
Where does the ownership of cyber risk lie?

  Security teams often struggle to determine who “owns” the asset and how the risk will be managed thereafter. The lack of clarity can leave unintended impacts on patching and mitigation efforts.

The growing number of data breaches and the rising volume of advisories from government departments are clear indicators that cybersecurity is no laughing matter. According to a commissioned study conducted by Forrester, 97% of Indian organisations experienced a business-impacting cyberattack in 2020. These attacks led to identity theft (44%), financial theft (38%) and ransomware payouts (33%), forcing organisations to rethink their internal processes for managing threats.

Over the last three years, more than 16,000 vulnerabilities have been reported annually, creating a new normal for vulnerability disclosure. It is difficult enough to distinguish signal from noise in a constantly evolving threat landscape. But another significant challenge arises after the vulnerabilities critical to the business have been identified. Security teams often struggle to determine who “owns” the affected asset and how the risk will be managed thereafter. That lack of clarity delays patching and mitigation, because a finding with no owner is a finding nobody remediates.

Responsibility for ensuring an organisation manages risk effectively does not lie with the CISO alone. In an increasingly digitised environment, organisations have devices connected right across the network. For instance, cybersecurity managers encounter blind spots where IT networks connect to operational technology (OT) devices, which are usually managed by physical security or facilities teams rather than IT. Even today, many Indian organisations run legacy systems whose technology has not been updated since the day it was installed, leaving them exposed to attacks against long-known weaknesses.

A CISO can only mitigate risk effectively when its scope and scale are understood, and the effort supported, by the entire organisation. The CISO may be the cybersecurity manager, but every business asset owner must have a basic understanding of what cybersecurity requires of them. Using car ownership as an example, a driver is not required to know how to assemble an engine. The driver is, however, expected to know how to drive the car, to be able to change a flat tyre and, most importantly, to listen to a professional mechanic when the need arises. Similarly, business leaders need to grasp the fundamental concepts of cybersecurity and take ownership of managing risk in their respective units.

What collaborative security ownership looks like

Accountability: IT/ITeS enterprises in India face a constant stream of cyberattacks through unintended security exposure created by the distributed nature of their supply chains. This drives the need for businesses to adopt policies that hold each asset owner accountable for end-to-end security management of the assets they own. It also puts the onus on the asset owner to see that security controls are in place and remediation tasks are completed. Automated remediation workflows can help here by tracking each finding from assignment through to verified closure.

Prioritisation: Effectively prioritising the vulnerabilities most critical to the business is fundamental to cybersecurity. To do this efficiently, businesses need to adopt solutions that help them understand the actual, rather than theoretical, impact of a vulnerability: whether it is being exploited in the wild and what the affected asset is worth to the business, not just its base severity score. Internal service-level agreements for remediation, with deadlines tied to that priority, are a good step towards establishing clear goals and improving accountability.

Create a “living strategy”: Progressive organisations understand that cybersecurity is linked to organisational goals. They therefore seek to understand the organisation’s cyber exposure gap and develop a cyber-incident response plan together with the C-suite. A CISO may be in charge of cybersecurity, but the C-suite must commit to a cross-team leadership approach so that the security strategy can adapt as the business and the threat landscape change. This ensures that teams know the “living strategy” is backed by their leaders.

Eliminate silos: The stark divide between an organisation’s physical security and cybersecurity teams should be a thing of the past. Today, OT security requires collaboration with cybersecurity teams to monitor the interconnected devices within the company. Cyberattacks on 67% of Indian organisations involved the company’s OT systems, reinforcing the need for security leaders to bring OT and cybersecurity operations together to manage and mitigate the risks that arise from this convergence.

Effective governance and communication: Every department relies on the organisation’s technical infrastructure, so it is crucial for IT leaders to communicate regularly with the relevant stakeholders and look for ways to improve both productivity and security.

Making businesses in India more secure

With 91% of Indian organisations expecting cyber threats to increase by 2022, it is more important than ever for security and business leaders to be in lockstep on business priorities so they can communicate the security programme effectively to business asset owners. They should collaborate with business leaders not only to develop strategies and metrics that support organisational goals, but also to inform, set and make decisions related to business strategy. Succeeding in this will make the business and its stakeholders more secure. It will also provide a greater return on information security investment and eliminate confusion over who owns the risk.


The author is Adam Palmer, Chief Cybersecurity Strategist, Tenable
