Artificial intelligence has now become a structuring lever for companies: 70%¹ have already placed it at the heart of their strategy. So far, most deployments relied on conversational assistants capable of returning information—sometimes enriched with internal data—but whose interactions with the information system (IS) remained limited.

A major shift is now underway with the emergence of agentic AI. Unlike simple chatbots, AI agents do not merely answer questions; they reason, decide to call tools, and trigger actions. They may send an email, schedule a meeting, update a record, initiate a transaction, or soon, carry out even more sensitive operations. Their promise in terms of automation is substantial—and so is their potential impact on the attack surface of the IS.

Because once an AI system acts, central questions arise: on whose behalf is it acting, with which permissions, on what perimeter, and under whose control?

Those questions are even more critical given the rapid evolution of use cases: 51%² of organizations have already deployed an AI agent for employees, while 59%³ of workers acknowledge using non‑approved AI agents. Beyond individual usage, each business unit may be tempted to deploy its own agents to fulfill local needs. This fuels a form of agentic Shadow IT, where agents multiply in a fragmented way, with heterogeneous architectures, variable controls, and frequently incomplete governance.

In this context, Identity and Access Management (IAM) must return to the center of the security strategy. Every piece of data an agent can access, every resource it can modify, every action it can execute must fall under a centralized access control with, traceability, and a governance framework.

This article analyzes the security of AI agents through the IAM lens—not as one brick among others, but as a structural safeguard required to frame their usage and sustainably protect the information system.

From conversational assistants to AI agents: how they interact with the IS

How can an AI agent act on an application?

The ability of an AI agent to interact with enterprise applications relies on the emergence of new protocols, among which the Model Context Protocol (MCP) is gaining prominence. This type of protocol enables an AI agent to communicate with third‑party applications through an intermediate layer, often implemented as an MCP server.

The MCP server acts as an exposure and orchestration component. It receives requests generated by the model, translates them into executable calls, and forwards them to the application’s API. To achieve this, the MCP server provides the model with tools, describing the actions it is authorized to invoke. Once the server is declared in the conversational interface or agent environment, the model can decide—based on user intent and its own reasoning—to call one or several of these tools.

From a security perspective, this raises a key question: how is the end‑user authenticated, and how is this identity propagated—or not—to downstream services? In modern architectures, user authentication typically relies on OpenID Connect (OIDC), while API access authorization relies on OAuth 2.x through access tokens. The challenge for an agent is to ensure that tool invocations and API calls occur through a controlled delegation model.

Is the agent acting with its own rights, with the user’s rights, or through a hybrid mechanism?

Let’s illustrate this with a real-world use case: scheduling a meeting. The user asks: “Schedule a meeting with the team tomorrow at 10 a.m.” The AI agent interprets the request and uses the “Calendar” tool exposed by the MCP server. It sends the minimal structured request (participants, date, time, subject). The MCP server then calls the enterprise calendar API to create the event.

The mechanism seems simple. In practice, it represents a major shift: the model is no longer a passive assistant but an active intermediary between human intention and technical execution.

An inherently opaque operating model

This architecture introduces an immediate security difficulty: in many cases, the integration layer only has partial visibility over the originating context. It receives a structured request but not the full initial prompt, the model’s internal reasoning, or why it selected a specific tool. The IS therefore sees an action without necessarily being able to reconstruct the chain linking user demand, agent reasoning, tool invocation, and final effect.

This loss of context becomes even more problematic when the API call is made using an OAuth token: depending on the architecture, the target service may only see a technical identity (service account / application) rather than the real end‑user. This undermines attribution, abuse detection, and the ability to apply conditional policies differentiating human and agentic actions.

In other words, the agent interacts with the IS in a partially opaque manner, breaking with traditional application patterns and complicating real‑time control, auditing, and accountability.

A fast‑emerging technology introducing new security challenges

AI agents introduce new use cases—and new risks—that must be addressed at the IAM level. Four challenges stand out.

Challenge 1: Inventory of AI agents

Most organizations lack a comprehensive inventory of deployed agents and the tools they connect to.

