Secure by Design : Taking a Strategic Approach to Cybersecurity

Home , Information security, Secure by design

SECURE BY DESIGN : TAKING

A STRATEGIC APPROACH TO CYBERSECURITY

THE CYBERSECURITY MARKET IS OVERLY FOCUSED ON AUDITING POLICY COMPLIANCE AND PERFORMING VULNERABILITY TESTING WHEN THE LEVEL OF BUSINESS RISK PRESENTED DEMANDS A HOLISTIC RISK ASSESSMENT AND AGILE SECURITY ARCHITECTURE TO BE PROACTIVELY DEVELOPED.

INSIGHTS

all to protect themselves from 3 A STRATEGIC AND HOLISTIC 1 THE THREAT FROM 6 hacking . APPROACH IS NEEDED TO CYBERATTACKS IS CLEAR ADDRESS THE THREAT AND ACKNOWLEDGED That aside, cybersecurity is starting EFFECTIVELY to get the right level of attention Nearly all UK corporations have within large corporates. It is no The cybersecurity ecosystem is seen hackers successfully penetrate longer just seen as a policy issue, a disparate and encompasses their IT systems in an attempt to compliance issue, or an IT issue. professional services firms, steal, change or make public their Instead, it is now seen much more technology vendors, defence sensitive data1. Criminals are not as a strategic and corporate risk system providers, IT systems only targeting financial institutions issue, which has to be considered integrators as well as niche or looking for financial data, they throughout all internal project cybersecurity specialists. However are also now seeking personal data lifecycles and as part of ‘business- in most examples the focus of these of employees and customers, as-usual’, not just as a one-off organisations can be traced back to corporate intelligence and to hijack activity. Board members of many their roots; for instance many of the IT infrastructure for criminal use. firms now hold the CEO primarily professional services firms offer The UK Government’s National responsible for cybersecurity, with security audit services, building on Security Council recently the CIO as the second-most their financial audit experience into announced that attacks on responsible executive, showing the a new market to fill an emerging computer networks are among the importance of cybersecurity within gap. As a result, many services in biggest emerging threats to the UK, the organisation. the cybersecurity advisory market ranking them alongside terrorism tend to be based on audit and and flu pandemic as the key compliance checks against industry dangers to the UK’s security. and government standards 2 THE ELEVATING PROFILE OF including ISO27001 and CESG Recent high-profile attacks CYBERSECURITY HAS YET TO Assured Service (CAS). reported across a variety of TAKE REAL EFFECT industries include: Technology vendors and defence In a recent survey on behalf of the system providers have also been • Fiat Chrysler, who had to UK Department for Business able to offer cybersecurity advice recall 1.4 million vehicles in Innovation and Skills and but this has predominantly been the US for an upgrade to contributed to by 200 corporate focused on whether the hardware the computer systems, after directors, just over one third said and software within the IT security researchers cybersecurity in some capacity was environment of a company and its demonstrated they could discussed at every board meeting security architecture is fit for take full control of a Jeep and nearly half said it was discussed purpose at that point in time or at 7 Cherokee from 10 miles at most meetings . This is likely to the point of installation. Only a few away by hacking into its on- be a significant increase from 2 have developed genuine creative board computer system comparable responses 12 months capabilities by addressing both the • Carphone Warehouse, who ago. However, two thirds of board business and the technical risk acknowledged a serious members are not confident of their perspectives and therefore offering data breach that may have companies' in-house ability to fully advice in a more rounded holistic seen the banking details of defend themselves against way. This holistic approach requires 2.4 million customers stolen cyberattacks with only 4% being 3 knowledge of business risks and the by hackers "very" confident of their defences. security standards and how these • Hacking rings that have Despite this lack of confidence, can be applied to the technical targeted three integration of security into the architecture and end-user business pharmaceutical companies design of new products ranked environment. This must be in the last 18 months to get second to last in priority when underpinned by knowledge and access to details for their considering the development of 4 learning gained from recent financial gain new products and services. industry cyber-attacks to determine • Telstra’s newly acquired The limited amount of new the best prevention strategies to Asian subsidiary, Pacnet, manage risk. had its IT network hacked products being released within the into, just before the security area, together with the acquisition took place5. rapid increase in volume and criticality of the threats in recent Whilst the majority of firms are times shows that the level and actively engaged in setting up availability of technical knowledge security governance policies and of the cybersecurity field as a whole carrying out security audits to aim has not grown at the same pace as to safeguard themselves against demand. cybercrime, almost one tenth of UK firms have not acted in any way at

