Martin Creighan shares the cybersecurity lessons he learned from a recent visit to the boardroom of a major bank.
The CEO began the conversation by saying the bank's $250 million annual investment in cybersecurity gave him confidence that the bank was safe from attacks.
“The other two people at the table, the CIO and the CISO, you could see them starting to squirm in their seats,” said Creighan, vice president for Asia Pacific at security firm Commvault.
“I started asking very simple questions about incident response plans, what they would do if they were breached, their processes and testing, etc. I was careful not to blame them, but it quickly became apparent to the CEO and other attendees that they weren't as prepared as they thought they were.”
Coming from a cybersecurity vendor, some might think this is a bit complacent, but it's backed up by recent research from Commvault, based on interviews with 400 IT leaders and decision makers, which highlights the stark contrast between business leaders' expectations and the lengthy recovery times reported by IT professionals.
The report found that 75% of business leaders want their operations to resume within five days of a cyberattack, but that actual recovery takes five to eight weeks.
Considering that 62% of Australian businesses and 68% of New Zealand businesses surveyed experienced at least one attack in the past year, this represents a significant amount of downtime.
Despite the increased focus on cyber resilience, only 4% of organizations consider themselves to currently have mature proactive capabilities, while 50% rate their cyber resilience as “very immature.”
Multiple Environments
Creighan said the root of the misunderstandings within the organization is the reality that senior business leaders don't understand the complexity of a technology environment that has around 5,000 applications.
“That means a variety of infrastructure environments, from private data centers to on-premise, to public cloud and the edge,” he said.
“The survey results highlight a significant gap between expectations of a quick recovery and the harsh reality of prolonged downtime.”
The key to improving this scenario is to prioritize your organization's “most important assets” and develop a plan to best protect them.
“They need to know what their priority applications are and what their most important applications are and come up with a plan to get them back.”
But even this prioritization can lead to misunderstandings and miscommunications.
“If you ask CIOs and business leaders what the 10 things most important to them are, I guarantee you that 90 percent of them will give you completely different answers,” Creighan says.
“So what's happening now is a cloud of confusion within organizations to continue operating after a breach. You need to have an agreed-upon plan, and it needs to be communicated and it needs to be tested.”
Take a Test
The solution doesn't lie in the technology itself, but in how it's deployed, the governance and processes around it, and thorough testing.
Commvault's survey found that more than 60% of organizations say they conduct testing, but Creighan questions how rigorous this is.
“Are they actually turning off the lights or are they doing a checkbox test from a documentation standpoint or are they just doing a tabletop exercise?” he said.
“Businesses need to do more than that. If things go wrong and they are attacked and hackers steal data, they need to know that they have an immutable copy of that data and can get it back as quickly as possible.”
“They need to figure out which applications are the priority ones and which are the most important ones and then come up with a plan for how and in what order they're going to bring those back.”
AU First Officer
Our security posture also took into account governance around processing and testing, compliance with regulatory controls, and artificial intelligence reporting.
Creighan recently attended the RSA conference in the US to catch up on the latest developments in cybersecurity, and came away with two thoughts:
“Firstly, I think organisations need to be mindful about the responsible use of AI,” he said.
“Walking around the RSA conference, I saw AI everywhere, but I think we need to be very careful about AI-washing, where people are just using AI terminology to get attention.”
“That's part of it, but secondly, we need to realize that leveraging AI can really help. We have a co-pilot called 'Arlie' (Autonomous Resilience) that writes code to integrate APIs into our perimeter and web security defenses,” he added.
AI automates processes, provides an end-to-end view, and acts as anomaly protection, making organizations more responsive.
Today, forensic teams must jump into action immediately after a breach to find answers to key questions: Where did the criminals come from? Was it three months, six months, or six weeks ago? Where should my recovery point start?
“By running AI across your data assets and using anomaly detection algorithms, you can better determine where to start recovering,” Creighan said.
“And this can literally shave weeks off your recovery time. So should you use AI? Absolutely! But use it the right way.”