Martin Riley, director of managed security services at Bridewell Consulting, discusses the problem of using compliance and regulation as a driver for cyber security strategy
Today, cyber security is a top five board issue — and not just for organisations operating in heavily regulated industries. The consequences of a cyber attack now stretch beyond disruption and revenue loss. Reputational damage, falling share prices and the potential for hefty fines due to regulatory breaches are a very real threat. And depending on the severity of a breach, a CEO’s position could even become untenable.
With the risks clear, many business leaders are looking to the industry for support, using regulation as a guide for best practice. However, while regulations such as the Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR) no doubt play a part in strengthening cyber security posture, too many organisations make the mistake of using them as a driver for cyber security strategy. Not only can this lead to huge amounts of investment in measures and controls that don’t always drive wider tangible benefit to the business, but it can also encourage a short-sighted approach focused on box-ticking.
Business leaders’ main responsibility is driving cyber security strategy from the top down, and a short-term tactical approach will not fit the bill. To stay cyber resilient in today’s landscape, organisations need to shift the emphasis from prevention to detection, containment and response, underpinned by the right services, such as Managed Detection and Response (MDR), and by validating their ability to recover.
To drive real improvements in cyber security, business leaders need to consider whether their pursuit of compliance is being guided by the right intentions. While meeting regulations is a necessity, inconsistent enforcement across different regulatory bodies, and differing interpretations in the guidance issued by different organisations, make regulation an unreliable benchmark for driving security improvements.
Instead, leaders need to define their own cyber security objectives and the transformation required to reach their business goals, and adopt a strategy of continuous improvement through intelligence and automation. To achieve this, they need access to external expertise to help define the baseline of where their security strategy sits today and to identify the scope of the opportunity.
Shifting away from a compliance culture
Assuming that a security certificate on its own will provide an adequate level of cyber integrity is also a risky move. A compliance culture can foster a mindset of reactivity rather than proactivity, where security teams only invest time and effort when renewing their certifications. And if the focus is just to ensure the ink is dry on certifications, employees are less likely to feel accountable or responsible for upholding security best practice.
The focus should not be on simply adding more and more controls, but on implementing the right ones and using them effectively to understand and mitigate risk. This can be achieved by adopting an MDR strategy that goes beyond the bare bones of simple regulatory compliance and is tuned to keep organisations primed against emerging threats.
The role of MDR
MDR is a 24-hour cyber security service that combines modern security technology with human analysis, artificial intelligence and automation to rapidly detect, analyse, investigate and actively respond to threats, rather than simply generating alerts. And with the right solution in place, organisations can bring together existing investments in preventative security to reduce time to detection to minutes.
An MDR solution also allows businesses to develop a reference security architecture that facilitates the safeguarding of on-premises and legacy systems, SaaS solutions and cloud-based infrastructure and applications. It also helps security teams to protect against and respond effectively to emerging security and user identity threats, while reducing the dwell time of any breaches.
The best forms of MDR utilise Extended Detection and Response (XDR) technologies, which allow detection and response across endpoint, network, web and email, cloud and, importantly, identity, along with a service wrap that goes above and beyond the capabilities of the technology. This means all users, assets and data remain protected, regardless of where the attack comes from.
Similarly, by opting for a solution that leverages existing investments in Microsoft 365 licensing, organisations can consolidate security suppliers and reduce security technology budgets, whilst increasing security coverage and visibility. Security Orchestration, Automation and Response (SOAR) solutions such as Microsoft Sentinel can also dramatically improve the efficiency of implementing an early warning system.
Look beyond technology
While technology plays a critical role in an effective cyber security strategy, it alone does not provide the solution. Business leaders must also consider the organisation’s processes and people. If organisations don’t have the right processes or people in place to manage new technologies, it can be easy to revert to old habits.
Many organisations opt for a hybrid Security Operations Centre (SOC) to underpin their MDR strategy, combining the cyber skills of in-house engineers, cyber security teams and a managed security service provider (MSSP) into a single facility. MSSPs fill the gaps in defences while upskilling in-house teams to stay on top of changing threats and technologies. This approach can also free in-house staff to drive projects and internal improvements while the MSSP takes the lead on high-value incidents.
Staying one step ahead
If the goal is to improve cyber security whilst meeting your organisational goals, then regulations will only ever go so far in tackling the issue. Attacks will continue to plague all sectors and proper detection, response and remediation will be what makes the difference between those that make the news and those that don’t.
To improve cyber resilience, organisations need to implement a well-considered strategy centred around MDR, one that not only adheres to regulatory requirements but also improves the organisation’s overall security posture. This will lift organisations beyond the basic need to remain compliant with emerging regulations and instead transform them to better battle emerging cyber threats.
Often, this will entail an entire rethink of technology, processes and people. Crucially, however, the transformation itself is never the end goal. Making sure the organisation has the right processes and people in place to manage the new technologies beyond project completion is critical. For businesses that lack their own dedicated and highly trained security response team, managed security services in conjunction with automation prove to be a compelling proposition.