The diagram below illustrates the complexity of the ‘cybersecurity industry’ and the diversity of companies that are within it, all offering slightly different services and advice to businesses from their own individual perspectives. Wavestone believes organisations need ‘Cybersecurity Domain Specialists’ that offer a more holistic approach to cybersecurity by drawing in the knowledge and expertise across all areas of the domain.

to occur. However, it is not unusual proactively build security into the 4 CORPORATIONS AND THEIR to find that a few months later they design of services instead of adding ADVISORS NEED TO have been subject to a cyberattack. layers of security at a later stage in ADDRESS AND MITIGATE To be cyber-secure requires hitting reaction to events. RISK AT A BUSINESS LEVEL a moving target: the assessment The cybersecurity market can and mitigation of cyber-attacks 5 HOW TO INITIATE THE become overly focussed on requires continuous and proactive “SECURE BY DESIGN” auditing policy compliance and risk management to be part of the APPROACH performing one off vulnerability security strategy. To address the challenge of “secure tests when the level of business We advocate that organisations by design”, the Chief Information risks demands a more holistic risk shouldn’t build a castle without Security Officer (CISO) should assessment across its entire estate internal protection within its walls, organise their team to provide and an agile security architecture to instead they should build along the expert support to all projects and be developed in defence, which is lines of the airport model with product development activities. monitored and reviewed on an multiple layers of security that Their objective should be to build on-going basis. monitor and adapt to threats as mutualised security services and to Some companies have independent needed. They should seek specialist increase the security competencies audits carried out which confirm professional support to ensure that of project managers, developers that they have fully met security ‘secure by design’ principles are and architects: compliance standards. They may adopted across the business and The first step should be to even have had their IT network permeate through all business • ensure that any project redesigned or upgraded to make it processes, products and services. management process harder for a cybersecurity attacks The objective of this approach is to includes an initial

“information security ABOUT US assessment to identify Wavestone is an international whether the project consultancy that provides involves a number of connected thinking, insight and security-critical areas. For capability to industry leading example, does the project organisations. We work require the usage of collaboratively with our personal data, of payment clients to plan strategic business information, confidential transformation and seamlessly turn data or a direct connection strategy into action. to Internet? Each affirmative answer will increase the level of attention required by the FIND OUT MORE project. Projects requiring a If you’d like to find out more, please high level of focus will often contact us by calling at +44 20 benefit from the including a 7947 4176, or via email at security expert in the [email protected] or project team. visit our website at • To ease the integration of www.wavestone-advisors.com security in the project, the CISO should also consider building security commodities. Capabilities 1http://www.computerweekly.com/news such as database /4500248063/Nearly-all-UK- encryption or strong corporations-have-been-hacked-a- authentication will be survey-shows 2 required by many projects. http://www.computerweekly.com/new The ability to standardise s/4500250565/Fiat-Chrysler-recall- security services is a highlights-importance-of-security-by- design keystone to ensure security 3http://www.finextra.com/news/fullstor will be really integrated into y.aspx?newsitemid=27707 all projects. 4http://www.fiercebiotechit.com/story/f • Finally, to enhance the inancially-motivated-hackers-break-3- security by default, the major-pharma-companies-18- training of the developers months/2015-07-10 5 and architects is required. http://www.computerweekly.com/new As of today, many project s/4500246705/Telstra-Pacnet-hack- shows-telcos-are-a-prime-targets-say- team members have a security-experts limited awareness of 6http://www.computerweekly.com/new security threats – as a result s/4500248063/Nearly-all-UK- applications are built corporations-have-been-hacked-a- without security embedded. survey-shows 7 Often, just before being put http://www.computerworlduk.com/ne in production, audits show ws/security/cybersecurity-now-being- numerous security flaws, discussed-at-most-board-meetings- survey-shows- adding delay to the project 3613503/ and increasing the cost as remediation is put in place. To fully implement a global, integrated “secure by design” culture in a large organisation is a long-term strategic activity and may take between 3 and 5 years. However, the first quick wins can be obtained in around 3 months with the support of a ‘Cybersecurity Domain Specialist’. It could deliver considerable cost savings as information security related costs can range from 2% to 20% of total www.wavestone-advisors.com project cost.