Tick Box Testing Won’t Save You: The Hard Truth About Cybersecurity Preparedness
Martin Creighan tells a cautionary tale on cybersecurity from a recent visit to the boardroom of a large bank.
The chief executive began the conversation by saying that the bank’s USD250 million a year investment in cybersecurity gave him confidence that the bank was secure from attacks.
“Two of the other people at the table were the CIO and the CISO, and I saw them start to squirm in their seats,” said Creighan, the Asia Pacific vice president at security firm Commvault.
“I started asking them some very simple questions about their incident response plans, what happens if they are breached, and their processes and testing. I was making sure I didn’t throw them under the bus, but the chief executive and the rest of the table realized very quickly that they weren’t as ready as they thought they were.”
Coming from a cybersecurity vendor, one might think the story is a little self-serving, but it is also borne out in recent Commvault research based on interviews with 400 IT leaders and decision-makers. This research highlights the stark contrast between business leaders’ expectations and the prolonged recovery periods reported by IT professionals.
The report found that while 75% of business leaders want to resume normal business operations within five days of a cyberattack, real recovery takes five to eight weeks.
Given that 62% of Australian businesses and 68% of those surveyed in New Zealand experienced at least one attack over the previous year, that means a significant amount of downtime.
While the focus on cyber resilience is increasing, only 4% of the organizations believe they currently have mature, proactive capabilities. At the same time, 50% describe their cyber resilience as “very immature.”
Multiple environments
Creighan says the core of the misunderstanding within the organization is the reality that senior business leaders don’t understand the complexities of a technology environment where they might have around 5,000 applications.
“That means multiple infrastructure environments, from private data centers to on-prem, public cloud, edge—you name it,” he said.
“The findings emphasize the critical gap between the expectation of rapid recovery and the harsh reality of extended downtimes.”
The key to improving this scenario is prioritizing the organization’s “crown jewels” and setting up a plan to best protect them.
“They need to know their priority applications, their crown jewels, and have a plan on how they will bring them back.”
Even this prioritization, however, can be subject to misunderstanding and miscommunication.
“I can guarantee you that if I ask the CIO and the business unit leaders for their top ten in terms of crown jewels, it’s going to be 90% totally different,” said Creighan.
“So what is happening is that we are seeing this cloud of chaos which takes place in organizations around remaining operational after a breach. There needs to be an agreed plan which needs to be communicated and tested.”
Take the test
The solution lies not so much in the technology as in how it is deployed, the governance and process around it, and extensive testing.
The Commvault research found that upwards of 60% of organizations say they test, but Creighan questions how rigorous this is.
“Do they actually turn off the lights, or are they doing tick box testing from a documentation point of view, or are they simply doing tabletop exercises,” he said.
“They need to go further than that, and they need to know when everything bad hits the fan, and they are attacked, and the hacker takes their data that they have an immutable copy of that data and can bring it back as quickly as possible.
“They need to know their priority applications, their crown jewels, and have a plan on how they will bring them back and in what order.”
AU co-pilot
The security stance combined governance around processing and testing, adherence to regulation controls and reporting with artificial intelligence also on the radar.
Creighan recently attended the RSA conference in the U.S. to stay current on cybersecurity developments. He came away with two prevailing thoughts.
“Firstly, I think that organizations need to be careful about the responsible use of AI,” he said.
“Walking around the RSA conference, I saw AI everywhere, but I think we need to be very aware of AI washing, as in using the terms of AI just to get attention and make people think you are using it.”
“There is that, but secondly, we also need to realize that utilizing AI can really help us, and we have a co-pilot called ‘Arlie’—for Autonomous Resilience—which writes code to integrate APIs into perimeter and web security defense,” he added.
AI’s ability to automate processes, deliver end to end views and take a role in anomaly protection will all improve organizational responses.
Currently, forensics teams spring into action after a breach, and they need to find answers to key questions. Where did the bad guys get in? Was it three months ago, six months ago, or six weeks ago? Where should the recovery point start?
“Running AI across data assets and using anomaly detection algorithms can give a good indication of where to start the recovery,” said Creighan.
“And that will literally cut weeks off how fast it takes to get back. So, should you use AI? Absolutely! But use it in the right way.”
Image credit: iStockphoto/SergeyNivens
