Censys: The World of Attack Surface Management
Philippe Lopez is the senior manager, international cyber risk, at Commonwealth Bank Hong Kong.
Opinions expressed by EM360 contributors are their own.
CEOs, and their chosen business leaders, must come to the realisation that they are Generals of the newest global battlespace: the cyber domain.
As industry leaders, CEOs are in a privileged position to lead the strategy and operations of critical assets that are inextricably linked to the economic health of nation states. They contribute to the nation’s economic health through employment and taxes.
In some cases, businesses and their assets are sovereign critical assets, and will often be protected directly by the State (most notably seen in the last decade through the bailouts of key financial institutions during the Global Economic Crisis).
CEOs and business leaders must be accountable. And Generals must set a strong strategy. The strategy of successful business operations includes the protection of the assets that help achieve market penetration and dominance.
In this digital age, these critical assets are the people, processes and technology that innovate, create, build and sustain the critical digital infrastructure and services that enable a business to achieve its mission.
The CEO’s mission is most usually to deliver and sustain a product or service that is a point of difference in the market, and to serve customers reliably and efficiently to make a profit.
In a digital marketplace, the mission assets are underpinned by data and information. Consequently, to succeed in the digital and cyber domain, business leaders must assume a data-centric strategy. Data is the key to business success. It must be protected.
Like any General in the other battlespace dimensions (land, sea, air and space), the cyber General must formulate and establish a plan that has an effective offensive and defensive strategy.
This is a challenge, as human nature gravitates towards focusing on a strong offensive strategy, often at the expense of a solid defensive strategy. However, losing sight of your defensive strategy may be a catastrophic error in judgement in the cyber domain.
Why is that? Simply put, there is no financial parity in the cyber battlespace. It is orders of magnitude less costly for cyber threat actors to execute an offensive action than for companies to defend their critical infrastructure. In the case of Distributed Denial-of-Service (DDoS), threat actors can subscribe to DDoS-as-a-Service for as little as $5 an hour, while combating the attack can cost companies upwards of $100,000 an hour.
To succeed in cyber warfare, a good cyber General understands and executes the following five principles:
· Operations and capability are defined by the threat. The first step of planning is knowing your enemy. Threat Intelligence should drive the operational strategy and inform the capability definition. Is your Security Operations Centre (SOC) intelligence plugged into your strategy development and IT needs analysis?
· The strategic corporal. No matter how big your cyber security workforce is, it will never be able to scale to the global threat. Every member of your workforce must become a “strategic corporal”. They must all be inculcated with the principles of cyber security so that each and every one of them can defend their patch of dirt. Is security baked into your culture?
· Remain flexible and agile. Manoeuvre warfare was a key differentiator in the success of the Germans during the first half of the Second World War. It took the West some hard-earned lessons to adjust and respond accordingly. Similarly, the TTPs (tactics, techniques and procedures) executed by cyber threat actors are becoming increasingly agile. Defence does not stop with one successful business case. What is your plan for continuous improvement of your cyber security posture?
· An army marches on its stomach. Ensure that your digital workforce, including your defensive function – your cyber security workforce – is adequately resourced. Are you setting aside adequate budget for cyber security?
· Accountability. Be accountable for your actions. A good General does not transfer accountability to their staff; they take ownership. They realise that they must take a proactive and ongoing role in the cyber security posture of their business. The CISO is not a goat on a tether. Are all your leaders accountable for assuring the protection of their assets?
One last point. Although some governments and regulators are working closely with big business to define how to protect the cyber security domain, they cannot be relied upon to be the “cavalry over the hill”. They may not be there when needed. Aim to be self-sufficient in the cyber battlespace, and you will be able to conduct business operations with freedom of action and manoeuvre.
Now CEOs – go forth and conquer!