Part 1: Market Trends Impacting Cybersecurity and Compliance Program Design
Over the last five years, a number of high-profile hacking and data breach events have created a tectonic shift in executive-level awareness of and interest in cybersecurity. This website provides a visual image of the data breaches by date and size:
As the media became intrigued with hacking and cybersecurity and began to sensationalize the criminal events and activities performed by various groups, executives and boards of directors became more aware of the risk that their organizations, employees and customers were facing on a daily basis.
These breaches exposed consumers and businesses to significant criminal exploitation and risk, the very thing that regulatory compliance frameworks such as PCI, HIPAA, SOX, NIST and others were created to mitigate. Based on these trends, PCI, HIPAA and other regulatory bodies began to enforce their regulations more aggressively, resulting in an increase in fines, penalties and other disruptive actions against organizations that have been breached or that are found to be out of compliance.
The increase in data breaches, phishing, ransomware and regulatory actions over the last 24-36 months has increased executive-level attention to and awareness of cybersecurity and regulatory compliance. This has led many executive teams and boards of directors to allocate more capital and operating budget towards cybersecurity and compliance. These groups are also beginning to work through how best to measure, track, report and communicate about these topics among themselves and with their management team, employees, vendors and partners.
At this point in time, significant work remains to be done throughout the industry in terms of establishing effective cybersecurity and compliance risk metrics and measurements, how best to report against those metrics, and how best to communicate and collaborate about these topics. Cybersecurity and compliance teams are struggling with how best to communicate to executives and boards of directors about these topics, because the level of knowledge and understanding of cybersecurity and compliance at the executive and board levels of organizations is still developing. That said, the number of training and certification courses on these topics designed specifically for board directors and executives is increasing significantly. Many executive teams and boards still approach cybersecurity and compliance topics through two main lenses or perspectives: A) Are we fulfilling our fiduciary duty? and B) How do these topics impact our risk management program and approach?
Note: Vertek has completed a series of Executive Level Presentations on How to Communicate About Cybersecurity to the C Suite and Board of Directors. Reach out to us at www.vertek.com for a copy of those presentations.
The increase in threats and risks, and the diversification of threats and attack methods, are core items and trends to consider as companies attempt to design and build sustainable cybersecurity and compliance programs. At the same time, cybersecurity and compliance awareness, education, comprehension and communication at all levels of an organization are additional items and trends to understand and consider as a company begins to design and build its programs.
TECHNOLOGY & BUSINESS TRENDS
Below are a few additional trends to take into consideration while designing a cybersecurity or compliance program:
- Security scans and services performed by traditional Security Operations Centers (SOCs) are expanding. This expansion of scanning and services is beginning to transform the traditional SOC into a Security Intelligence Center (SIC). Security Intelligence Centers provide all of the same scanning, reporting and remediation support services that SOCs provide, but they also scan and report on threat types and activities at the local, regional and national level and across geographic, financial and political dimensions. This provides a holistic view of cyber, physical, financial and military or criminal threats occurring across a country or within a specific state, city or physical location. Read more about this trend by viewing this video: https://www.darkreading.com/operations/from-soc-to-sic-transforming-security-operations-centers/v/d-id/1324523
- Threats are becoming highly focused, more targeted and organized, and can be orchestrated using unsuspecting human and cloud (or other) technology assets. There have been many recent alerts published by the federal government and various agencies such as the FBI about the increase in phishing, spear phishing and whaling. General phishing is a broadcast email cast out to thousands or millions of email addresses at one time. Spear phishing typically targets a group of people, an organization or a large number of organizations, while whaling targets specific individuals and, through social engineering methods, spoofs or exploits those individuals, causing them to disclose passwords, send sensitive data, provide access to protected systems or wire transfer small or large amounts of money. These trends are alarming and increasing in frequency, but they can be directly mitigated with security education, training and awareness, policy documentation, and ongoing enforcement and education. Over the last 12-36 months the number of books, articles and presentations at major industry events such as RSA, Black Hat and DEF CON on “Hacking the Human” has increased. Hackers and criminals are exploiting human nature and the general lack of cybersecurity and risk understanding, awareness or consciousness among employees and consumers. This is a “back to the future” trend in which hackers and criminals use malicious physical techniques for committing crimes and fraud and blend those techniques with cyber-attack methods. These social engineering attack trends need to be taken into consideration when developing cybersecurity and compliance programs.
- Cybersecurity and compliance programs across most industry segments are still immature and evolving. They are also still being integrated into larger, more established risk management programs. Using the CMMI maturity model as a baseline (0 being reactionary and unautomated, 5 being fully automated and proactive), a large percentage of organizations across most industries are at a low maturity level in terms of their cybersecurity and compliance programs. That said, given the rate of change in threat types, methods and frequency, and the trends mentioned above, even organizations that have mature cybersecurity and compliance programs need to re-architect and optimize their architecture, organization design, service types and programs. This includes determining how best to integrate cybersecurity and compliance into existing risk management and governance programs, models and methods.
- Businesses and organizations of all sizes and types are targets – not just large global enterprises. Also, cyber insurance is becoming pervasive in the market. The majority of industry research published over the last 3 years has highlighted that small businesses across all industries and geographies are being targeted and are more prone to cyber-attacks. They also have a higher mortality rate post-attack than larger, more financially viable companies. While cyber insurance is becoming pervasive, the need to have an experienced attorney and broker involved in the process is high. There are many exclusions and nuances in cyber insurance contracts that need to be considered prior to securing the insurance. These nuances can give the insurer an opportunity to refuse coverage in the event of a breach or social engineering occurrence.
- The government is becoming more active in promoting cybersecurity awareness and assisting local businesses with responding to attacks. Over the last 36 months, the government has increased its awareness campaigns and regional activities to work with states, cities, local municipalities and commercial businesses and leaders to share information and intelligence on cyber-attacks and threats. Organizations such as InfraGard are actively involved with local businesses and leaders and work with the federal government and its agencies to create information and intelligence sharing and distribution pipelines that better prepare organizations for threats and assist them with responses to cyber, terror or criminal attacks.
The trends mentioned above are critical items to consider when approaching how best to design a sustainable cybersecurity and compliance program.
Look out for Part 2 of this series that will cover Cybersecurity Program Design and Build Considerations.