This lack of visibility arises from two factors:

• usage often develops outside traditional governance processes;
• integration modalities are heterogeneous (MCP, proprietary connectors, local code execution, platform‑native features, etc.).

The issue is not only inventorying the agents themselves but understanding their entire execution chain: interface, exposed tools, target applications, accounts used, data processed, and flows generated. Without visibility, no meaningful governance is possible.

Challenge 2: Attribute and govern AI agent permissions

Traditional IAM systems often lack a native, standardized object to represent an AI agent as a fully governable non‑human identity.

As a result, integration layers are registered as technical apps or service accounts. This leads to well‑known risks: excessive privileges, poor separation of duties, coarse controls, and inability to distinguish a human action from an agentic action.

The risk becomes substantial as the agent may become a privileged indirect access vector into the IS.

Challenge 3: Authenticate AI agents

Authentication presents the third challenge, on two distinct levels. First, the end user must be properly authenticated to ensure that the agent is not operating without an identity. But the agent itself—or at the very least the component acting on its behalf—must also be authenticated so that specific policies, appropriate restrictions, and proportionate oversight requirements can be applied to it.

This dual requirement is unprecedented in its complexity: with AI agents, the system must simultaneously manage the identity of the requester, the identity of the executing system, and the precise relationship between the two.

Challenge 4: Trace agent‑driven actions

The final challenge is that of traceability. In many current architectures, logs primarily allow us to observe the technical call sent to the target service. However, it remains difficult to reliably reconstruct:

• which user originated the request;
• which agent decided to execute it;
• the business context;
• the intermediate reasoning steps.

This lack of auditability undermines detection, investigation, and accountability. When a sensitive action is triggered, it must be possible to determine whether it resulted from a legitimate instruction, a misinterpretation, an autonomous deviation, an abuse of privilege, or a compromise of the input context—for example, through a prompt injection attack.

IAM as the reference framework for securing AI agents

Core IAM principles remain unchanged

In light of this transformation, one point must be made clear: the fundamentals of IAM do not disappear with agent-based AI. On the contrary, they become essential once again.

A well-managed information system is based on a few simple and robust principles:

• centralize authentication via a reference IdP;
• avoid generic accounts when nominative identities are possible;
• enforce least privilege;
• govern entitlements over time;
• ensure robust logs;
• clearly separate roles and execution perimeters.

AI agents do not invalidate these principles—they expose existing weaknesses and require adapting the IAM execution model to a new class of digital actors.

A four‑step security trajectory

1. Inventory use cases and agents

Identify:

• deployed agents,
• environments,
• tools,
• target apps,
• accounts and tokens,
• accessible data.

This inventory exercise is not merely a secondary documentation task; it is a prerequisite for any coherent access control policy. To carry it out, commercial tools are emerging, such as Microsoft’s Agent 365 solution.

2. Introduce a dedicated identity type for AI agents

The second step involves recognizing AI agents as a specific category of non-human entities. This classification is essential because it enables the implementation of differentiated policies: prohibitions on certain actions, restrictions to specific areas, requirements for prior approval, enhanced monitoring, or conditional restrictions.

This distinction is fundamental. A traditional application does not have the same level of autonomy, nor the same risk profile, as an AI agent capable of selecting a tool on its own, chaining together multiple actions, or reacting to an ambiguous context. IAM must therefore be able to determine not only who is acting, but also how the system is acting.

For example, a user may have the right to send an email or create a change request. This does not mean that an agent can execute this action without safeguards. Depending on the sensitivity of the process, a dedicated policy may require human validation, a restricted scope, or a complete prohibition.

3. Link authentication and rights to a central IdP + the end‑user

The third step involves bringing authentication under the purview of a central identity provider, so that access rights are managed consistently. The goal is twofold: to prevent the uncontrolled use of over-privileged technical accounts, and to ensure that the agent operates, as much as possible, within the limits of the permissions held by the user who initiated the request.

This does not mean that the agent must be transparent from a security standpoint. On the contrary, the challenge is to apply a logic such as: “even if the user has the right, the agent does not necessarily have the right to do so alone, in any context, and without additional oversight.

