When Cyber Security Breaches Are Inevitable, It's Time To Call For A New Approach
At the TED Conference in Vancouver this year, our Radical Innovators foundation hosted a forum with more than 60 of the world’s top CHROs, CIOs, and founders. On the agenda: how new technologies like AI and quantum computing can elevate our human experience, transforming how we work and live together.
Despite the hopeful purpose of this impressive community, we also felt compelled to host a session on a more troubling topic: how these same emerging technologies will supercharge cybersecurity threats. We asked thought leader and CISO of T-Mobile, Jeff Simon, to facilitate this future of security discussion with an impressive list of very engaged tech execs.
Their interest in the subject was no surprise: The hyperscaling of cyberattacks in the cloud era is scary. According to research from Proofpoint, 94% of cloud customers were targeted at some point during every month of 2023. Of those targeted companies, 62% were successfully compromised. In the wrong hands, emerging technologies will increase the success rate of cyberattacks.
Coming out of that session, I followed up with a few of the radical innovators. The general sentiment was that successful hacks are now an inevitability, since the teams and tools at their disposal cannot scale to match the threat. “We need to start with the assumption that the system is already compromised,” says Ajay Waghray, CIO of PG&E Corporation, a California-based utility. “But my fear is most CISOs remain too narrowly focused on stopping breaches alone.”
So I dug a little deeper with Waghray to design a methodology to address this inevitability that any of us, particularly board members, can take to our technology leaders.
Enter the world of cyber resilience
During the pandemic I did a lot of research on team resilience. I found that resilience requires the ability to not just recover from a setback, but to bounce forward—to engage in a way that leaves us stronger than before. This mindset aligned with Waghray’s view of cyber resilience. He believes we need to do more than deflect cyberattacks: we need to build the capacity to sustain business operations during and after a cyberattack. He believes we do this by adding business continuity and organizational resilience strategies to more traditional information systems security.
Looking for solutions that help companies bounce forward, I met CEO Bipul Sinha. Sinha leads a hot cyber resilience firm called Rubrik and he says cyber resilience requires two key elements: knowing where sensitive corporate data lives (to quickly restore standard business operations) and the ability to evolve existing security policies to prepare the organization for future threats.
“Knowing that cyberattacks are inevitable, leaders must do advance work, to have the policies, systems and strategies in place so that when the attack happens, the business can keep moving forward,” says Sinha. “But the work doesn’t end there. You must learn and evolve in the aftermath of every attack to get stronger. And that requires a new organizational mindset.”
Venture capital is also taking note of the shift towards cyber resilience. Ravi Mhatre is partner and co-founder of Lightspeed Venture Partners, a global investment firm that boasts high-profile wins with companies such as Mulesoft, Nutanix, Nest, and Snap Inc. Mhatre says Lightspeed has significant stakes in several next-generation security technologies, with an understanding that threat mitigation and containment will be essential to building a truly secure enterprise. "We need evolutionary thinking about cybersecurity," he says, pointing to Lightspeed's investments in Rubrik, Wiz, 1Password, Arctic Wolf, Netskope and Cato Networks. “The way we see it, the current threat environment requires more than a strong perimeter."
Once you accept cyber resilience as the way forward, what do you do about it? Waghray identified four key elements of a cyber resilience and recovery posture: planning, practice, proactive detection, and partnerships. These elements are a great starting point for conversations about adopting a cyber resilience posture.
Planning: Recent changes to cybersecurity policy prioritize planning as essential to an effective cyberattack response. Some of these regulations require a public, regularly updated resilience plan that extends far beyond traditional cybersecurity tactics to include a full recovery of business systems and the timely restoration of business operations. The board and executives must demand a policy for frequent, offsite backup; if backup procedures are not adequate to meet the moment, the business will not be able to recover without experiencing loss.
This will require some investment in technology. Front-line technologists like Nate Brooks, Technology Services Manager at American Family Insurance, need the right tools to manage an inevitable cyberattack. “We have a single pane of glass and real-time insights into our resiliency status, security footprint, and data observability,” he details. “This gives AmFam executives the peace of mind they need to protect our customers' data and keep our business running.”
Practice: Things can get chaotic during a cyberattack, even with a planned response in hand. Team members must know their roles and how to communicate with each other, and that requires regular fire drills.
Richard Agostino, Senior Vice President and the Chief Information Security Officer at Target, says that running regular cross-organizational simulations can build institutional muscle memory and minimize the “fog of war” that can roll in during a cyberattack. It can also expose fail points and vulnerabilities in the plan, which should be continuously updated to reflect the evolving realities of the threat landscape.
“Even the best documented response plan is bound to fail in a crisis if the team hasn’t practiced together,” he says. “Regular simulations provide a safe environment for everyone involved with the response—from IT teams to senior leadership—to improve together, prior to a real-world crisis.”
Proactive Detection: Early detection is essential to limiting the impact of a cyberattack and quickly restoring the business. That means getting the right level of visibility into what’s happening on your network.
One way to do this is to deploy a security service edge (SSE) or secure access service edge (SASE) solution that controls access to a network—on-premises, cloud, or hybrid—and monitors the flow of information and activity. When successfully implemented, SSE and SASE controls provide advanced data protection capabilities that maximize your visibility of data flows, help you protect data wherever it moves, and let you inspect cloud, SaaS, web, and private applications at a granular level.
In action, these controls enable you to flag suspicious logins, send alerts about anomalous activities, and automatically enforce counter-attack policies. “If you know when the attack happened and what was attacked—and you took quick action to limit the blast radius—you will have fewer systems affected,” says Netskope CEO Sanjay Beri. “You will protect more data, limit exposure, and recover more quickly.”
Partnerships: Cyber resilience is a team sport that begins with executive and board-level agreement on the resources required to build recovery and resilience protocols. The IT and InfoSec teams must also be aligned with the executive/board-level policy to ensure cybersecurity strategies and tactics match the new threat. Waghray also promotes collaboration with other players in your industry and the public agencies that set and enforce cybersecurity rules. Collaboration among experts at all of these levels can help keep cyber resilience best practices up-to-date.
So What Now?
Any leader who is concerned (as I am) that emerging technologies will supercharge cyberattacks needs to embrace a position of cyber resiliency. But this may take some doing. Many CEOs, CISOs, and Board members have invested significant time and treasure in the old model of cybersecurity. Budgets have already been set. Vendor relationships are already established. But we must not let groupthink and organizational inertia prevent us from adapting to the future.
It's this kind of intellectual flexibility that guides Rafi Khan's thinking. As CISO of NJ TRANSIT, he is responsible for security and resilience of the IT systems that nearly 500,000 commuters count on every day. "It’s imperative that nothing interrupts our business," he says. "We’re committed to the ongoing and necessary work that gives our data resilience and helps us reduce our risk as we face ever-evolving, and inevitable, cyber threats."
IT & Leadership, One Connection at a Time | Author on Professional Networking
3mo: Great job, Keith! Sounds like an amazing forum. Super excited to check out your thoughts in the Forbes piece!
Associate @ Paul Hastings | Cybersecurity, Privacy Law
3mo: Planning and preparing for these events is so important. Not only does it help organizations respond quicker, but it can also identify and remediate gaps before they can be exploited.