More than meets the eye: Operationalising cyber best practices
Cybersecurity standards can significantly improve an organisation's security posture, but their effectiveness depends on an implementation that is tied to the organisation's desired security outcomes, rather than treated as a checkbox exercise.
Speaking to GovWare, Siddharth Deshpande, Field CTO - Asia Pacific and Japan at Palo Alto Networks, shared an anecdote about an organisation that had put in place a mechanism to classify all its data.
But while this ticks the checkbox for “data classification”, it turned out that there were no controls in place to act on it. Specifically, there was nothing to prevent data classified as “sensitive” from leaking outside the organisation, he noted.
Going beyond the letter of the standard
Such examples are common across the industry, says Deshpande. In another anecdote, a business had encrypted its data but did not adequately protect the identities of employees with access to the encrypted data.
“You want to understand the spirit of the standard, not just the letter of it. You want to understand why data needs to be classified and therefore you need to bake that into the compensating control.”
Deshpande was quick to clarify that he isn’t criticising organisations in similar situations, but merely highlighting the fact that everyone is at different points of the maturity curve.
“And as organisations realise the importance of embedding security and risk management practices into the workflow of their business, these things start getting implemented – and leveraging technology instead of being manual processes.”
So when is the right time to implement standards and best practices? The sooner the better, says Deshpande, who cited technology’s current darling, generative AI, as an example.
“The best practice I would suggest is embedding some of these standards, practices, and outcomes you want into the workflow of experimental projects such as generative AI as they are piloted.”
The reason? Today's experimental project is tomorrow's production system, and trying to introduce security controls cold at that point is going to be a "hard sell".
“But if you're prepared to be there as they are piloting these projects and embedding it into their workflow, that increases the chances that these practices will be operationalised in a much better way when it eventually hits the mainstream,” Deshpande explained.
How ready are you?
Is it possible to walk into any organisation and quickly tell when standards or best practices are not being implemented correctly? According to Deshpande, a “big symptom” is how long it takes to get answers to simple questions.
“I want to know who are my riskiest users, or which are my exploitable assets that are exposed to the internet? And how does it map to all the compliance standards that we have in place?” he asked.
Organisations that have to scramble by reaching out to multiple individuals or collating manual reports might not have everything fully in place, he says, noting that manual efforts are “not scalable”.
“The really good outcome would be if you have a place where you can answer those questions in an intuitive way for the business; if the cybersecurity standard helped you evolve your cybersecurity program to a point where you can answer business questions. That, I think, is a sign that it has been implemented properly.”
“Also, is the organisation getting better at tracking cybersecurity metrics as a result of having the standards in place? It's often not a direct correlation. But if the organisation is getting better at reporting and measuring cybersecurity metrics, it means that the standards they have implemented are done with the correct intent and in the correct direction,” he said.
Primed for success
Of course, nobody likes change, including the new processes or procedures required for a new cybersecurity standard. How can cybersecurity leaders establish trust and help ease the transition?
“I think the first thing is to put together a cross-functional group involving the leaders from different stakeholders. You need to make sure that you openly communicate the delta or the gap in effort required to attain the new standard.”
It is worth noting that cybersecurity standards don't materialise overnight; they are usually visible well before they take effect. The cybersecurity teams that can demonstrate they have used that time to prepare on the business's behalf will likely earn trust from the get-go, says Deshpande.
“It shows that the team is proactive and that stakeholders can come onboard knowing this is something that can be worked on in a practical sense,” he said.
A new standard is also a litmus test of the security vendors and platforms an organisation already has deployed: "This is a very important gauge of your provider. If your vendor is a true partner in your journey, they would be aware that your industry is coming up with a new standard, and would have the ability to provide support for that when it's released."
“It's not just whether the [new] standard is supported. It's about whether your technology vendors and their platform can support the evolving needs of the industry.”
It goes back to the people
Ultimately, the strongest pillar of any organisation is its people. This makes it vital to establish a culture of trust where employees are empowered to make the right decisions to protect the business, says Deshpande.
He pointed to how CEOs and other senior executives are increasingly being impersonated across various channels. A culture of fear and uncertainty around cybersecurity could leave employees reluctant to raise the alarm when they receive such a request.
“When you have reached a point where the users in your company are empowered to ask the correct questions, and they're not fearful, that means there is an open culture around improving your cybersecurity defences.”
“In a culture of transparency and openness, employees can become your biggest asset by following cybersecurity processes and thinking on their feet. They might say: I’m being asked to do something that is not normally requested; I am empowered to ask or verify this attempted communication in the interest of the business.”
“When we start applying the same principles of risk and trust that we do in the physical world to the digital world, that's a good indicator that an organisation has made good progress with building a culture of security in the organisation,” he summed up.