4. Introduce human approval for certain agent‑initiated actions

Securing AI agents cannot rely solely on authentication and authorization. It also requires defining the acceptable level of autonomy based on the criticality of the actions in question.

Three models are typically distinguished

Human‑in‑the‑loop

This is the most secure mode. The agent prepares the action, but its execution is contingent upon explicit validation. This approach should be prioritized for sensitive operations: financial transactions, changes to permissions, external communications on behalf of the company, access to sensitive data, actions with irreversible consequences, etc.

Its key advantage is that final validation is handled by a control interface independent of the agent’s reasoning. Even if the model has been influenced, manipulated, or simply deceived, the user or operator retains control over the decision.

Human‑over‑the‑loop

In this model, humans do not approve each action individually but oversee the execution and retain the ability to interrupt the process immediately. This approach may be suitable for frequent, well-defined, low-risk processes, provided that monitoring is effective, and the shutdown mechanism is fully operational.

Human‑out‑of‑the‑loop

Here, the agent operates autonomously without immediate human intervention. This level of autonomy should only be considered for very low-criticality use cases, in strictly bounded environments with limited scopes of action, robust compensatory control mechanisms, and explicit tolerance for residual risk.

For a CISO, the logic is simple: the greater the business, regulatory, or security impact, the closer the human oversight must be to the execution.

A clear target state—still constrained by several limitations

Functional obstacles

The target security model can be clearly defined. Its implementation, however, encounters several major functional obstacles.

The first obstacle concerns the lack of granular authorization mechanisms. Today, a user may want to ask an agent to perform a precise action on a precise resource. Yet available mechanisms often require permissions that are far broader than necessary. Processing an email may require opening access to an entire mailbox; scheduling a meeting may imply extended access to the user’s full calendar; interacting with a repository may require read or write permissions far beyond the expressed need. This mismatch is particularly problematic in an agentic context. Because an AI is inherently non‑deterministic in the way it selects and chains actions, overly broad access rights mechanically become a disproportionate risk. Secure adoption therefore requires moving toward finer‑grained, contextualized, temporary authorization mechanisms, proportionate to the specific request being made.

The second obstacle concerns authentication and identity propagation. In many cases, current architectures still rely on technical accounts, shared secrets, or authentication mechanisms that fall short of mature IAM governance standards. The target state, in contrast, requires that each action be explicitly linked to (i) the user originating the request, and (ii) the fact that this action was executed by an agent — which implies distinguishing between the identity of the initiator and the identity of the executing system, while documenting the delegation relationship between the two. In practice, this refers to controlled delegation mechanisms such as OAuth “On-Behalf-Of (OBO)” flows: the agent (or its orchestration layer) calls an API while carrying an authorization derived from the user, but with additional constraints (limited scope, reduced duration, contextual checks, conditional access policies). The objective is to reduce reliance on over‑privileged technical accounts while preserving a usable chain of accountability. At this stage, however, the market does not yet offer a fully homogeneous and interoperable model that covers authentication, fine‑grained authorization, traceability, and agent governance at scale.

A final foundational obstacle is traceability: every action must be linked explicitly to a clear and intelligible chain of responsibility. Without this capability, there can be no robust auditability, no effective control, and no defendable governance in front of business stakeholders, auditors, or regulators. And this obviously comes at a cost for SIEM platforms…

A fragmented market complicating security

From the perspective of enterprises, the difficulty is not only technical: it also relates to the overall maturity of the market. Agentic capabilities are proliferating faster than the security and governance standards needed to frame them in a consistent way. As a result, organizations must deal with heterogeneous solutions, in which identity models, audit capabilities, and control mechanisms vary significantly from one vendor to another.

Will MCP become the standard?

Some vendors expose their applications through MCP servers or comparable mechanisms, while others favor more closed, native integrations within their own ecosystems. In practice, there is still no fully homogeneous framework that satisfactorily covers authentication, authorization, traceability, governance, and the nomenclature of exposed capabilities.

