Enabling cyber-resilience in the era of emerging technology (Guest blog by BSI)
With the world moving towards a virtually digital space as a direct consequence of COVID-19, more and more organizations are now looking at transitioning to the use of emerging technologies and cloud-based systems. This opens a significant number of vulnerabilities pertaining to cybersecurity and governance. The burning question remains – why do organizations need cyber resilience?
Let me draw a direct comparison between traditional IT structures and cloud-based systems. Using traditional routes to manage your own IT would mean you were in control of your own destiny and the advantage of on-premises technology meant it was within your perimeter and within your control. With cloud-based systems, you are no longer in control, and you must have a trade-off between the benefits of cloud with elasticity and the speed to deployment, the avoidance of capital costs on an ongoing basis, and the move to an evergreen IT, which is an open cost. However, that trade off comes with the reality that you lose control and somebody else is now looking at managing that environment on your behalf.
The importance of a cloud security strategy
Having a cloud security strategy is crucial for organizations as it gives them a better understanding of the breadth of cloud services and in turn helps them navigate risks and enhance governance, especially those that rushed to Cloud without fully understanding its scope. Although the cloud is more advanced today, data breaches do still occur. For organizations to adopt an effective cloud security strategy they need to consider how they will integrate often disparate security solutions. This is necessary to maintain control over a dynamic infrastructure and technology landscape, but more importantly, it needs to strike a balance between security protection and compliance. Central to achieving this balance are two key actions.
Firstly, organizations should ensure that they deploy automated discovery of new virtual machines extending the organizational cloud landscape. This first step is necessary to enable the secondary action, i.e., the deployment of consistent security policies across the hybrid cloud environment. However, as more and more organizations move towards a cyber-physical model and increase their dependence on IoT, the risk continues to grow.
Safeguarding Operational Technology (OT)
Many organizations have increased their cybersecurity measures to protect their enterprise technology, however that only covers one side of the resilience equation. Companies need to also look aggressively at securing their operational technology (OT) – the manufacturing systems and software that control business processes, as well as the production of goods and services. OT arguably faces security challenges even more grave than classic enterprise IT. You can't take all the best practices from enterprise IT and simply apply them to that industrial world; they simply won't work. The advent of 5G wireless and other trends is starting to bring far more digital intelligence into business production processes. As the Internet of Things (IoT) meets legacy OT, an entirely new set of vulnerable targets emerge. When it comes to industrial IT, factors like confidentiality, integrity, and availability flip on its head. The two key priorities in these machine-led environments are safety and availability, therefore much emphasis needs to be laid on ensuring that board level discussions consider these differences between enterprise and industrial IT and safeguard them with the right security tools.
A phased approach
From a strategic perspective, organizations should follow a phased approach:
- identifying the assets of their environment
- detecting the risks those assets pose
- determining the response to the risks identified and the potential solutions/control responses to deliver management of those risks
- putting a framework in place for governance and recovery
- The final step would be to implement that framework in a sustainable, rather than project-focused manner.
When looking at the impact that IoT will have on the environment, globally, over 50% of people buying new cars consider security as a key purchase decision, putting evidence out there which indicates that placing security into the process provides a continual assurance in the decision-making process.
Original source: https://cybermagazine.com/company-reports/enabling-cyber-resilience-era-emerging-technology-0
Help to shape and govern the work of techUK’s Cyber Security Programme
Did you know that nominations are now open* for techUK’s Cyber Management Committee? We’re looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself/a colleagues here.
*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.
Upcoming events
Get involved
All techUK's work is led by our members - keep in touch or get involved by joining one of the groups below.
Authors
Mark Brown
Brown has over 30 years of experience in cybersecurity, data privacy, and business resilience consultancy. He has previously held roles at Wipro Ltd. and Ernst & Young, among others. His wealth of knowledge includes extensive proficiency on the internet of things (IoT) and the expanding cybersecurity marketplace, always focusing on cybersecurity’s strategic enablement and risk protection elements.