MINDFULNESS and your CYBERSECURITY Program
As you begin reading this article I would like you to imagine that your organization has just been a victim of a “cyberbreach”. You were notified that the majority of your sensitive data has been stolen from your organization and is now for sale on the Darknet. You engage your incident response plan and begin the process of containment, eradication, notification and the slew of other incident response activities that must be performed.
While you are engaged in the incident response cycle you start to wonder: how did this happen? If you have been paying attention to the breaches of the past few years, they follow a familiar pattern. Someone clicks a malicious website link within an email, which sets off a series of unfortunate events that result in the escalation of administrative access within the infrastructure. This access leads to the discovery of sensitive data sources and the eventual theft of data from the organization.
As technology and security leaders, we are bombarded with a never-ending stream of new technologies, services and frameworks that claim to be the cure for the “cyber breach” described above. I submit that we must look deeper into the cause of these breaches, past the bolt-on compensating controls we are so accustomed to applying, and look toward fundamentally changing organizational culture and mindset as it relates to preventing and reducing the impact of the “cyber breach.” An organizational philosophy that supports this culture and mindset change, and that has been effective within industries that deal with life safety, is the “High Reliability Organization.”
High Reliability Organizational principles have the potential to create a culture of “Cybersecurity mindfulness”. If we applied these principles and mindfulness to our cybersecurity program, it would have these characteristics.
• A preoccupation with the failure of Cybersecurity controls.
• Reluctance to simplify interpretations of risk exposure and threat data.
• Active observation, situational awareness and engagement of leaders and stakeholders within the Cybersecurity program.
• Recognizing that Cybersecurity is a business imperative, and building resiliency within the business to support that imperative.
• Listening to and involving subject matter experts from across the business.
• The creation of transparency, trust and accountability with a focus on continuous learning.
Driving High Reliability principles, in particular mindfulness, within the business and its Cybersecurity program is no easy task. It is a cultural shift that can take years to take hold. There are, however, some quick wins that I believe can make an immediate impact, create positive stakeholder engagement and plant the seeds of “Cybersecurity mindfulness.”
Establishing a daily rhythm for your Cybersecurity staff is a great first step. This rhythm would start with a standing meeting first thing in the morning. This meeting would involve all the core Cybersecurity team members and would be focused on critical threat events over the last 24 hours. Critical events deemed potentially harmful would be registered as threat profiles and managed day to day. As major threat events, exposures or incidents are discovered, a communication would be released to stakeholders and leaders within the organization. If a daily communication is too much, a weekly summary also works well.
A common practice in High Reliability Organizations is to establish a standardized communication approach. An example is the SBAR (Situation, Background, Assessment, Recommendation) approach. The SBAR offers an easy way to create communication that allows stakeholders to have common expectations related to what is to be communicated and how the communication is structured.
One of the easier ways to build mindfulness and increase stakeholder engagement is through an anti-phishing program that includes regular testing of end users' susceptibility to phishing attacks. These tests and their output lend themselves well to providing immediate success/fail feedback to the end user, and to rich, engaging reporting that can draw stakeholders into the Cybersecurity program.
Performing threat event and scenario walkthroughs collaboratively is an excellent way to draw in subject matter expertise and develop a common understanding of the most probable and most harmful Cybersecurity incidents. The output of this collaboration would be a scenario catalog linked to both Cybersecurity risk management and operational activities. This catalog would contain plain-language descriptions that can be easily understood by multiple stakeholder types. This plain-language approach, and the bridging of the operations and risk management realms, helps create a collective mindfulness across the entire Cybersecurity program.
I believe that applying High Reliability Organizational principles and creating a culture of “Cybersecurity mindfulness” has the ability to reduce the probability of a business being a victim of a successful cyber-attack. At minimum, I believe it has the potential to reduce the impact of a breach to a customer’s data and improve Cybersecurity investment prioritization.