Two trajectories can be envisioned:

• The first would be convergence toward a standardized foundation enabling interoperability across agents, tools, and platforms. Such evolution would facilitate large‑scale deployment, improve user experience, and enable more coherent enterprise‑wide governance.
• The second would be persistent fragmentation. In this scenario, each vendor would continue to favor its own mechanisms, security objects, and integration models. The consequences for organizations would be significant: multiplication of blind spots, heterogeneous controls, difficulty centralizing supervision, and practical impossibility of applying a homogeneous IAM policy across the entire agentic perimeter.

In the short term, market signals point toward co‑existence: interoperability initiatives are emerging, but major vendors continue to build logically integrated ecosystems. For CISOs, this means thinking not only “tool by tool” but also in terms of the ability to govern a portfolio of agents spanning multiple vendors.

Toward enterprise AI agent registries

The rise of AI agents justifies the emergence of a new governance object: the AI agent registry. Because an agent is an autonomous system capable of triggering actions, it can no longer be treated as an invisible application component. It must be identified, qualified, assigned an owner, embedded in a lifecycle, evaluated according to its scope of action, and subjected to specific rules.

Such a registry must ultimately be able to answer several fundamental questions:

• Which agents exist within the organization?
• Who is responsible for them?
• In which environment do they operate?
• Which tools and which data do they have access to?
• Which authentication mechanisms do they use?
• Which human validations are required?
• Which logs do they produce?
• When must they be reviewed, requalified, suspended, or retired?

Some identity providers are beginning to introduce capabilities dedicated to this new category of non‑human identities. This is an important signal. But market maturity remains early, and governance cannot be outsourced entirely to vendors. The real issue is fundamentally organizational: defining a model of responsibility, control, and security that is adapted to the growing autonomy of AI systems.

When should organizations address IAM for AI agents? Right now.

The rise of AI agents marks a major evolution in the transformation of information systems. By shifting from a logic of assistance to a logic of action, these systems fundamentally reshape security concerns: the challenge is no longer limited to controlling the data an AI can access, but also the actions it can execute, the privileges it leverages, and the responsibilities it triggers.

In this context, IAM becomes a structuring pillar. It provides the foundation needed to make agents visible, control their entitlements, trace their actions, and define the conditions under which their autonomy can be accepted. In other words, securing AI agents cannot rely on peripheral measures: it requires an integrated governance approach that combines identity, access control, supervision, and human validation.

For organizations, the objective is not to slow down the adoption of agentic AI, but to frame it within a sustainable trust model. This means making structural decisions today: mapping use cases, integrating agents into IAM frameworks, distinguishing human and non‑human identities, adapting authorization policies, and defining safeguards proportionate to the criticality of the actions delegated.

As architectures become standardized and market offerings mature, the organizations best prepared will be those that treat AI agents not as simple innovative assistants, but as new actors of the information system, subject to the same requirements of security, traceability, and governance as any other critical component.

The question is therefore no longer whether AI agents will find their place in the enterprise, but under what conditions of control. For CISOs, the matter is clear: the ability to industrialize agentic AI will depend less on the performance of the models than on the robustness of the IAM and governance framework put in place to supervise them.

If you, too, are questioning how to manage access for AI agents or wish to deepen the security of these emerging use cases, we would be delighted to connect. Feel free to reach out to share your challenges or to explore together potential approaches tailored to your context.

1. Wavestone – Global AI Survey 2025  – AI Adoption and Its Paradoxes: Global AI survey 2025 | Wavestone)
2. PagerDuty (2025) More than Half of Companies (51%) Already Deployed AI Agents. Pager Duty, March 2025. Available at: 2025 Agentic AI ROI Survey Results (Accessed: 2 January 2026)
3. Cybernews (2025) Unapproved AI Tools in the Workplace. September 2025. Available at: https://cybernews.com/ai-news/ai-shadow-use-workplace-survey/ (Accessed: 2 January 2026).

Cet article Securing AI Agents: Why IAM Becomes Central est apparu en premier sur RiskInsight.

In recent years, regulators have consistently urged insurers to adopt holistic strategies that extend far beyond traditional disaster recovery—embedding resilience throughout business operations and the entire software development lifecycle.

