More than 700 IT professionals and executives attended the Cisco security event held in Warsaw.
Michael Ganser, Senior VP Central Europe, gave a powerful opening presentation, ‘Security as an Enabler for the Digital Era’.
‘Digital transformation represents the beginning of the most significant transformation in our lifetimes’.
Security, however, is a barrier preventing many organizations from fully embracing the potential of digital transformation, and was named as one of the top 2 challenges by business executives. It is understandable why organizations are wary, as a recent FBI report suggested that ransomware will be a $1 billion industry next year. Michael added a chilling thought to this, quoting John Chambers: ‘There are two types of companies: those that have been hacked, and those who don’t know they have been hacked’.
‘It is time for the Industry to step up to the plate’ and be an enabler for digital transformation.
To help IT organizations face the challenges of Cyber Security, Cisco, together with CIO.NET, organized an executive workshop for more than 50 senior IT leaders. As part of this workshop Bartosz Górczynski, Christian Tijsmans and Paul Wilkinson facilitated three Oceans99 business simulation games.
The goals of the simulation sessions were to explore:
- What is the role of an executive manager in understanding the issues and of setting strategy and policy?
- What should leaders be doing to ensure a change in attitude and a discipline in behavior?
- What should leaders do to balance the right investments in Cyber Security and Cyber Resilience?
- What actions can YOU take away and directly initiate in YOUR organization?
Christian opened the workshop by referring to Michael’s keynote and showing how one hospital lost all access to its IT systems for one week, crippled by hackers demanding a ransom of $3.6 million and putting lives at risk! He presented some findings from the ISACA survey ‘State of Cybersecurity – implications for 2016’, which stressed that 82% of board directors are either concerned or very concerned about Cybersecurity.
‘Concerned is one thing, but are they committed to taking ownership and accountability’.
What can and should leaders do? Welcome to the Oceans 99 business simulation.
In this business simulation game: “The owner of the Bank of Tokyo has decided to exhibit three world-renowned objects: the ‘Star of Africa’, the ‘Jewish Bride’ and a ‘Bugatti 59’. The challenge for the team is to bring the objects to Tokyo on time, safely and securely, and to have them exhibited; however, there are rumors that Oceans 99, a criminal organization, wants to steal the objects…” In the game the various stakeholders make use of information systems for planning, for managing, for transporting and monitoring the objects, and for booking and selling tickets, so there are many opportunities for Oceans99 to exploit vulnerabilities.
The teams were given the tasks of designing a security policy, performing a risk assessment and developing a strategy for investing in security countermeasures. Observers were given ‘Cisco key security messages’, which they used to observe how the teams worked and to give feedback during reflection between the exercises.
What happened next?
Each team had to communicate and collaborate. There was confusion over roles and responsibilities, a lack of board commitment, too much focus on technology solutions and not enough understanding of the critical business assets that needed protecting. The risk exercise focused on technology and system updates; none of the teams positioned ‘People’ as the biggest threat. In the strategy exercise teams had difficulty making a business case for security countermeasures, as there was a poor link to business language.
How did we create this situation? Below are just one or two of the discoveries made during the reflection period after each game exercise.
Policy exercise reflection:
- Too much detail; no one person (CISO) knows all the details. It must be a collaborative and iterative approach to shaping and agreeing the ‘business’ security policy. There was no board ownership – ‘no time, no interest and it’s an IT thing’!
- On a positive note the CISO engaged with and involved all roles (however the majority stated that this was not the case in their organizations).
Risk Exercise reflection:
- No formal decision making mechanism or process for agreeing which risks are high impact and high probability. Too many assumptions and everybody insisting THEIR risks are the most important.
- Too much focus on technology risks. No balance between People, Process and Technology. People were not classified as a high risk, yet the teams knew that the biggest threat comes from inside the organization (such as phishing attacks).
- On a positive note – One team used information from incident monitoring and logging to expose vulnerabilities and threats (however the majority stated that the incident systems in their organizations did not provide this level of security related insights to help with Risk management).
Strategy exercise reflection:
- IT Security strategy = Business strategy.
- Not knowing or understanding is also a ‘vulnerability’; hence the need to use external expertise to expose vulnerabilities.
- The need to invest in training and awareness initiatives.
- On a positive note – one team made a business case relating back to the critical assets (credit card information and the image of the bank) to gain an investment from the business (however the majority stated this type of business case was not common in their organizations).
At the end of the day we asked the teams to record: ‘What are your key takeaways and learning points from this exercise? What concrete action are you going to take away?’
These are the consolidated Key takeaways (and the number of times mentioned).
