Cybersecurity – A Comprehensive Approach to Balancing Risks & Rewards
Key Considerations From CEO Prioritization to TSCM / Cyber TSCM Inclusion
Ask your CIO or CISO if your company is winning the cybersecurity war, and the reply may not be the confident, positive affirmation the CEO or the Board of Directors wants to hear. Why? Information security professionals know the cybersecurity war cannot simply be “won”. Maintaining corporate cybersecurity posture is a constant battle. The identity of attacker(s), the nature of the attack(s) and the weapon(s) used constantly change. To be effective, corporate cybersecurity initiatives must address the variability of the threats, and evolve as the attacker(s) and their tactic(s) change. But, how can corporations implement a comprehensive cybersecurity initiative while striking a balance between the risks and rewards of the stakeholders? In this article, a corporate counterespionage and TSCM / Cyber TSCM expert addresses the need for a comprehensive approach to cybersecurity, with consideration of the risks and rewards of internal and external stakeholders.
What is the focus of a comprehensive cybersecurity initiative? The Department of Homeland Security’s National Initiative for Cybersecurity Careers and Studies (NICCS) defines cybersecurity as “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” The NICCS definition focuses on cybersecurity as a means to protect and defend the communication systems and information from threats; the focus is not on the use of only authorized devices or authorized networks as a means of defending against threats. Instead, the definition refers to protecting and defending against damage, unauthorized use, modification or exploitation. “Cybersecurity initiatives that rely on limiting device(s) use and/or access to communications systems as a means of controlling threats do not work effectively simply because it is contrary to human nature for 100% of the people to follow the policy 100% of the time,” says Counterespionage Expert, J.D. LeaSure, President of ComSec LLC. He adds, “For an external stakeholder who faces the potential loss of their protected personal information (PPI), reliance on corporate policy compliance to protect PPI may very well be unreasonable risk versus the benefit or reward derived from a product or service.”
What does a comprehensive cybersecurity initiative include? It includes consideration for all devices, information or communication systems, and threats that should reasonably be expected to be present in the corporate environment, and/or that may have access to the system(s) or information contained therein. This includes threats from IMSI catchers, personal devices (e.g. IoT devices, wearables, mifi, mobile devices, personal apps, printers) and the umbrella of wireless connections referred to as “Near Field Communications” (NFC). If a corporation can reasonably expect the threat to be present, then the corporate cybersecurity initiative should address it. “Corporations should reasonably expect Apple watches, Fitbits, mobile phones, game apps, personal hot spots, etc. to be present in the work environment and/or to potentially access corporate information and communication systems. To fail to address these devices, the related software and/or the threat they pose puts internal and external stakeholders at significant risk,” says Mr. LeaSure.
How important is CEO and Board of Director involvement? According to CFO Network’s Taskforce Priorities, it is critical that the “CEO and the Board of Directors prioritize cybersecurity, and that senior management drives a culture of vigilance and accountability.” According to the taskforce, this includes “helping stakeholders understand the implications of a breach, and that cybersecurity is everybody’s job.” As with many company-wide efforts, if one department is dictating priorities for other departments, cooperation and cohesiveness can be difficult to achieve, and may drop off over time. If the CEO and Board of Directors affirm the priority and the CEO enforces compliance, the initiative has a better chance of success. As well, with Board and CEO involvement, risks can be assessed at the executive level, giving consideration for legal, financial, regulatory, and related overall executive level responsibility. “Both internal and external stakeholders benefit from the involvement of the CEO and Board of Directors; their involvement drives company-wide adoption of the cybersecurity initiative and ensures the initiative addresses executive level responsibilities,” states Mr. LeaSure.
Should corporations rely on IT department personnel to identify all threats and the appropriate risk reduction strategies? IT department personnel who: are properly trained, maintain the necessary skills/certifications, study emerging threats and research the appropriate risk reduction strategies play an important role in corporate cybersecurity initiatives. However, the identification of cybersecurity threats and development of risk reduction strategies must also include input from other related disciplines, such as TSCM / Cyber TSCM experts. “There are credible threats your IT department personnel are not trained or equipped to identify, such as electronic eavesdropping devices, mobile network man-in-the-middle attacks or IMSI catcher mobile network attacks. These threats are best addressed through periodic TSCM / Cyber TSCM surveys and input on risk reduction strategies by a TSCM / Cyber TSCM expert,” adds J.D. LeaSure. Internal and external stakeholders benefit from the input of experts with skill sets that compliment the overall objectives of the cybersecurity initiative.
Where can we find current information about cybersecurity risks and risk reduction strategies? Making well-informed decisions is vital, but informed decisions require corporations to be vigilant about studying the changes. Remaining aware of emerging threat(s), mode(s) of attack and risk reduction strategies is critical. Sources of relevant information include, but are not limited to:
- Subject matter experts (e.g. consultants specializing in network administration, risk management, counterespionage, corporate governance, TSCM / Cyber TSCM, etc.);
- Government and industry reports providing information on trends, threats, types of breaches, hacks, etc.;
- Case studies, service provider alerts, expert blogs and newsletters; and
- Industry organizations publications and communications.
“When corporations remain diligent about studying the changing threats and the appropriate risk reduction strategies, internal and external stakeholders benefit. Knowledge is power, and knowledge that is current is even more powerful!” adds Mr. LeaSure.
A comprehensive cybersecurity initiative focuses on the protection of corporate information and communications systems. The initiative addresses devices, information and communication systems, and threats that should reasonably be expected to be present in the corporate environment, and/or that may have access to the communication system(s) or information contained therein. The cybersecurity initiative is prioritized by the CEO and Board of Directors, and the CEO ensures corporate objectives are achieved and risks are reduced to acceptable levels for both internal and external stakeholders. The initiative also includes periodic TSCM / Cyber TSCM surveys and the involvement of a TSCM / Cyber TSCM expert in the development of related risk reduction strategies. The initiative also ensures trained and qualified personnel perform cybersecurity duties, that they are vigilant about remaining aware of the changes in threats(s) and the appropriate related risk reduction strategies. Overall, a comprehensive cybersecurity initiative must continually evolve as the attacker(s) and their tactic(s) change in order to ensure risks remain at acceptable levels for both internal and external stakeholders.
To learn more about including TSCM / Cyber TSCM in your cybersecurity initiative, contact ComSec LLC.
About the Author:
J.D. LeaSure (CCISM) is the President/CEO of ComSec LLC, a global provider of world-class counterespionage and TSCM / Cyber TSCM services. Learn more at https://comsecllc.com
*Cyber TSCM ™ is a trade mark of ComSec LLC
© 2015 ComSec LLC. All rights reserved.