I experienced my first IT audit back in 1987 when I was working as the Systems Manager for American Express in the UK. Back in the day, IT audits were a cat-and-mouse game between the auditors and those being audited. Could we get things ship-shape in time, stay one step ahead of the auditors and give them enough so they had their pound of flesh, all while trying to do our day jobs and keep the business running? We always passed the audit, albeit with a few areas of partial conformance, but hey, we were compliant!
In 2013, the Target Corporation’s network was breached, resulting in 40 million credit and debit card numbers and 70 million records of personal information being stolen. This was the second largest credit and debit card breach on record and cost credit unions over 200 million dollars just to reissue cards. Guess what – Target was compliant too.
In today’s world of fast-paced digital transformation, simply being compliant doesn’t cut it. In fact, compliance can create a false sense of security. ISO/IEC 27001, the international management standard for information security, has recently been updated to enhance its focus on risk management. When we look at managing risks from a cyber perspective, we need to think about both managing the likelihood of bad things happening and managing the impact when they do – and it’s “when”, not “if”.
In February 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”. Following this, in 2014 the NIST Cybersecurity Framework (CSF) was released, and then in 2018 was updated to version 1.1. The intent was to make an easy-to-understand cybersecurity framework that focuses on managing cybersecurity risk, while leveraging existing best practice for management and technical controls. The framework has 5 functions, 23 categories and 108 subcategories. It uses mappings to informative references to point the reader to areas of best practice (like ISO/IEC 27001, COBIT, CIS CSC 20, NIST 800-53) and provides guidance on implementation models (called Tiers) and cyber risk gap analysis.
So why the change in focus from compliance to risk? Much of the rationale comes down to digital transformation, or DX. When we move from traditional business models to digital business models, we greatly increase the attack surface available to bad actors (people who exploit a vulnerability, also known as “black hats”), and therefore increase our cyber risk. The more we digitise, the greater the risk. The other thing to consider is the move from in-house IT and monolithic outsourcing to cloud-based computing and multisource suppliers. The Target breach was carried out through their HVAC (heating, ventilation and air conditioning) service provider. The attackers used simple exploits to gain access to the supplier and then on to Target, which was their… target. Lastly, the level of sophistication used by nation states (foreign governments) and organised crime is way ahead of most organisations trying to protect their digital assets. They use machine learning, artificial intelligence, social engineering and publicly available information to launch their attacks. Unfortunately, we have to be successful in defending all of the time; they only need to be successful in attacking once.
The combination of digital transformation, supply chain risk and advancement in the capabilities of bad actors means we cannot assume traditional compliance will protect us; we need to assess our cyber risk on a daily basis. What have we changed? What new risks are we facing? What mitigations do we need to apply? These are assessments we need to make today, tomorrow and on an ongoing basis.
So, what can you do? Start by asking three questions:
- How are you integrating cybersecurity into your digital transformation?
- What does your supply chain look like? Remember that supply chain risk from a cyber perspective is not about securing the supply of goods and services, although that is important; it is about understanding how your cybersecurity risk may have changed by including a third party in your ecosystem.
- How are you applying risk management techniques, systems thinking and agile ways of working to your cybersecurity capability?
The NIST Cybersecurity Framework, combined with an agile way of applying cyber risk management, provides an excellent foundation for DB Results’ digital customers. We have unique capabilities in this space and are helping both state and commonwealth governments prepare for the digital age. In a recent engagement with a large state-based government agency, DB Results created an ITIL Operating Model based on SIAM, a methodology for organisations to integrate and manage multiple technology service providers. We built a NIST CSF cybersecurity overlay, embedding best practice cyber controls and risk management processes across the agency’s business and IT operating model.
If you have any questions or comments, get in touch.