This paper aims to offer a comprehensive perspective on resilience, bringing together operational continuity, cyber defence, and third-party risk management. It can serve as a strategic guide for CxOs, outlining how to identify the Minimum Viable Company (MVC), market insights into sector-wide impact tolerance, and anticipate the evolving landscape of regulatory and cyber resilience through 2030.

Minimum Viable Company (MVC) framework

The FCA’s Operational Resilience Policy Statement (PS21/3) challenges insurers to pinpoint their Important Business Services (IBS) and develop strategies for maintaining these during severe disruptions. Though MVC is not named explicitly in PS21/3 (FCA’s Policy Statement on Building Operational Resilience, published in March 2021) organizations are advised to define their “minimum operational footprint,” closely aligning with MVC principles.

Think of the MVC as your organisation’s lifeline: those indispensable services, processes, technologies, and teams that maintain trust and financial stability, even when everything else must be paused.

Most organizations keep their MVC lean, just 15–17% of total business activity, backed by robust lists of mission-critical applications, core infrastructure, key data, and vital third-party relationships. This isn’t just compliance: it’s about identifying a modular, scalable foundation that lets your business isolate issues, recover fast, and keep delivering during systemic risks.

Informed by our extensive work with top UK and global insurance organisations, an indicative list of Core Services typically is:

Further examination of trends in impact tolerance, detailing standard timeframes observed and strategic rationale for core services identified within MVC.

Note: The following ranges are intended as guidance, reflecting our market study and regulatory advisory. Actual tolerances may vary based on factors such as the jurisdictions involved, the organization’s risk profile, and its financial capacity.

Regulatory trends: 2025–2030 outlook

As the insurance industry navigates evolving operational demands, it is equally crucial to anticipate the shifting regulatory landscape that will define the coming years. The following outlook highlights the major regulatory trends projected for 2025 through 2030, outlining key compliance requirements and anticipated changes that will shape the UK insurance sector’s risk management and reporting frameworks.

It is important to recognise that as regulations in this area continue to develop, UK regulators such as the FCA and PRA are moving towards greater alignment with major European frameworks, including the EU Digital Operational Resilience Act (DORA) and the Network and Information Security (NIS) Directive.

This alignment reflects a recognition of the interconnectedness of financial markets and critical services across borders, and the need for consistent, elevated standards of operational and cyber resilience.

The FCA and PRA have issued consultations and guidance signalling their intent to integrate core DORA and NIS principles—such as enhanced third-party risk management, harmonised incident reporting obligations, and sector-wide resilience testing—into the UK’s regulatory regime. This convergence ensures that UK financial institutions, insurers, and service providers are prepared not only for domestic regulatory expectations but also for the demands of operating within a global and digitally integrated market.

Boardroom resilience checklist

In light of these forthcoming regulatory changes and strategic reforms, it is essential for boardrooms to evaluate and reinforce their organisational resilience frameworks. The following checklist is designed to guide leadership teams in proactively assessing their preparedness, ensuring robust governance, and embedding resilience into core decision-making processes.

• MVC coverage: Is your Minimum Viable Company (MVC) clearly defined, mapped, and stress-tested across operations to maintain delivery of essential services
• Impact tolerance benchmarking: Have you validated realistic impact tolerances through scenario analysis, and benchmarked them against peer institutions and regulatory frameworks
• Third-Party risk visibility: Do you maintain real-time insight into key external dependencies, supported by contingency planning and contractual resilience provisions
• Integrated resilience functions: Are your operational resilience, cyber security, third-party risk, and enterprise risk teams aligned in strategy, decision-making, and board reporting to support a cohesive resilience posture
• Incident Response preparedness: Do you have robust mechanisms for multi-channel incident reporting (internal and external) and active regulator engagement, supported by rehearsed playbooks
• Cyber insurance alignment: Is your cyber insurance coverage tailored to your specific risk landscape, and tested against evolving threat scenarios across business-critical assets
• Board accountability: Have board members been trained in resilience and security oversight, and do they receive regular briefings from integrated risk functions to ensure informed governance
• Resilience culture: Is a resilience-aware culture embedded across the organization —from executive leadership to operational teams — fostering proactive risk ownership and continuous improvement
• Regulatory awareness & horizon scanning: Are we tracking global and local regulatory developments (e.g. EU DORA, FCA SS1/21, SEC cyber rules), and ensuring readiness and board-level awareness of compliance obligations

The UK insurance and reinsurance sector is well-capitalised, digitally evolving, and strategically positioned for growth. But resilience (operational, cyber, and third-party) remains the defining factor for long-term success. 

