What better place to organise Dell and VMware's roundtable on the theme of 'The Cyber Vault' than the former vaults of the National Bank of Belgium, under the hotel 'Fourth' on the Grand Place of Leuven? A group of fourteen CIOs and CISOs from various sectors met in this former vault, turned into a tasteful and authentic dining space that still breathed the atmosphere of the bank vault thanks to stylish lighting, clangorous steel doors and reinforced concrete walls.
The fellowship immediately jumped into the core of the subject when each of them was asked to present themselves and talk about their scenario 'when all the rest has failed'. How do they ensure that they can reliably recover all business-critical data when their organisation is under siege from a cyber-attack? What is their last resort, their final 'insurance' to help the company survive and take a fresh 'restart'?
The 'tour de table' immediately showed a clear difference in the participants' level of cyber security maturity. Was that linked to size, the nature or the activity of the organisation? Not really! After all, without exception, IT has become crucial to the functioning of each company around the table. Cyber security is thus essential to all of them. Still, the focal point of current security practices of most of them is on control, prevention and detection.
The further one moves towards the later phases of the NIST model (towards recovery), the less concrete the exact measures become. The most mature organisations in the group described their approach as a 'risk acceptance' attitude: they accept the fact that a cyber-attack will happen, they have mapped those risks and they concentrate on how to be up and running again as soon as possible after the crisis.
One of the most important critical success factors for developing a sound cyber resilience strategy is the awareness, the sense of responsibility and the buy-in of (top) management. The CISO's or CIO's first task is to usher in, or demand, an executive view on security from the board. Unfortunately, it usually takes a few serious cyber incidents to arouse this interest. And even if there is such awareness, it remains a challenge to determine where the priorities of a recovery scenario should lie.
What needs to be recovered first? Where do the priorities lie? Which department and which functionalities get priority? If the CISO is sent out on his own to make this mapping, there is a good chance that he will come away empty-handed, because every business owner is convinced that his department is crucial and that all his data is essential. Theoretically, this is not a problem. However, budgetary and practical constraints demand that choices be made and priorities set. The latter is an exercise that top management must undertake together: the decisions that need to be made are business decisions. The CISO can then get to work, together with the CIO and the business owners, and draw up a plan of approach. In the subsequent phase, too, priority must be given to raising employee awareness. After all, providing the necessary technical solutions is entirely pointless if the organisation is not aware of the risks.
This brings us to the next issue: how do you demonstrate or calculate the business case for a cyber resilience programme? After all, investments have to be made in technology, in the organisation and in people, and those costs must be set off against the risk. For certain sectors, that exercise seems pretty straightforward. Companies may be able to estimate the direct costs of one day of non-activity, and on that basis they may even be able to judge whether or not to pay the ransom. However, the impact of a cyber-attack goes much further: there are the hidden risks for the products, the customers and the ecosystem, next to the reputational damage and, of course, all the indirect costs associated with a restart. Moreover, paying the ransom is no guarantee that the decryption key will be delivered. And according to some CISOs around the table, your organisation then becomes a sitting duck for the cybercrime community, a perfect target for a new attack.
One of the speakers highlighted an interesting focus of his resilience plan, namely providing the necessary protection for the people themselves, especially the IT team. After all, when the company is the victim of a successful cyber-attack, the reflex is to blame the IT and/or the cybersecurity team. They, too, easily interpret the situation as a failure, which obviously does not contribute to productivity and can cause severe human damage. For this reason alone, it is not unwise to provide external teams to take care of things at the right time, including proper professional crisis communication. Measures such as these can relieve the pressure on the team and ensure that people work constructively on solutions instead of being paralysed by feelings of guilt and stress. This also applies to the key people in your organisation: not just executives, but also those experienced colleagues who can make the business run on instinct and gut feeling, even without IT support. Identify those people. Highlight their role in your playbook and provide the necessary (if needed manual) support in case of.
For specific 'critical' sectors - and that scope is getting bigger and bigger over time - the government also imposes formal requirements. Think of the banking world, or of organisations responsible for critical infrastructure such as utilities, ports and airports. The current tense geopolitical situation has put nation-grade security back on the (political) agenda, and investments in specialised government institutions have risen accordingly. But here, too, there are no conclusive solutions. Even if all possible measures have been taken and all compliance checks have been ticked off, it remains impossible to prove that there are no gaps left. Zero risk does not exist. Moreover, other sectors that you would intuitively expect to be top priorities - such as healthcare and energy distribution - are not yet on the NIS list. The investments needed to make these sectors watertight are of such a nature that they can only be made step by step.
Norms and standards such as the ISO norms, or methodologies such as the NIST framework, are very useful, but according to the panel they are not a cure-all. They should be seen as a foundation, a valuable tool for methodically working out a cyber resilience strategy. The strategy itself, however, can be nothing other than customisation, taking into account the uniqueness and the specific context of the organisation in question. Too much focus on 'compliance' can even be dangerous, because it gives a false sense of security or provides a formalistic umbrella to hide underneath. "We are safe and secure because we ticked all the boxes." It does not work like that.
It is indeed crucial to have a 'clean' - read 'uninfected' - version of your core business data that is kept in a completely separate and protected environment, to enable you to restart your business activities in case of a cyber disaster. In this context, one of our CISOs suggested working according to the IAD model, in which infrastructure, applications and data are separated. Infrastructure and applications can both be set up in a mutable/immutable mode. The data itself can be protected from manipulation via WORM facilities. An approach that indeed meets the need for a separate protected environment holding data that has been made immutable. Still, even that cannot fully guarantee that the isolated, immutable data was not already contaminated…
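To make the WORM idea and its limitation concrete, here is an added illustration (not code from the roundtable or from Dell/VMware): a toy write-once vault that refuses overwrites, refuses deletes until a retention window has passed, and records a SHA-256 digest at write time so the isolated copy can later be checked against what was actually stored. The vault class, the `FakeClock`, the sample records and the `is_clean` scanner are all constructed placeholders. The scan gate in `copy_to_vault` is the point of the last sentence above: immutability freezes whatever is written, so integrity verification proves the copy is unaltered, not that it was clean when it went in.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class ImmutableViolation(Exception):
    """Raised when a write would alter or remove a retention-locked object."""


@dataclass(frozen=True)
class LockRecord:
    sha256: str        # digest recorded at write time
    retain_until: int  # constructed epoch-style timestamp (seconds)


class FakeClock:
    """Constructed clock so the retention window can be advanced deterministically."""

    def __init__(self, now: int = 0) -> None:
        self.now = now

    def __call__(self) -> int:
        return self.now


class WormVault:
    """Write-once, read-many store (constructed model, not a vendor API):
    no overwrite ever, no delete until the retention period has expired."""

    def __init__(self, retention_seconds: int, clock: Callable[[], int]) -> None:
        self._retention = retention_seconds
        self._clock = clock
        self._blobs: Dict[str, bytes] = {}
        self._locks: Dict[str, LockRecord] = {}

    def put(self, key: str, data: bytes) -> str:
        if key in self._blobs:
            raise ImmutableViolation(f"{key!r} exists; WORM objects cannot be overwritten")
        digest = hashlib.sha256(data).hexdigest()
        self._blobs[key] = bytes(data)
        self._locks[key] = LockRecord(digest, self._clock() + self._retention)
        return digest

    def delete(self, key: str) -> None:
        lock = self._locks[key]
        if self._clock() < lock.retain_until:
            raise ImmutableViolation(f"{key!r} is retention-locked until t={lock.retain_until}")
        del self._blobs[key]
        del self._locks[key]

    def get(self, key: str) -> bytes:
        return self._blobs[key]

    def manifest(self) -> Dict[str, str]:
        """Key -> digest recorded at write time; this is what a restore team compares against."""
        return {k: v.sha256 for k, v in self._locks.items()}

    def verify(self, key: str) -> bool:
        """Integrity check: does the stored blob still match its recorded digest?"""
        return hashlib.sha256(self._blobs[key]).hexdigest() == self._locks[key].sha256


def copy_to_vault(vault: WormVault, key: str, data: bytes,
                  is_clean: Callable[[bytes], bool]) -> Optional[str]:
    """Gate the copy on a scan *before* it is frozen. Immutability preserves whatever
    is written, so a contaminated record that passes this gate stays contaminated."""
    if not is_clean(data):
        return None
    return vault.put(key, data)


def demo() -> dict:
    clock = FakeClock(now=1_000)
    vault = WormVault(retention_seconds=3_600, clock=clock)
    # Constructed sample records standing in for core business data.
    records = {
        "customers/2024-q1.csv": b"id,name\n1,Alice\n2,Bob\n",
        "ledger/2024-q1.csv": b"id,amount\n1,100\n2,250\n",
        "tmp/dropper.bin": b"constructed-malware-marker",
    }
    # Placeholder scanner: a real pipeline would consult AV/EDR verdicts here.
    is_clean = lambda blob: b"constructed-malware-marker" not in blob

    results: dict = {}
    results["stored"] = {k: copy_to_vault(vault, k, v, is_clean) is not None
                         for k, v in records.items()}
    try:
        vault.put("customers/2024-q1.csv", b"id,name\n1,Mallory\n")
        results["overwrite_blocked"] = False
    except ImmutableViolation:
        results["overwrite_blocked"] = True
    try:
        vault.delete("ledger/2024-q1.csv")
        results["early_delete_blocked"] = False
    except ImmutableViolation:
        results["early_delete_blocked"] = True
    results["integrity_ok"] = all(vault.verify(k) for k in vault.manifest())
    clock.now += 3_600                    # retention window has now elapsed
    vault.delete("ledger/2024-q1.csv")    # permitted only after retention
    results["delete_after_retention"] = "ledger/2024-q1.csv" not in vault.manifest()
    return results


if __name__ == "__main__":
    print(demo())
```

The check that matters for a restart is `verify` against `manifest()`: it tells you the vault copy is exactly what was written. Whether what was written was already infected is a question for the scan gate and for the recovery-point discussion that follows.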
And even if a 'clean copy' is provided, thorny questions remain, such as the appropriate recovery point and what to do with the interdependencies, not only between the applications but also between the systems and data of the players within the ecosystem.
Nevertheless, everyone agreed that setting up a proper resilience plan is a correct but insufficient step. You then have to run tests and set up simulations that are as realistic as possible. These will very quickly show you where the gaps in your plan are, and that you should foresee scenarios that allow for an efficient and effective decision-making process and crisis communication.
Cyber resilience is a particularly crucial and topical issue: it is about the survival of one's organisation. And the threat is becoming more real every day. Everyone around the table indicated that they were lying awake because they did not yet have conclusive solutions. Our CIOs and CISOs frankly admitted that they constantly seek information and inspiration from their peers. Many voices were raised to invest more time in these exercises and to start an open debate across companies and sectors. To be continued, for sure.