The challenges facing Security Managers in the cybersecurity era
An (almost) inhuman task
By Juan Manuel Gil Bote, Managing Director F24 Servicios de Comunicación S.L.U.
Working as a Security Manager is perhaps one of the most thankless professions around.
Although I am not a Security Manager myself, I admire all those who work to prevent incidents from occurring. Nobody normally notices when an incident has been prevented, so gratitude is pretty thin on the ground; yet when something does happen, everybody demands accountability.
Almost everyone agrees that we tend to underinvest in security. As a result, security managers are faced with an additional challenge and must harness their juggling skills to make the most of the available funds.
A further complication is that threats are multiplying in an increasingly globalised world. Cybersecurity is one example: the interconnected world increases the exposure to risk. Applied technologies such as IT/OT integration are another: they yield valuable information for security purposes, but also generate far larger volumes of data to be analysed. Data protection and the application of the GDPR add yet another dimension. While these challenges have been around for some time, they are new to professionals who often have not received any specific training in these areas.
Generally speaking, companies have adopted modern devices such as smartphones, yet their warning systems for serious incidents still run through call chains that have proved to be inefficient, slow and highly dependent on human involvement. All crisis management studies emphasise the importance of a speedy response.
They all agree that the first few hours, sometimes even the first few minutes, are critical for preventing or minimising further damage (see Kaji, J., Devan, P., Khan, A. & Hurley, B.: Deloitte Insights. Stronger, fitter, better. Crisis management for the resilient enterprise., 2018). This is exactly where call trees fall short: even small warning chains quickly clock up 30 minutes, and it is not unusual for chains of over 50 participants to need up to an hour to set the response mechanism in motion.
In an informal survey taken by the attendees of the event “Open Day PICE 2018” on the topic of critical infrastructures in Madrid, most of the companies in attendance acknowledged typical damages reaching from one to ten million euros per incident, with an average duration of 12 to 24 hours. In the “golden hour”, as the first hour after the beginning of a crisis is often called, it is essential that the necessary steps are taken immediately to contain any damage that occurs. Significant losses can be caused by exceedingly slow communication in a crisis. The added value represented by a speedy response to an emergency situation translates into an exponential return on investment. Therefore, it is difficult to understand why warning models from the 1990s are still in use.
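The following model makes the timing argument concrete. It is an added illustration, not the author's figures or any F24 product logic: a constructed 13-person response team is alerted three ways (a linear call chain, a call tree in which each person phones their callees one after another, and an automated multi-channel alert with escalation to a deputy when nobody acknowledges). Call durations, acknowledgement times and the escalation timeout are assumptions chosen only to make the comparison runnable; the shape of the result, with every delay accumulating in a chain and the worst single case dominating in a parallel alert, is the point.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed assumptions for the comparison; none of these figures come from the article.
CALL_SECONDS = 60        # one completed phone call, including the briefing
RETRY_SECONDS = 120      # ring-out plus a retry before the call finally completes
ACK_SECONDS = 45         # time to acknowledge an automated SMS/push/voice alert
ESCALATE_SECONDS = 120   # platform escalates to a deputy when no acknowledgement arrives


@dataclass
class Person:
    name: str
    answers_first_try: bool = True
    calls: List[str] = field(default_factory=list)  # whom this person phones next (call tree)
    deputy: Optional[str] = None                     # escalation target (automated model)


def call_cost(p: Person) -> int:
    """Seconds needed to complete a call to p."""
    return CALL_SECONDS if p.answers_first_try else RETRY_SECONDS + CALL_SECONDS


def chain_time(order: List[Person]) -> int:
    """Linear call chain: each person phones the next; every delay adds up."""
    return sum(call_cost(p) for p in order[1:])  # order[0] raises the alarm


def tree_time(people: Dict[str, Person], root: str) -> int:
    """Call tree: a person phones their callees one after another, and each callee
    only starts phoning once they have been reached themselves."""
    reached = {root: 0}
    pending = [root]
    while pending:
        caller = pending.pop()
        t = reached[caller]
        for callee in people[caller].calls:
            t += call_cost(people[callee])
            reached[callee] = t
            pending.append(callee)
    return max(reached.values())


def broadcast_time(people: Dict[str, Person]) -> int:
    """Automated multi-channel alerting: everyone is notified at the same moment;
    whoever fails to acknowledge is escalated to a deputy after a fixed timeout."""
    worst = 0
    for p in people.values():
        if p.answers_first_try:
            t = ACK_SECONDS
        elif p.deputy is not None:
            t = ESCALATE_SECONDS + ACK_SECONDS
        else:
            t = ESCALATE_SECONDS + RETRY_SECONDS  # no deputy: back to manual chasing
        worst = max(worst, t)
    return worst


def build_team() -> Tuple[Dict[str, Person], List[Person]]:
    """Constructed 13-person response team: a duty officer, three team leads and
    three members each. Member b2 does not pick up on the first attempt."""
    people: Dict[str, Person] = {"duty_officer": Person("duty_officer")}
    for lead in ("lead_a", "lead_b", "lead_c"):
        members = [f"{lead[-1]}{i}" for i in (1, 2, 3)]
        people[lead] = Person(lead, calls=members)
        people["duty_officer"].calls.append(lead)
        for m in members:
            people[m] = Person(m, deputy=lead)
    people["b2"].answers_first_try = False
    # The linear chain phones the same people in depth-first tree order.
    order = [people["duty_officer"]]
    for lead in people["duty_officer"].calls:
        order.append(people[lead])
        order.extend(people[m] for m in people[lead].calls)
    return people, order


if __name__ == "__main__":
    team, order = build_team()
    print("linear call chain :", chain_time(order), "s")
    print("call tree         :", tree_time(team, "duty_officer"), "s")
    print("automated alert   :", broadcast_time(team), "s")
```

With these assumptions the chain needs 14 minutes, the tree 7, and the automated alert under 3, and a single unanswered phone in the chain or tree delays everyone downstream, whereas in the parallel model it only delays that one person's deputy. Changing the constants changes the absolute numbers, not that ordering.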
A new world has opened up with the numerous sources of information provided by interconnected monitoring devices. Beyond securing the devices themselves, the information they provide must also be “digested” if it is to contribute value to security management. On the first point, there is now greater awareness of the vulnerability of these devices, which in turn influences the selection process, particularly in the case of Critical Infrastructures.
However, there are huge shortcomings in terms of managing the information from these devices. Typically, there is little automation in place for data processing. Ultimately, the data converges in consoles monitored by operators. Therefore, once again, the human factor becomes a limiting factor in the process. As a result, early warning indicators often go unnoticed or receive a delayed response. As different areas can overlap here, in many cases, little importance is placed on the joint participation of IT and Security, thus unwittingly impacting an early security response.
Once again, technology offers opportunities which, at little cost, automate processing so that warnings do not go unnoticed and reaction times fall. This helps to prevent unintentional omissions by employees, whilst also making clear savings on the final cost generated by the incident.
Until relatively recently, one of the first things that came to mind when hearing the term “interconnected world” was the reputational impact related to social networks. The hope was to not find yourself all over social media in a matter of minutes due to an information leakage, in addition to collaborating with Corporate Communication to moderate the publication of fake information on social networks. A few companies have implemented network monitoring practices to obtain early information as an added source of data to be integrated into crisis management.
At present, as reputational threats now form part of crisis management, cybersecurity has become the new threat. Clearly, we are facing threats that are ahead of us and our knowledge. This generates the sense of facing an enemy with our hands tied behind our backs, as they are always one step ahead. Accordingly, the challenge involved in managing a cyber event comes down to one crucial factor, as demonstrated by the case of WannaCry: how to manage a situation in which your company is forced to shut down IT out of precaution.
The fact is that hardly any companies are prepared for this, mainly because it is very difficult to use your normal technological resources to manage emergencies. For instance, the following systems may become inoperative: email, telephony (most companies use VoIP), document repositories, monitoring tools, etc. It is a real challenge to react swiftly when your warning and document management systems are crippled.
The only resilient alternative in order to respond quickly to a cyber scenario and reduce the impact is to rely on external solutions that can be easily accessed from outside the company and which do not share technological dependence with it, namely, an external service system. From there, it must be possible to access essential event management documents, initiate warning processes with personnel repositories in multi-channel mode, and help to coordinate actions. Only from an environment that is separate from the company’s IT infrastructure, can an agile solution be found that provides the minimum guarantees in response to a cyberattack.
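One way to check the independence requirement described above before a crisis, rather than discovering a hidden dependency during one, is to treat the service inventory as a dependency graph and ask what still works when the corporate estate is switched off. The script below is an added example, not the author's method or any vendor's tooling; the inventory, the service names and the capability mapping are constructed. It flags a crisis portal that is hosted externally but authenticates through corporate single sign-on, which would fail along with the directory it depends on.

```python
from typing import Dict, List, Set

# Constructed inventory: each service maps to the services it cannot operate without.
# Names beginning with "corp_" belong to the company's own IT estate.
INVENTORY: Dict[str, Set[str]] = {
    "corp_ad":           set(),                      # on-premises directory / single sign-on
    "corp_dns":          set(),
    "corp_email":        {"corp_dns", "corp_ad"},
    "corp_voip":         {"corp_dns", "corp_ad"},
    "corp_docs":         {"corp_ad"},                # document repository behind SSO
    "public_dns":        set(),                      # third-party resolver, not run in-house
    "crisis_portal_sso": {"public_dns", "corp_ad"},  # hosted externally, but logs in via corporate SSO
    "crisis_portal_ext": {"public_dns"},             # hosted externally, with its own credentials
}

# Constructed mapping of the capabilities the article calls essential in a crisis
# to the services that could provide each of them.
CAPABILITIES: Dict[str, List[str]] = {
    "event_documents":  ["corp_docs", "crisis_portal_sso", "crisis_portal_ext"],
    "contact_registry": ["corp_ad", "crisis_portal_sso", "crisis_portal_ext"],
    "alerting":         ["corp_email", "corp_voip", "crisis_portal_sso", "crisis_portal_ext"],
    "coordination":     ["corp_email", "corp_voip", "crisis_portal_ext"],
}


def transitive_deps(service: str, inventory: Dict[str, Set[str]]) -> Set[str]:
    """All services `service` depends on, directly or through other services."""
    seen: Set[str] = set()
    pending = [service]
    while pending:
        s = pending.pop()
        for dep in inventory.get(s, set()):
            if dep not in seen:
                seen.add(dep)
                pending.append(dep)
    return seen


def corporate_dependencies(service: str, inventory: Dict[str, Set[str]] = INVENTORY,
                           prefix: str = "corp_") -> Set[str]:
    """The corporate-IT components a service transitively relies on (empty = independent)."""
    return {d for d in transitive_deps(service, inventory) if d.startswith(prefix)}


def available_after_shutdown(shut_down: Set[str],
                             inventory: Dict[str, Set[str]] = INVENTORY) -> Set[str]:
    """Services that still work when everything in `shut_down` is switched off."""
    return {
        s for s in inventory
        if s not in shut_down and not (transitive_deps(s, inventory) & shut_down)
    }


def capability_gaps(shut_down: Set[str],
                    capabilities: Dict[str, List[str]] = CAPABILITIES,
                    inventory: Dict[str, Set[str]] = INVENTORY) -> Dict[str, List[str]]:
    """For each essential capability, the providers that survive the shutdown.
    An empty list means the crisis team loses that capability."""
    alive = available_after_shutdown(shut_down, inventory)
    return {cap: [p for p in providers if p in alive] for cap, providers in capabilities.items()}


if __name__ == "__main__":
    # Precautionary shutdown of the entire corporate estate, as the article describes.
    corp_estate = {s for s in INVENTORY if s.startswith("corp_")}
    for service in ("crisis_portal_sso", "crisis_portal_ext"):
        print(f"{service}: shares {sorted(corporate_dependencies(service)) or 'nothing'} with corporate IT")
    for cap, survivors in capability_gaps(corp_estate).items():
        print(f"{cap:17s} -> {survivors or 'LOST'}")
```

Running the check for a full shutdown shows that only the portal with its own credentials keeps every capability alive; the SSO-bound portal disappears together with the directory. The same function answers narrower questions, for example which capabilities survive if only internal DNS is lost, which is useful when deciding what the external service must cover on its own.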
Given these reasons and scenarios, it’s easy to understand why I feel so much for Security Managers. In an increasingly constrained economic climate, we are facing the challenges of how to manage crises and integrate technologies and quasi-unknown cyber threats, all of which require significant talent to keep up-to-date and develop practical solutions to minimise the potential economic impact of current threats on a company.