By thoughtfully harmonizing operational resilience strategies across function with leading global standards, organizations can elevate their industry standing and secure enduring stakeholder confidence. This proactive approach not only ensures compliance with a rapidly evolving regulatory landscape but also fortifies the ability to mitigate cross-border risks and respond decisively to unforeseen disruptions. In a world where digital threats and supply chain vulnerabilities transcend geographic boundaries, developing internationally recognised resilience is both a regulatory imperative and a cornerstone of successful, forward-looking business strategy.

In conclusion, executives must embed robust, integrated resilience frameworks for sustained growth and stability. By cultivating a culture of proactive risk management and regulatory awareness, institutions can position themselves at the forefront of operational excellence, prepared not just to withstand challenges, but to transform them into opportunities for long-term success.

Cet article Resilience by design: strategic imperatives for UK General & Reinsurance Insurers (2025 – 2030) est apparu en premier sur RiskInsight.

Every year since 2020, Wavestone has identified Swiss cybersecurity startups in its eponymous radar. While AI has established itself as a cross-disciplinary subject in all fields, the 2025 Radar focuses on the use of artificial intelligence as a tool, not just as a subject to be secured, but as a technology at the very heart of the cyber response.

Several startups are using AI to automate, enhance or personalize their solutions:

Egonym uses generative AI to anonymize faces in images and videos while preserving useful traits like age and emotion — striking a rare balance between privacy and utility.

Hafnova applies real-time AI to detect, block, and report threats across critical infrastructures with high responsiveness and minimal delay.

Aurigin combats deepfake-based fraud in real time using multimodal AI that simultaneously analyzes voice, image, and text to validate identities. 

RedCarbon delivers autonomous AI agents capable of handling complex cybersecurity tasks such as threat detection, hunting, and compliance monitoring — significantly reducing analyst workload.

Baited leverages AI and OSINT to generate hyper-realistic phishing simulations, enabling organizations to test and train employees under real-world conditions.

It’s good to see AI becoming an essential defensive weapon contributing to the defense of our information systems.

Strong momentum around threat detection, response and monitoring

The second strong trend this year is the emergence or reinforcement of startups specializing in intrusion detection, suspicious behavior detection, incident response and continuous supervision.

This segment, already well established historically, is undoubtedly gaining strength with several new entries:

RedCarbon: AI agents for threat detection & automated hunting.

Swiss Security Hub: continuous monitoring of SAP systems with XDR integration.

Cyberservices : XDR platform based on the Google ecosystem.

Hafnova: real-time cyber supervision in critical sectors.

Tirreno: on-prem platform for online fraud detection with user trust scoring.

At a time when cyber-attacks continue to increase in number and complexity, preventive, contextualized and autonomous detection is and will remain key to strengthening operational resilience.

New ground explored: digital sovereignty and secure hardware

Among the notable additions, The Cosmic Dolphins stands out with its sovereign hardware approach:

The Cosmic Dolphins: Swiss smartphones with dual-zone OS (Shark Zone / Dolphin Zone), kill switch, and hardware-first approach to privacy.

Swiss innovation isn’t limited to software: mastery of the physical infrastructure is becoming an issue of trust, sovereignty and differentiation.

Key Figures

Geographical focus: undisputed predominance of Lausanne and Zurich, but other regions are gaining ground

Unsurprisingly, most startups are located around two main technological clusters: Zürich and Lausanne. This confirms an already existing trend since these two cities are hosting Swiss Federal institutes of technology (ETHZ in Zürich, EPFL in Lausanne).

These universities are providing a fertile ground for startups as they offer support in terms of infrastructure but also in terms of collaboration with students and labs. In return, intellectual property is shared between startups and universities. This model is a success for Switzerland as it allows to continuously improve the economy of these regions with a good balance between investment and research.

