Achieving operational excellence in cyber defence

Security staff must become more effective in engaging and partnering with the business

In the cyber defence game, nothing is more effective than getting the balance right between talent, capabilities, and robust cybersecurity, to ensure rapid detection and solid protection against cyberattacks. Many companies, however, fail to get the equation right, leaving their processes vulnerable whenever threats appear.

The consequences of cyberattacks are becoming more significant as the Internet of Things (IoT) and cloud connect everything from bank accounts to sensitive data. Achieving best-practice operational effectiveness can deliver a wide array of security-related benefits, from fewer successful incursions to faster response times and quicker recoveries. Strong security can also reduce costs and risks for the business.

Lacking critical technologies and skills

Many organisations lack good enterprise-wide security hygiene — including basics such as rigorous vulnerability management and password policy compliance. For most, the number one operational problem boils down to people and skills; in the current high-turnover environment, firms often expose themselves by having only one person responsible for a security area. If that person leaves, all of the knowledge goes with them.

The constantly changing IT environment of most large enterprises can make it extremely difficult to keep track of and protect critical information. Ensuring that the security team knows where to find core resources requires robust information asset-management approaches, which can prove challenging because of business needs that may require the IT infrastructure to be elastic.

Operational level

Security staff must become more effective in engaging and partnering with the business. New approaches such as software-defined infrastructure (SDI) can make assets more dynamic, but while SDI can boost infrastructure security, it can also blur the context that security teams rely on at the operational level to understand normal versus abnormal behaviour.

Security often has insufficient visibility into the organisation’s asset landscape, due to the limitations of the tools and processes it uses. Another hurdle is time itself: most breaches happen within a few days, but the industry takes 7-8 months on average to detect them. Closing this gap should be a mandate.

Specific steps

Organisations have specific steps to take to improve their security operations, including:

• Assess security capabilities. Evaluate how effective security processes are in dealing with a threat, given the complications of IoT and cloud.

• Invest in talent where it makes sense. Given budget realities, organisations need to understand which capabilities really matter and outsource those that do not.

• Automate intelligently. Investigate the prospects for automating time-consuming tasks, such as dealing with threats like spear phishing, where the attacker personalises emails sent to recipients.

• Contextualise the collected threat data. Organisations must determine whether the security team understands enough about specific assets to contextualise threat data effectively.

• Know what you don’t know. The ideal complement to strong situational threat awareness is a comprehensive understanding of the company’s defence capabilities and the ability to control them effectively.

• Invest in a highly efficient operating model. IT functions are constantly evolving as IoT and cloud assets are brought into the network; the operating model must follow suit to offer high-level risk management.

• Find a sparring partner. A sparring partner will apply all of the attacker’s creativity and intent to ensure that the company’s security innovations keep pace with the latest hacker advances. Done right, the sparring partner approach replicates real-world attacks to a far greater degree than is possible by running tabletop exercises, working through compliance checklists or conducting an annual penetration test. The approach reflects a statement by Joe Louis, past heavyweight boxing champion, who declared, “Everybody has a plan, until they’ve been hit.”

Risk management

An organisation’s cybersecurity game plan needs the right mix of talent, skill, capabilities and technology, but also requires something more — a robust operating model that focuses on the company’s risk management strategy to accomplish three goals:

1. Prepare the security team for the challenges ahead by delivering useful threat intelligence and providing a vulnerability management program that supports the company’s business strategy

2. Predict and detect threats using a combination of advanced security analytics and advanced operational monitoring capabilities

3. Respond to and recover from attacks quickly and with the least exposure possible by employing state-of-the-art security incident-management approaches and adopting an active defence strategy.

There are few signs that the brutal assault on the digital assets of companies and institutions worldwide will diminish anytime soon; in fact, the opposite is probably true. Given this risk-filled environment, firms need the best operational security capabilities possible if they hope to attain the cohesion and clarity required to defend the organisation’s most valuable digital assets.

The writer is Accenture’s Managing Director for the Middle East and North Africa
