The round table "World class strategies for building cyber resilient organisations" is an initiative of CIONET in partnership with Dell and VMware.
Cyberattacks: The question is no longer 'if' it will happen but 'when' it will happen (Luc Verbist, Greenyard).
As the title indicates, this round table of 12 CIOs and CISOs dived into the question 'how to minimise the impact of a cyber-attack and ensure that the business continues as effectively as possible?'.
According to Patrick Van den Branden, Group IT Security Officer at Euroports Belgium, the likelihood of a cyber-attack is no longer even in question; the examples in the sector are legion. Together with the entire management, a cyber strategy was drafted: 'entire' because it requires a team effort from the whole organisation, and 'management' because the exercise has to be steered top-down in the first place. Patrick also sees it as a 'step-by-step' process and uses the metaphor of a ladder whose first rung has to be low enough to reach. That process starts with identifying the risks. Next, the potential business impact of each risk is estimated. After that, a list of mitigation actions is drawn up, with particular attention to protecting the 'crown jewels', i.e. the most critical business activities. The actions are situated on three axes:
1. The Human axis: constantly working on awareness throughout the organisation;
2. The Technology axis: choosing the suitable technological systems and tools (SIEM, SOC, ...);
3. The Governance axis: setting up IT security policies, incident response plans, BCP and DRP, ...
Finally, Patrick states that in any case a cyber security culture cannot be bought. It is a process that takes three to five years and should push the organisation to a higher cyber maturity level: from awareness, via behaviour, to ideally arriving at a new normal.
An interesting comment from the group was the importance and priority that must be given to 'insider threats'. The company's own employees, especially the IT teams, with their privileged access rights and position of power, require a special monitoring and security approach.
Luc Verbist, Group IT Director of Greenyard, testified about their systematic approach, which uses the NIST framework in a structured way, adapted to the specific context and priorities of Greenyard. Since the Greenyard group is a highly decentralised environment, there is a substantial investment in the programmes needed to 'measure' (and therefore know) what is going on throughout the organisation. Of course, all measures come at a cost, so clear agreements are made with the board. Agreements are also made with customers, suppliers and partners to guarantee continuity as well as possible. And Greenyard is not averse to keeping 'manual' systems on hand 'just in case'. According to Luc, it is a must - certainly in their sector - that the entire supply chain (from supplier to customer) is involved in order to achieve effective results.
Wim Van Langenhove, IT Area Lead Security & IT Risk at ING Belgium, endorsed the added value of the NIST framework, which has also served as the basis of ING's own framework. Wim then went into more detail about their Foundation Controls: the quality of the CMDB, which is crucial; the Risk Measurement Model that goes with it; and the classification (CIA rating, i.e. confidentiality, integrity and availability) of the different applications based on their importance to the business. As part of their cybercrime resilience programme, the controls were defined at both group and local levels in collaboration with the CISOs. Cybercrime scenarios are analysed together, and runbooks are defined so that all teams know exactly what to do in each scenario. DDoS attacks are regularly simulated to thoroughly test the systems. Suppliers' contracts are also systematically scrutinised, with a request to modify them if they do not fully pass the joint exercise across the different use cases.
Incidentally, Wim confirmed - as also reported in the media recently - that ING, together with Microsoft, has set up an online training platform for IT security with a view to training cyber experts (see link for De Tijd readers); an investment that can also help address the shortage of cyber security skills in the market in the longer term.
Steve Kenis, Sales Manager Benelux Data Protection Solutions (DPS) at Dell Technologies, partner of this round table, summarised the core conclusion nicely with the witticism that 'cyber security is the new disaster recovery'. In other words, most organisations do indeed have robust detection capabilities, but the key question remains how an organisation can recover once its systems are blocked. Frameworks such as NIST certainly have their added value, but companies must build their own solutions by weighing risks against costs. And above all, keep an eye on safeguarding the crown jewels. When assessing investments in proper cyber security, one should always weigh them against the cost of a real worst-case scenario actually happening.