In collaboration with Kearney and AWS

Enterprises’ operational technology (OT) is increasingly exposed as it moves online and becomes interconnected. With automated systems now employing application programming interfaces (APIs) to exchange real-time information across networks, the risk of data breaches (via software updates and unauthorized access) is rising. Those were two key takeaways from Kearney’s recent interviews with leading cybersecurity practitioners.

At the same time, new technologies, such as crypto attack tools and ransomware-as-a-service, are now readily available on the dark web, making it easier to launch an attack. Concurrently, bad actors are getting better at disguising their activity and intentions. Indeed, organizations, rather than individuals, are increasingly drawing on their R&D capabilities to carry out sophisticated attacks employing more automation and greater stealth.

The risks arising from these technological shifts are being exacerbated by socioeconomic shifts, such as the rise of working from home, a cost-of-living crisis, and greater geopolitical tensions, as nation states now see cyber weapons as one of the most cost-effective means of waging war (see figure 1).

As policymakers grasp the dangers, governments are increasing regulatory requirements and oversight on businesses, particularly those designated as critical infrastructure, with greater financial liability for cyber negligence and non-compliance. 

Today, cybersecurity is often bedeviled by cultural, talent, and communication challenges, particularly between the C-suite and the IT professionals. All too often, IT and cyber metrics fail to align with operational or financial outcomes, meaning business leaders don’t give them enough attention.

As a result, cybersecurity is still largely reactive and tactical, rather than proactive and strategic, leaving enterprises overexposed. A lack of management support and understanding of the nature of their cyber risks, together with the recession and talent shortages, means expenditure is not being optimized for maximum impact on the situational cyber risk of the enterprise.

In many cases, an undeserved assumption and assignment of trust to products and services is introducing a significant form of cybersecurity risk. Lax practices associated with “bring your own device” programs have opened the door to corporate systems. Third-party support organizations are also often granted an unwarranted level of trust and excessive privileged access to key IT and OT systems. This large and unnecessary risk can be greatly reduced with nominal investment. Right-sizing privileged access should be an early priority.

To address these challenges, enterprises need to work their way through a three-stage process (see figure 2). The first stage is to implement key foundational concepts and controls that enable you to reduce your risk surface area and to firefight effectively. The second stage involves developing cybersecurity as an integral part of the culture and assignment of resources to address risk and to become a driver of business value. In the final stage, you are ready to judiciously select the emerging advanced technologies and techniques that promise cybersecurity excellence and focus more on superior operational integrity and the delivery of top- and bottom-line financial impact. In our interviews with expert practitioners, it was clear that very few businesses have made it to this third stage.

Begin by generating a full picture of the status quo: consider exactly who has access to organizational systems, infrastructure, and data and on what basis by identifying and challenging all areas of “assumed trust.” Revisit your outsourcing arrangements to identify potential vulnerabilities. At the same time, the business should identify its critical assets (which are increasingly likely to be data and information), the threat to operational technology, and how much risk it can tolerate. For those critical information assets, consider the risks across the entire data life cycle: data can be compromised when it is created, transported, stored, consumed, and disposed.

Once you have a full picture, you can begin to prioritize your efforts and isolate functional system environments wherever possible, eliminating all unnecessary privileged accounts from production. Compartmentalize sensitive data and minimize copying or even access. It is also important to build awareness across the organization, while developing an incident preparedness and response playbook, which outlines how to explore and respond to a disruptive incident on the basis that it is likely to be cyber compromise.

These measures are the foundations of a modern cybersecurity strategy—if they are not in place, they should be given greater executive and management focus and effort and developed as a priority.

Operational resources and capital investments are crucial to effectively counter cyber risks. But not all CEOs and CFOs recognize that cyber investments can significantly move the needle and generate an attractive return. Developing a business-led cybersecurity strategy framework will help to build that understanding. This framework should clearly link the cybersecurity business case (based on a reduction in attacks and breaches) with the value assigned to the risk. Note, investment in cybersecurity should be dictated by risk, rather than compliance.

Cybersecurity metrics need to show both the impact of the cyber threat on core business functions and the impact of threat mitigation efforts over time. For example, the business needs to track the number of incidents where precautions failed to preclude realization of the threat, the time to contain and recover from each incident, and the business impact of the incident. Our research showed that the more mature cyber organizations had business-aligned metrics reviewed with the board and senior management.

The overarching goal at this stage is to build a security culture fully integrated with the business functions, and led from the top of the organization and practiced to the bottom. That will require security to be embedded in IT and development practices, together with the recruitment of appropriate talent and the upskilling of the existing workforce. Robust authentication, authorization, and “need to know access” processes are key to creating the necessary zero-trust capabilities. For more on this topic, see: Transformative technologies: zero trust—the new touchstone in cybersecurity.

During this stage, expertise in cybersecurity becomes a clear source of competitive advantage. It is now very apparent that cybersecurity capabilities are essential to maintaining the company’s market position. As past investment decisions have yielded positive top- or bottom-line results, the business leadership recognizes that investment in cybersecurity will enhance overall operational integrity and improve historic performance by avoiding lost productivity.

In the third stage, the business will be employing advanced cybersecurity technologies and techniques, such as behavioral AI-enabled mechanics (rather than signature-based detection solutions) for advanced authentication and authorization. Using the power of data generated by users (within the boundaries of ethics and privacy), as well as third-party data, leads to greater accuracy, personalization, and more context for cybersecurity measures.

Before you can build the kind of value-accretive cybersecurity strategy outlined in this article, you need to honestly answer some tough questions that will help you determine which stage you are in and what you should do next:

• Are you in denial? Does the leadership believe that the threat isn’t significant, that the business isn’t a target, or that existing defenses are adequate?
• Has the organization passed the buck to a third party? Have you effectively outsourced responsibility to cybersecurity to vendors, in the mistaken belief that it isn’t strategic?

If you have answered “yes” to either of these questions, then you need to focus on getting the basics right. If not, consider the following:

• Do you know how much to spend on cybersecurity? What is the dollar value on your risk appetite, and can you weigh it against your investments in cyber?
• Do you consider security to be an intrinsic part of your business value?’

If you have answered “yes” to these questions, then you may have successfully created a cybersecurity culture and are ready to explore advanced technologies and techniques (stage three).

Figure 3 summarizes the key actions you need to take to become a leader in cybersecurity.

As Steve Schuster, director for AWS security response and engineering, noted in an interview with Kearney, every organization will face a security issue at some point in time. But he stressed that “you can choose how to limit its effect.” If you prepare well, you can minimize the impact on the company’s reputation.