Updated: Nov 22, 2019
At the Reverie Hotel, Time Square Saigon, in November 2019, I spoke at an advisory session for CEOs, IT Directors, CIOs and COOs about cyber security. Around 20 to 25 CEOs, CIOs, COOs and IT Directors from different companies joined the session.
Why cyber security? Because every day close to a million new threats join the pool of threats that can attack, leak or take over our digital assets, whether those assets belong to an individual or to a corporation. I started at the very grass-roots level and then built up to a set of bullet points that the audience could take back and start working on immediately to protect their digital assets. The key line of perspective is this:
The price of light is less than the price of darkness.
Through this article I will share the key bullets of that advisory session. I believe most readers know SingHealth, a well-known healthcare provider in Singapore. Since 2018 it has suffered a series of attacks that its information security controls failed to prevent or mitigate, and it ended up losing a huge amount of sensitive data and information. The situation for SingHealth users is now this: most of them cannot take their laptop home, so they have two laptops (one for the office only and another they can take home), two phones, and so on, and the organisation has been required to spend a significant amount on information security.
Their situation is like this picture. They had been in the comfort zone, which created different loopholes in their security, and after multiple attacks they are now in the panic zone.
This is a great lesson learned. The companies that are in the comfort zone now, not paying attention, not developing their capabilities in information security by learning, and not investing the minimum amount, will all end up in the panic zone and will be forced to pay far too much as well. Remember the quote?
The price of light is less than the price of darkness.
Cyber security is not something you can just tick off on a checklist. It requires constant improvement in multiple dimensions, and that is only possible by building a cyber security culture in the organisation. Three key elements play a role in building that culture.
Moulding and farming these three can create the right culture in an organisation, one that can successfully tackle its cyber security issues. On this aspect, the starting points of view I shared were these questions:
• What is your understanding of threat or cyber intelligence with respect to your organisation's operating environment?
• How does cyber threat intelligence play a differentiating role in your organisation's cyber security strategy?
• Do you operate a SOC? Is it effective? What can you do to make it effective?
• How can it be further improved as the threat landscape evolves?
• Internal threats were cited as a big concern for many organisations. Is this also an issue in your organisation?
• How do you mitigate the risks associated with employees with poor cyber hygiene?
• Is the cyber security skill set difficult to acquire? If yes, how are you currently addressing this within your organisation?
• Would you rather develop in-house capabilities or hire ready-made professionals with cyber expertise?
• Do you see a combination of both as part of your cyber security strategy?
• What information do you need to put together a resilient cyber security strategy?
• What cyber security tools are needed to implement your strategy?
• From which channels do you procure threat intelligence? For example, do you design your own tools, or subscribe to one or more cloud-based intelligence services provided by security vendors or managed security service providers?
Most organisations are far behind in cyber security capability, so many of them do not even know that they have already been compromised, over and over. So I also shared the key points from which any organisation should start assessing its cyber security status before beginning the journey of building its defence mechanisms:
Organisational Culture: Assess and define the level of organisational culture.
Business Strategy and Scale: Clearly understand the business strategy and its focus over the last 5 years and the next 5 years, and also consider the scale of growth.
Company Turnover: Assess and consider closely the company's staff turnover rate, as it ties into organisational culture, and security culture is a part of that.
System Architecture: What is the present system landscape, what is its capacity, what percentage of it is legacy systems, how well patched are they, and what kind of security tooling is in place?
These are the things they should actively not consider at this stage:
Previous assessment reports: Do not accept those reports at face value. They may be all green while the true picture is very different, so do not look at them and become biased.
Financial Condition: Your financial condition is not something to consider at the first stage of assessment; if you do, you will lose the big picture.
Incident reports: That something was not reported does not mean it did not happen. Many organisations did not even realise they had been hacked while their information had been out on the market for months. So do not be reassured by the absence of incident reports.
So let's pay attention to information security. Whatever your role in the organisation, CEO, CIO, Director, Manager or staff member, you are part of information security. Every digital asset you use in the company's digital space is an asset of the company, and it is your responsibility to learn how to keep it safe and to do so.
Need help? Reach me any time!
John Masud Parvez
CIO, Organizational Transformer,
Founder and President of VSHR (Non profit)