintelligence among Information Sharing & Analysis organizations (‘ISAO’) throughout the United States.
The fact is that success on the cybersecurity front begins with each person recognizing the power of their individual actions. We have the power to change the whole equation. Breaches in the news media confirm that we are only as strong as our weakest point in this global environment. As such, the cybersecurity age is a call to service. And we all need to be part of the solution.