Cyber Security

Luke Hally

Advanced Cyber Risk Monitoring

June 4, 2023

The cyber security industry is increasingly recognising that it needs to adopt mature risk management and monitoring practices in order to elevate the profession and the security function. Moving to this paradigm will allow security practitioners to deliver better value to organisations.

Task

Place yourself in the shoes of a new cybersecurity manager who has recently started at RideWell, a startup car rental company operating in Australia and New Zealand. Founded in 2018, RideWell offers a seamless car rental experience with a fleet of connected smart cars. RideWell is highly dependent on technology, which supports its user experience and has allowed it to scale and operate with a relatively small team.

As part of your first 90 days within the company, senior management have asked you to evaluate the company and produce a 10 minute presentation on why it would make sense for RideWell to invest in moving from a basic security monitoring capability to advanced cyber risk monitoring practices.

Presentation

Transcript

Intro

Hi everyone, thanks for dialing in. We’re here today to review my most pressing task as your Cybersecurity Manager: whether we should move from basic security monitoring to advanced cyber-risk monitoring practices.

Today we are going to:

  • Have a look at what basic security monitoring is and talk briefly about why it’s not enough
  • Be introduced to advanced cyber-risk monitoring
  • Look at the difference between the two and the benefits of changing
  • Conclude with proposed next steps.

First let’s set the scene. Cybersecurity is not just another risk to add to the register; to call it that is to greatly underestimate the scope and scale of the challenge, because one event could ruin our business. Cybersecurity is asymmetric warfare: our adversaries only need to find one vulnerability to be successful, but we need to protect everything.

We have a range of ways to protect ourselves in this war. We use standards: the ISO 27000 series, parts of the NIST CSF, we’re improving our Essential Eight maturity, and due to our government contracts we’ve recently adopted the Protective Security Policy Framework and the ACSC ISM. And we have an IT security team with a range of controls in place, which regularly passes compliance tests.

You’ve all read the Deloitte report, you read about DriveNice – a company not dissimilar to ours, with similar cybersecurity measures – and the disaster they suffered. Let’s find out how we can avoid their fate.

Overview of basic security monitoring

First let’s have a closer look at our current approach, basic security monitoring.

We have a dedicated IT security team who are busy protecting us. They’ve implemented data loss prevention measures, regularly patch software and operating systems, restrict admin access and keep backups. They also have a range of technical controls in place to deter and prevent attacks, as well as to detect and recover from them. These controls are all monitored with systems, logs and other devices.

Monitoring is key to maintaining situational awareness. Situational awareness is knowing what’s going on around us so we can be ready to respond. Our team does a great job at monitoring, collecting a wide range of data from controls such as firewalls, system logs, and intrusion detection and prevention systems, and they are currently investigating options for a Security Information and Event Management (SIEM) system which will bring it all together.

This all sounds very complicated, so why do I call it basic security monitoring? Because although it is technically complicated, it is strategically simple. When I say basic security monitoring, I mean that we simply try to watch everything, and when we see something, we respond.

It’s a simple plan, but like most simple plans it’s difficult to execute. Watching everything generates a lot of data and a lot of alerts that need attending to, like when I’ve forgotten my password, again. All this data means a lot of analysis, and a lot of analysis means a lot of resources, which we don’t have, which nobody has. In fact, our IT security team, and others like them around the globe, do such a good job at gathering data that sifting through it, finding the needle in the haystack, is now one of big data’s biggest problems. No joke.

Overview of advanced cyber risk monitoring

Now let’s have a look at how we as a business can help them to find the needle in the haystack.

Globally we aren’t finding the needle, around 70% of data breaches are detected by external parties, not by internal security teams (Amjad et al., 2016, p. 123). How can our security team filter an ever growing haystack of data so that it can protect our business? Yes, technology can help: automation, smarter tools, maybe even AI. But technology alone will not solve the problem. Increasing the complexity of our systems will exacerbate the problem (Amjad et al., 2016, p. 124), increasing the opportunity for miscommunication and negatively impacting overall security (Malatji et al., 2019, p. 241).

Now that we’ve got a good overview of where we are and the challenges we face, let’s look at advanced cyber-risk monitoring. This is it in a nutshell: the business and IT security working together to identify what matters to the business, so we can put in appropriate risk management strategies, enabling IT security to focus their resources on protecting what matters to the business.

What’s important to your division? Which of your assets need protecting? When was the last time IT security came to you and asked you these questions? 

As a business, we inform IT on which tools and systems we need so that we can operate. Doesn’t it make sense that we also inform them on which assets are most valuable and where we should focus our cybersecurity resources? 

We need to move beyond seeing cybersecurity as purely a technical problem and involve the business in decision making, because it also involves assets, people and business processes which are not technological in nature. 

The benefits of shifting to cyber risk monitoring

When the business and IT work together to identify risks, we create a number of benefits. Let’s see what these are.

By moving to advanced cyber-risk monitoring, we can define and monitor business events (things that impact our business) rather than IT events (Luke’s forgotten his password again). This transforms the ‘needle in a haystack’ challenge of IT security monitoring into a more focused activity, allowing IT to prioritise their resources more efficiently and effectively.
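To make that difference concrete, here is an added worked example; it is not part of the original presentation and is not code from any RideWell system. It is a small Python triage routine that scores each raw alert by the business criticality of the asset it touches, so the same alert stream that basic monitoring treats as a flat list of things to look at becomes a short, ranked list of business events. The asset register, the severity weights, the threshold and the alert lines are all constructed for illustration.

```python
"""Added example (not from the original post): ranking a raw alert stream by
business impact instead of treating every alert as equally urgent.

Everything below is constructed for illustration. The asset register, the
severity weights and the alert lines are hypothetical, not RideWell data.
"""
from dataclasses import dataclass

# Hypothetical asset register agreed between the business and IT security.
# Each asset records the business process it supports and a criticality
# from 1 (nuisance) to 5 (could stop the business). This is the output of the
# "what matters to the business" conversation the presentation calls for.
ASSET_REGISTER = {
    "fleet-telematics-api": {"process": "Vehicle unlock and tracking", "criticality": 5},
    "booking-db":           {"process": "Customer bookings and payments", "criticality": 5},
    "hr-portal":            {"process": "Staff HR self-service", "criticality": 2},
    "luke-laptop":          {"process": "Staff endpoint", "criticality": 1},
}

# How much each alert type matters on its own, independent of its target.
# These weights are assumptions for the example, not figures from the page.
ALERT_SEVERITY = {
    "auth_failure": 1,
    "malware_blocked": 2,
    "privilege_escalation": 4,
    "data_exfil_dlp": 5,
}

# Assets missing from the register are unmanaged risk, so they are not
# silently treated as unimportant; they get a middling default.
UNREGISTERED_CRITICALITY = 3


@dataclass
class Alert:
    ts: str
    alert_type: str
    asset: str
    detail: str


def parse_alert(line: str) -> Alert:
    """Parse one constructed, pipe-delimited alert line into an Alert."""
    ts, alert_type, asset, detail = (p.strip() for p in line.split("|", 3))
    return Alert(ts, alert_type, asset, detail)


def business_risk(alert: Alert) -> int:
    """Risk score = alert severity x business criticality of the target asset."""
    crit = ASSET_REGISTER.get(alert.asset, {}).get("criticality", UNREGISTERED_CRITICALITY)
    return ALERT_SEVERITY.get(alert.alert_type, 1) * crit


def business_event(alert: Alert) -> str:
    """Describe the alert in business terms: what process is affected."""
    proc = ASSET_REGISTER.get(alert.asset, {}).get("process", "unregistered asset")
    return f"{alert.alert_type} affecting '{proc}'"


def triage(lines, threshold: int = 10):
    """Return (score, business-event description, alert) tuples for every alert
    at or above the threshold, highest risk first. Low-scoring IT events (a
    forgotten password on a low-value laptop) fall below the threshold."""
    scored = [(business_risk(a), business_event(a), a) for a in map(parse_alert, lines)]
    return sorted((s for s in scored if s[0] >= threshold), key=lambda s: -s[0])


# Constructed alert lines: timestamp | alert type | asset | detail
SAMPLE_ALERTS = [
    "2023-06-01T08:02:11Z | auth_failure | luke-laptop | 3 failed logins for luke",
    "2023-06-01T08:05:40Z | auth_failure | luke-laptop | 2 failed logins for luke",
    "2023-06-01T09:14:02Z | malware_blocked | hr-portal | AV quarantined macro document",
    "2023-06-01T10:30:55Z | privilege_escalation | fleet-telematics-api | service account added to sudoers",
    "2023-06-01T11:41:19Z | data_exfil_dlp | booking-db | 40k rows sent to external host",
    "2023-06-01T12:00:03Z | auth_failure | booking-db | 1 failed login for dba",
]

if __name__ == "__main__":
    # Basic monitoring: every alert is a thing to look at.
    print(f"basic monitoring: {len(SAMPLE_ALERTS)} alerts, all need a look")
    # Risk monitoring: only the alerts that threaten a business process surface.
    for score, event, a in triage(SAMPLE_ALERTS):
        print(f"[{score:>2}] {a.ts} {event}: {a.detail}")
```

Run as-is, the six constructed alerts collapse to two ranked business events: the DLP hit on the booking database and the privilege escalation on the telematics API. The two noisy password failures never reach an analyst, while the same alert type against the booking database still scores higher than the malware block on the low-criticality HR portal. The register and weights are the part the business owns; the scoring is deliberately simple so that it can be explained to a non-technical division head.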

We don’t need to start from scratch. This approach allows more efficient use of our existing controls and is compatible with the standards and frameworks we already use (Malatji et al., 2019, p. 245). In fact, if you dive into those standards you’ll see that we should be doing this already.

Cyber-risk monitoring will create connections between parts of the business which share risk. This will improve our situational-awareness by facilitating rapid communication before, during and after a cyber event. 

It will also benefit decision making, giving the executive and senior managers confidence, which will streamline support for execution of our business strategies as well as for IT investment.

Recommendations

How do we promote collaboration on cybersecurity?

This is going to be a paradigm shift.

  • We need to identify business events, with business leaders and IT security on the same page about what needs protecting,
  • so that we can monitor them and analyse the right data, which we can use for
  • improved intelligence and automation, to use our resources efficiently, and to
  • identify areas for continuous improvement.
  • We need to remember that the human element remains critical. We need people who think about what could happen, not just react to what has happened. We need people who can adopt an attacker’s mindset, who can find the holes that no one has detected, or even looked for.

We are looking to solve cross-cutting business challenges that require knowledge from across the organisation. To achieve this I recommend that we stand up a Cybersecurity Fusion Team (Amjad et al., 2016, p. 130): a multidisciplinary team with members from across our divisions. It will bring together diverse perspectives and diverse data on business and cyber risk. The Fusion Team has an organisation-wide remit, and to be effective must be independent of existing divisions, with accountability to you.

Let’s have a quick before and after, and look at how our proposal fills the shortcomings of our current approach.

The Fusion Team will produce benefits across:

  • Knowledge transfer: non-technical staff become familiar with the technical realm, while technical staff build an understanding of business processes. This allows the definition of more effective monitoring (Amjad et al., 2016, p. 130).
  • Incident response: providing us with enhanced situational awareness, which enables more efficient and effective responses.
  • Continuous improvement: promoting review of existing risks and identification of emerging risks, and of how we manage them.

These benefits will allow us to be forward facing: looking beyond risk management towards resilience and business continuity, and placing us to adopt advanced technical approaches such as threat hunting and prediction, so we can identify and survive the unknown unknowns. One example is the ‘living off the land’ activity recently reported against US critical infrastructure (ACSC, 2023b), where adversaries gained access and then used legitimate, built-in system tools rather than dropping malware, so there is no malicious file to flag and the activity blends in with normal administration. Basic security monitoring, which waits for a known-bad signal before responding, is poorly placed to detect that kind of attack.

Conclusion

We’ve reviewed our current approach to cyber security, basic security monitoring, which is simply watching everything, and how it can lead to intractable haystacks of data.

We learnt about advanced cyber-risk monitoring: identifying and monitoring business events rather than IT events, which enables more focused use of resources by monitoring what matters to us as a business. And we looked at its benefits.

Finally, we were introduced to the concept of a Cyber Fusion Team, bringing together knowledge and expertise from across our divisions and placing us in a position to be a forward-facing organisation, ready to face the challenges of tomorrow.

Endorsement

I’m seeking your endorsement to move forward to an advanced cyber-risk monitoring regime, with the aim of implementing a Cyber Fusion Team to drive the change and manage BAU after implementation. With your endorsement, I will draft the functions and KPIs of the fusion team, its org structure and its data sources.

Thank you again, I appreciate your time and look forward to working with you as we take our business to a more secure future.

Any thoughts or questions?

References

Amjad, A., Nicholson, M., Stevenson, C., & Douglas, A. (2016). From security monitoring to cyber risk monitoring. Deloitte Review, 27(2).

ACSC. (2023a, March 15). Information security manual (ISM). Cyber.Gov.Au. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

ACSC. (2023b, May 25). People’s Republic of China (PRC) state-sponsored cyber actor living off the land to evade detection. Cyber.Gov.Au. https://www.cyber.gov.au/about-us/alerts/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection

Ahmad, A., Maynard, S. B., Desouza, K. C., Kotsias, J., Whitty, M. T., & Baskerville, R. L. (2021). How can organizations develop situation awareness for incident response: A case study of management practice. Computers & Security, 101, 102122. https://doi.org/10.1016/j.cose.2020.102122

Attorney General’s Department. (2021, July 7). Security Governance. Protective Security Policy Framework. https://www.protectivesecurity.gov.au/policies/security-governance

Davis, M. C., Challenger, R., Jayewardene, D. N. W., & Clegg, C. W. (2014). Advancing socio-technical systems thinking: A call for bravery. Applied Ergonomics, 45(2), 171–180. https://doi.org/10.1016/j.apergo.2013.02.009

Evans, J. (2023, May 24). Australia joins intelligence partners to blame China for US infrastructure cyber attack. ABC News. https://www.abc.net.au/news/2023-05-25/australian-intelligence-blames-china-for-us-hack/102390024

Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Malatji, M., Von Solms, S., & Marnewick, A. (2019). Socio-technical systems cybersecurity framework. Information & Computer Security, 27(2), 233–272. https://doi.org/10.1108/ics-03-2018-0031

Refsdal, A., Solhaug, B., & Stølen, K. (2015). Cyber-Risk management. Springer.

UNSW. (2022). 2.2 Risk assessment. ZZCA9205-Cyber Operations (H322 Online). https://moodle.telt.unsw.edu.au/mod/page/view.php?id=4523374

Walker, G. H., Stanton, N. A., Jenkins, D., Salmon, P., Young, M., & Aujla, A. (2007). Sociotechnical theory and NEC system design. In Engineering Psychology and Cognitive Ergonomics (pp. 619–628). Springer Berlin Heidelberg. http://dx.doi.org/10.1007/978-3-540-73331-7_68