Nevertheless, other regions such as Geneva and Ticino are showing increasing dynamism, with several new startups emerging in this year’s edition. This points to a gradually diversifying ecosystem, supported by regional initiatives like innovation hubs and dedicated startup incubators.

Methodology

Wavestone’s Swiss Cybersecurity Startups Radar identifies new players in the Swiss cyber innovation ecosystem. Its objective: to provide a global and critical view of an ever-renewing environment.

• Startups were selected according to our eligibility criteria:
• Head office in Switzerland
• Less than 50 employees
• Less than 8 years of activity (established as of 2017)
• Business model around a specific product (software or hardware)
• Startups were identified and evaluated according to the following procedure:
• Open Source Intelligence (OSINT) data consolidation
• Evaluation in regard to above criteria
• Qualitative interviews with the startups

Cet article Cybersecurity Startups Radar: 2025, AI at the service of cybersecurity est apparu en premier sur RiskInsight.

However, although companies recognize the importance of awareness content, very few manage to effectively deploy solutions adapted to their teams’ specific needs. In fact, as much as awareness is a priority, choosing the most suitable tool remains a challenge. Companies are confronted to a diverse range of options, from standardized online training to interactive and personalized tools.

A radar of +100 cybersecurity awareness solutions

In an environment where cybersecurity awareness is becoming a priority, the awareness solutions radar proves to be a strategic ally for companies. This tool provides a clear and structured view of available solutions, helping organizations identify the ones best suited to their needs.

A decision-making tool

The radar provides a comprehensive overview of options available and helps assess the size of the market. Thanks to the radar, companies can quickly identify high-performing and innovative solutions, while also distinguishing essential ones. To achieve this, the solutions have been grouped into 7 categories:

1. Maturity Assessment: Solutions offering robust cybersecurity maturity and human risk evaluation tools, going beyond reports or questionnaires
2. E-learning: Solutions providing a variety of structured learning modules
3. Technical Training: Solutions specifically designed for technical audiences (cybersecurity teams, IT, developers, etc.)
4. AI: Solutions based on artificial intelligence tools
5. Chatbot: Solutions integrating an interactive conversational agent
6. Phishing: Solutions specialized in phishing attack simulations, distinct from e-learning modules covering the topic.
7. Games: Solutions focused on gamification, offering engaging cybersecurity awareness activities.

This radar aims to provide a condensed view of our benchmark and is not a ranking. It is a curated selection based on several criteria, including company size, market presence (primarily in France), and our expert evaluation. We have intentionally limited the number of solutions presented to ensure a clear and strategic overview.

The selection favors French solutions, in line with our client base, while also including a few relevant international players. Additionally, only solutions whose core offer is product-oriented, rather than consulting services, have been included, to ensure a product-focused approach.

A benchmark for a tailored solution

The radar is based on a benchmark of over +100 solutions available on the market, providing a comprehensive overview of the cybersecurity awareness solutions’ ecosystem.

The benchmark is designed to guide your selection towards the most suitable solution. Companies fill in their criteria to generate a refined list of options: types of content (phishing, passwords, social engineering, etc.), types of formats (quizzes, videos, chatbot, e-learning, etc.), availability and flexibility of the solution, target population, price, languages, etc. This process helps avoid arbitrary choices and ensures the selection of a solution that is truly aligned with awareness challenges and objectives.

Thus, without trying to be exhaustive, the radar offers a wide range of options to best meet your organization’s needs.

Integration process into the benchmark

The process of integrating a solution into the benchmark is intended to be straightforward. Once a solution is identified, it is analyzed and sorted based on specific criteria, along with feedbacks from our Wavestone consultants. In addition, meetings with solution providers allow us to refine our analysis through demonstrations and the collection of additional information.

As such, a solution with a clear and intuitive interface, offering transcriptions in multiple languages, and covering a wide range of topics (phishing, cloud, chatbot, etc.) in an innovative way will be particularly relevant. If it also receives positive feedback from our consultants, it will have a strong chance of being included in the radar.