- Critical assets must be identified (and agreed) with the business; identify the real “crown jewels” not the commonly ‘assumed’ ones, this MUST be agreed with the business owners. (12)
- Risk management is an ongoing exercise with Business & IT; You need to monitor ongoing incidents and breaches to update the risk profile and prioritize countermeasures; democracy in building the risk register (everybody has a role to play in identifying risks). (11)
- An IT Security strategy MUST be part of the business strategy. This requires business engagement, involvement, alignment and ultimately convergence of strategies; Business first strategy – focus on business goals; big picture MUST be kept in mind at all times at all stages; make clear connection between company’s goals and IT security to gain resources for investing and protecting key assets. (9)
- Employee (and external partners) awareness and training is crucial as most breaches are from inside the company; On-going awareness programs (People as the most significant risk), including on-boarding new employees; people are a critical asset in an organization for detecting and responding to security – if they understand the need. (7)
- IT needs to play the role of ‘Glue’ in the Cyber Security area (linking technology components to critical assets and risk mitigation countermeasures); IT to become a facilitator – dialogue with the business; leadership/facilitation is a critical success factor; Use an external facilitator for the dialogue between IT and the business (if the IT maturity or relationship isn’t aligned). (6)
- The simulation should be training for all employees involved in security; Today’s simulation showed how 11 different voices were translated into 1 coherent strategy, addressing business needs and threats; the simulation helped us look at the problem from different angles – different teams, different stakeholders including the business; very valuable way of learning and experiencing; great way to observe how people behave and interact; interesting experience – direct cooperation of key stakeholders, ability to assess current capabilities. (6)
- Involve the board from the beginning, and in every step (Policy, Risk, Strategy); no success without business commitment; Have ALL important business roles in the discussion or you can forget about it (only as strong as the weakest link). (5)
- To convince the business to invest in security solutions we must make the business case very carefully, in relation to the critical assets and business impact, not IT terms and IT impact; find the right balance between IT ‘asset’ protection (general) and business ‘asset’ protection (specific), agreed with the business. (4)
- The critical assets must be reflected in the policy and strategy and communicated across the organization to ALL employees; this was the biggest takeaway – protecting your ‘crown jewels’ in ongoing structures & systematic approach – if not you’ll lose! (4)
- Lack of leadership leads to chaos (clearly defined roles and responsibilities for both business & IT in terms of cybersecurity, NOT just IT). Having leaders and managers involved doesn’t mean success – it is engagement, involvement and commitment from ALL; clearly defined responsibilities of EACH person in Cybersecurity. (4)
- IT security depends upon People, Process AND technology. We focus too much on the technology and point solutions and not enough on processes and people. (3)
- The importance of open communications (and understanding); clear and simple communication. (3)
- Create understanding; if unsure about any vulnerabilities use internal knowledge (incident management and monitoring) or buy the knowledge externally (security expertise). (2)
- Take time in defining the policy; update the policy as an ongoing exercise.
- Iterative process (Policy – Risk Assessment –Strategy).
As Michael stated in his opening keynote ‘It is time for the Industry to step up to the plate’. What will the IT leaders in the workshop now do to deal with the Cyber Security challenges facing their organizations?
Concrete actions to take away:
- I am going to increase my risk management process in my business.
- I am going to facilitate the dialogue between business and IT to recognize critical assets.
- I am going to improve the processes to identify critical assets and embed these findings into our processes and procedures.
- I am going to ensure more learning and awareness in Cybersecurity for my personnel.
- Review of security policy in terms of key assets
- Review the security training in the organization and make it ongoing.
- Ensure everybody has a role to play in security
- Sharing the experience and learning within my organization
Even in this small, intense, time-pressured situation it was interesting to see how senior IT leaders and decision makers all focused on ‘technology solutions’ and not on the ‘people factor’, nor on fully understanding the business impact. It was also interesting to see that although 82% of board members are ‘concerned or seriously concerned’ about Cyber Security, the majority of delegates do not experience board-level commitment and ownership within their organizations.
This session showed how a business simulation – or interactive, experiential learning session – can not only create awareness but also change attitude, by creating new insights and, more importantly, capturing new behaviors that the delegates owned and agreed to take away. The simulation exercise can be played with both business and IT roles to create a shared understanding and shared commitment. After all, security awareness should result in behavior change to prevent the human factor being the most damaging security risk.
The key Cisco security messages that the observers used to observe and give feedback to the teams during the exercises:
- Security is an essential element of digitization. Lack of Security is a major impediment to the successful adoption of disruptive innovation such as IoT/IoE.
- Security should never be treated as an afterthought – it should be budgeted and embedded into every IT project.
- 1+1 should equal 3, not 1.5. Complexity is the enemy of effective Security. Investing in point security solutions only increases OPEX due to integration issues and lifecycle cost – it does not increase the level of Security.
- No point product can ever address the Security challenge – only a Security SYSTEM can achieve this.
- Security is a highly sensitive subject and a matter of trust. Only trust a Security vendor with considerable market pedigree.
- Be comfortable and prepared to spend based on quality. You are unlikely to purchase the cheapest house alarm to protect your family – why would you do so for your IT?
- You will be hacked – it’s just a matter of time. Be prepared to remediate your IT.