Cyber Resilience Framework: A Must Have for Digital Response

By Neeraj Parashar, Senior Manager-Digital Solution Architect, Business Process Services, Wipro

Recently, a hacking team broke into a driverless car model's AI system and was able to control the car remotely. The team notified the manufacturer, who then issued a software update to patch the vulnerability. Manufacturers of autonomous cars, gadgets and everything digital are equally exposed. As an increasing number of products leverage technologies such as the Internet of Things (IoT), they enlarge the available attack surface. While it is almost impossible to build ecosystems that are immune to cyber attacks, the highly connected service industry is stepping up its efforts to address the problem. What is needed is a realistic approach that responds effectively to a cyber attack, limits the loss and returns operations to normal within a short span of time. With the growing preference for a socio-digital culture, cyber security will be a key factor for businesses, brands and apps of every size.

The service industry is vulnerable to threats at two levels. One is from hackers who can access customer transactions. The second is from hackers who can access organizational data related to product design, IP, supplier contracts or financial planning information. The first can lead to regulatory penalties and the second can threaten the existence of an entire institution.
Defending an organization against cyber threats is complicated. Cyber security does not add value to the business by itself; it only enables it. This makes it difficult for organizations to make the right investments. In addition, the threat environment is dynamic, which calls for an integrated management system involving people, process and technology, and such systems are often slow and cumbersome. Many organizations are further hampered by an absence of governance: without audits, controls and defined incident responses, incidents go unreported.

Cyber security cannot be ignored. A report published in 2013 estimated the cost of cyber crime to businesses in the US at approximately $100 billion. By 2015, a British insurance company estimated that the figure had quadrupled to $400 billion, and one research report forecasts $2.1 trillion by 2019. The threat is significant: 20% of small to mid-cap companies have been the target of cyber crime. Even organizations with modest budgets are now being forced to create a cyber security strategy.

The cost-effective approach

Given that budgets are likely to remain a constraint, what is the ideal approach to a cost-effective but resilient and scalable cyber security framework?

Planning begins with mapping the risks and rating them by severity, assigning each to the owner of the affected function together with the response expected of that owner when an event occurs. The intent is to prioritize action and minimize the impact on reputation, the bottom line, employees and other stakeholders.

Tools for Cyber security

Carnegie Mellon University's CERT Resilience Management Model (CERT-RMM) covers assets, services and processes from an ownership, controls and indicators perspective, and can be used to profile risk in dynamic environments.
Other tools include ISACA's Control Objectives for Information and Related Technologies (COBIT 5), with its fact-driven standards for an end-to-end view of enterprise governance. COBIT 5 comprises the practices, analytical tools and models needed to manage risk, and it can be mapped to the 17 principles of the COSO (Committee of Sponsoring Organizations of the Treadway Commission) 2013 framework for improving governance through internal controls.

COSO is widely used for SOX compliance, with COBIT commonly mapped to it for the IT control portion. Depending on a company's facts and circumstances, the transition to the COSO 2013 framework can take time, so it is a good idea to begin early. Companies can start by familiarizing themselves with the 17 principles and other COSO guidance, then evaluate the current state of their internal control system and develop a plan for correcting its weaknesses.

Currently the best approach for organizations is to develop a Unified Cyber security Response Framework that is guided by the numerous available standards.

Just as cyber threats continue to evolve, so do the tools, standards, frameworks and measures that a CIO must adopt. Nine criteria define how well the metrics behind the framework serve a CIO in a dynamic threat environment: Predictive, Relevant, Actionable, Genuine, Meaningful, Accurate, Timely, Independent and Cost-effective, in short PRAGMATIC metrics, which are used to build a reliable level of immunity from attacks across all relevant aspects.

The other aspects to consider include:

1. Audit Framework (ISO, channel-centric standardization at the back and customization at the front, corrective mechanisms).
2. Change Management Initiatives like training, messages, workshops and town halls that help build a cautionary culture.
3. Preventive Mechanism and Best Practices for data security, cloud migration, channel strategy, access management system and thick/thin clients.
4. Budget allocations, plans, development of committees and risk database development.

Developing the "what is to be done" aspect is important, but for the framework to be effective, as much emphasis must be placed on "how it is to be done".

Creating scalable, end-to-end response to cyber threats

These days, a typical business has a number of relationships with vendors, partners, peers, regulators and customers. Collaboration within this ecosystem goes beyond the formal boundaries of the organization. Relationships are also volatile, and governance of statements of work (SOW), service-level agreements (SLA) and memoranda of understanding (MoU) is crucial for smooth business transactions.

In addition, there is a growing number of cyber-physical systems (such as autonomous and connected vehicles) in which data and automation play a crucial role in building resilience against cyber threats.
Comprehensive and periodic risk assessment that leads to renewed security standards is time consuming. Organizations are therefore advised to consider a technology partner who can bring an end-to-end, scalable digital resilience framework centred on Robotic Process Automation (RPA). Such a partner should be able to do the gap analysis and design a solution, using business logic and a presentation layer, then integrate the solution into the organization's digital ecosystem using best practices for easy and cost-effective maintainability.

Leveraging the advantages of RPA

There are three key advantages of RPA technology. First, it is cost-effective and scalable, so governance no longer has to be limited to testing a sample of transactions: every transaction can be checked. Second, RPA uses data and predictive modeling to flag incidents and exceptions in real time. This is especially important as services become available 24x7 and demand real-time monitoring and corrective action. Finally, the technology supports all aspects of the business, simple and complex processes alike, including deviations from them: the presentation layer integrates seamlessly with legacy systems, and the knowledge and rules layer offers robust support and resilience against real and hypothetical vulnerabilities in the ecosystem.
RPA is a cost-effective lever on its own. Combined with an experienced, domain-centric technology partner or implementer such as Wipro, one who understands the industry's nuances, aspirations and challenges and brings hands-on experience of RPA implementation, it matures rapidly and unlocks a wider, and perhaps more important, set of benefits in the context of cyber resilience frameworks in digital environments:
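The first two advantages above, checking the whole population of transactions instead of a sample and flagging exceptions as they occur, are easier to see in code than in prose. The following is an added example written for this page; it is not code from Wipro or from any RPA product. It assumes a hypothetical vendor register (contract end date, hosts in scope and an agreed service window per vendor) and a constructed key=value access log, and it checks every successful login against the contract rather than a sample. The last function shows what a random sample of the same log would have missed.

```python
from __future__ import annotations

import random
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical vendor register, constructed for this example: when the
# contract (SOW/SLA) ends, which hosts it covers and the agreed service
# window as [start_hour, end_hour) in UTC.
VENDOR_CONTRACTS = {
    "acme-support": {"ends": "2024-06-30", "hosts": {"erp-db-01", "erp-app-01"}, "window": (8, 20)},
    "globex-dev": {"ends": "2024-12-31", "hosts": {"build-01"}, "window": (0, 24)},
}

# Constructed access-log sample in a syslog-like key=value style; not real data.
ACCESS_LOG = """\
2024-07-02T01:13:44Z host=erp-db-01 user=acme-support action=ssh-login result=success
2024-07-02T09:05:10Z host=build-01 user=globex-dev action=ssh-login result=success
2024-07-02T09:07:31Z host=erp-app-01 user=globex-dev action=ssh-login result=success
2024-07-02T11:20:02Z host=build-01 user=globex-dev action=ssh-login result=failure
2024-07-02T13:45:00Z host=erp-app-01 user=initech-ops action=ssh-login result=success
2024-07-02T14:02:19Z host=build-01 user=globex-dev action=ssh-login result=success
2024-07-02T22:30:45Z host=erp-db-01 user=acme-support action=ssh-login result=success
2024-07-03T08:00:00Z host=build-01 user=globex-dev action=ssh-login result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    host: str
    reasons: tuple[str, ...]


def parse_line(line: str) -> dict | None:
    """Parse one 'timestamp key=value ...' line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def check_event(ev: dict, contracts: dict) -> list[str]:
    """Return every contract control that one successful access event violates."""
    contract = contracts.get(ev["user"])
    if contract is None:
        return ["unknown_vendor"]          # no SOW/SLA on file for this account
    reasons = []
    contract_end = datetime.strptime(contract["ends"], "%Y-%m-%d").date()
    if ev["ts"].date() > contract_end:     # the end date itself is still in contract
        reasons.append("expired_contract")
    if ev["host"] not in contract["hosts"]:
        reasons.append("out_of_scope_host")
    start, end = contract["window"]
    if not (start <= ev["ts"].hour < end):
        reasons.append("outside_service_window")
    return reasons


def audit(log_text: str, contracts: dict) -> list[Finding]:
    """Full-population check: every successful login is tested, none are sampled."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        # Failed logins are out of scope for this contract control (a brute-force
        # control would look at them instead).
        if ev is None or ev.get("result") != "success":
            continue
        reasons = check_event(ev, contracts)
        if reasons:
            findings.append(Finding(line_no, ev["user"], ev["host"], tuple(reasons)))
    return findings


def sample_hit_rate(log_text: str, contracts: dict, sample_size: int, seed: int = 0) -> float:
    """Fraction of the real exceptions a random sample of `sample_size` lines would surface."""
    exceptions = {f.line_no for f in audit(log_text, contracts)}
    total_lines = len(log_text.splitlines())
    picked = set(random.Random(seed).sample(range(1, total_lines + 1), sample_size))
    return len(exceptions & picked) / len(exceptions) if exceptions else 1.0


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, VENDOR_CONTRACTS):
        print(f"line {f.line_no}: {f.user}@{f.host}: {', '.join(f.reasons)}")
    print("sample of 2 lines finds", sample_hit_rate(ACCESS_LOG, VENDOR_CONTRACTS, 2), "of the exceptions")
```

On the constructed log the full-population check flags four events: a vendor still logging in after its contract ended (twice, once also outside the agreed service window), a vendor reaching a host its contract does not cover, and an account with no contract on file. A sample of two of the eight lines finds at most half of them, which is the gap the text refers to as the deficiency of sample-based governance. In a real deployment the register would come from the contract system and the log from the SIEM, and each finding would open a ticket for the function owner named in the risk register.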

• Targeting risk areas within budgets based on cost and return analysis
• Governance mechanisms that are fully automated for vendors and other stakeholders
• Customer experience that is consistent for global deployments with standardization at the back and customization in the front
• 24X7 availability of controls and recovery
• Enabling business to newer levels of market reach, customer base and delivery standards
• Deployment of training and other activities that build an organization sensitized to cyber threats and therefore able to respond faster

The sophistication of attackers will continue to grow, as will the opportunities for intrusion, as channels and touch points between organizations and partners or customers proliferate. With RPA, many of the risk and compliance factors that delay the response cycle can now be managed better.

Cyber security is not a technology capability alone. It also requires a pragmatic approach driven by employee and stakeholder awareness, so engaging and involving people in addressing the problem is equally important. In other words, there cannot be effective cyber security without a unified approach that includes technology, process and people.
