As the world deals with one of the most destructive pandemics in history, we are now at a crossroads in understanding the role of security and risk. We have always been a reactive society when it comes to dealing with security and many organizations are seemingly more concerned about controlling costs than containing risk.
Although we definitely saw security’s importance in the organizational hierarchy spike after 9/11, as well as during the cyber breaches of the mid-2000s, the thought of spending more than 10% of any operational budget to secure company assets seemed ludicrous. According to research commissioned by IBM, a company should ideally spend around 13.7% of their IT budget on cybersecurity. However, just 14% of organizations spend more than 10% of their allocated IT budget on security. Although most companies who were surveyed had determined that security was a priority, the business case lacked the support of the executive or board to allocate the appropriate budgets
In an August 2020 article in CSO magazine, writer Bob Violina wrote: “When asked to identify which business initiatives will be most significant in driving IT investments at their organization in 2019, 40% of the IT executives cited the need to increase cybersecurity protections. That was tied with increased operational efficiency for the most common response, and finished ahead of improving customer experience, growing the business, transforming existing business processes, and improving profitability.”
Higher Breach Activity to Follow
While we often see the intent, we often do not see the execution and crucial follow up. For most organizations, data, segmentation, as well as governance tied to Continuity of Operation Plans are very immature. My belief is that organizations who have not converged domains to be managed in a cooperative manner across IT, OT, PS and IoT are now feeling the effects of not only the onslaught of the COVID-19 pandemic but will be seeing a dramatic upswing in breeches even greater than the numbers seen in 2019 and 2020 to date.
The COVID-19 pandemic illustrates the fact that most organizations have built security as a patch rather than a part of their overall risk posture. It is this that concerns those who understand that the ramification of this pandemic and our poor preparation to deal with the shift of workload from on-premise to remote has opened a portal for the bad actor and the nation-state syndicates.
Without immediate attention to assessing enterprise security/risk posture across the domains of IT, OT, PS, and IoT through a converged gap assessment and then tying this to governance across all the silos, I suggest that we are in for a long and dangerous road. The level of concern is highlighted by the lack of appropriate and effective reaction to operational effects government agencies, as well as corporate infrastructure, are experiencing during this shutdown.
However, it is comforting to see organizations such as NIST with its publication of NIST 1800-25 Data Integrity, Identifying and Protecting Assets Against Ransomware and Other Destructive Events, is clearly helping define what can be done to incorporate salient policies and procedures across all business units. We no longer can define cyber exclusively within the world of IT. It must be a converged conversation across the entirety of our business operations environment.
A Converged Solution
Multipurpose systems, as well as building processes that incorporate IT, OT, PS and IoT across the business silos, while defining a converged governance approach, are better positioned for allowing continuity of operation plan to work in times of global distress such as what we are seeing today. A converged kill chain must be in existence across all domains and the philosophy of correlated event-tracking should immediately be employed across IT, OT, PS, and IoT functions. The current gaps that are present within most organizations remain substantial.
It is critical that the unified and converged kill chain become an integral part of the process now and into the future to aid in uncovering the gaps across these domains.
The solution which the CSA Academy has illustrated as their Unified Kill Chain is an important step in defining correlated event tracking across domains and business processes. Inevitably, we are approaching a point of no return, especially after the effects of the COVID-19 Coronavirus pandemic are analyzed. Being able to completely understand the current crisis and create a strategic roadmap to help prioritize secured communication, identity/access control and secured cloud architecture is key. The ultimate goal is to build a proactive plan that defines the process of identifying and creating preventative strategies that will mitigate the risks inherent to the destructive nature of workforce disruption and business interruption attributed to the COVID-19 pandemic. The hope is that this horrific experience will convince organizations that their immediate attention is required to perform comprehensively unified and converged assessments that will align the organizational model with the IT, OT, PS, and IoT environment and define their current state of security in a converged interconnected world. This is now our new reality.
About the Author:
Pierre Bourgeix is the CTO and founder of ESI Convergent, a management consulting firm focused on helping companies assess and define the use of people, processes, and technology within the physical and cybersecurity arena. ESI Convergent was formed to not only help end-users but also manufacturers in defining the proper strategy to drive products successfully into the marketplace. As a thought leader in the Security Industry, Bourgeix has helped companies successfully launch and position products and solutions globally. ESI Convergent can produce market analysis, product briefs, product specifications, Physical and cyber assessments, and advisory practice surrounding cyber and physical security convergence in the security and risk management arena.