The benchmark and its radar also come with detailed presentations of certain solutions. Thanks to our expertise and strong convictions regarding awareness, some solutions deemed relevant have detailed profiles that include a more precise overview of the interface and expert opinions, enriched by discussions with vendors. These presentations not only help select the most suitable tool but also highlight often more effective yet lesser-known alternatives.

Integration process of a solution into the benchmark and radar

Disclaimer

Please note that this radar is a reduced view of the associated benchmark. If you notice that a cyber awareness player you know is missing from this radar, contact us so we can evaluate and add them.

Acknowledgements

We would like to thank Guillaume MASSEBOEUF for his contribution to this radar.

Cet article 2025 cybersecurity awareness solutions radar: how can I find the right solution for my needs? est apparu en premier sur RiskInsight.

This summer marks a major breakthrough in cybersecurity with the publication of the NIST standards for post-quantum cryptography. This publication is the culmination of many years of work, the standardisation process having begun in 2016, while the mathematical research has lasted decades. 

This news has been eagerly awaited by the cyber community, because the threat is so real: a sufficiently powerful quantum computer would render all current asymmetric cryptography obsolete. This would mean the impossibility of exchanging encryption keys, as well as the possibility of digitally signing documents. In short, it would mean the end of confidentiality and integrity guarantees for communications. 

It’s difficult to describe the extent of the consequences, with secure communications on the Internet becoming near enough impossible. 

To counter this, 3 new cryptographic standards have been identified: 

• ML-KEM (CRYSTALS-Kyber), the new main standard for encryption and therefore key exchange 
• ML-DSA (CRYSTALS-Dilithium), the new main standard for digital signatures 
• SLH-DSA (Sphincs+), the backup solution for backup signatures should ML-DSA prove vulnerable.

Note that a “backup” solution for encryption, FN-DSA (FALCON), will be released in the near future. 

The standards are published, but the post-quantum efforts are not over – quite the contrary! 

Integrations begin: editors and developers in action 

Publication of the standards means that the next stage in the post-quantum security process can begin: integration of the algorithms by the major players and developers of technological solutions.  

This work has already begun, of course, and includes the integration of post-quantum algorithms into the development roadmap of Tink1, Google’s well-known cryptographic library. Also worthy of mention is the partnership between IBM and Thales2 for complete post-quantum security, from VPN to TLS to digital document signing. Finally, Microsoft3 has also indicated that efforts are now underway for a post-quantum transition of their services, from cloud to on-premise. Even Apple4 in the consumer sphere has launched the migration of iMessage to post-quantum algorithms. 

But beware, post-quantum security is not suddenly a reality. It is and will be a long process which relies, in particular, on the efforts of all IT service providers. It’s encouraging to see that market leaders are taking this subject seriously. 

It’s up to large organisations to act!  

Post-quantum security doesn’t just concern GAFAM: all major organisations need to start transitioning to this new paradigm. We recommend that you start thinking about and adopting a post-quantum security strategy now, as US agencies are obliged to do so under the Quantum Computing Cybersecurity Preparedness Act (2022).  

There are many major stages in this migration strategy, and it obviously has to cover conventional IT systems. But we mustn’t forget industrial systems and embedded systems (vehicles, trains, connected objects, remote systems, etc.). For each of these areas, the following elements need to be consolidated: 

• An inventory of data and its security shelf-life, particularly for long-lived data, in order to prioritise safeguards. 
• An inventory of cryptographic solutions used in-house, to identify their origins and responsibilities (in-house, open-source, suppliers, etc.). 
• Each use of asymmetric cryptography must be the subject of a transition plan, including a POC. Note that symmetrical AES cryptography does not require any transition, with the exception of the move to AES256 for ultra-critical data (sensitive over several decades). For legacy systems, beyond the migration of encryption systems, it may be necessary to re-encrypt part of the stored data. 
• The entire cryptographic chain will obviously have to evolve, from PKI to certificates, via the various encryption and signature systems. We’ll also need to pay close attention to performance issues, particularly in embedded environments.  
• New projects must take post-quantum security into account right from the design stage: 
  • With the inclusion of post-quantum security criteria in the evaluation of service providers.
  • All in-house projects must include the use of post-quantum asymmetric cryptography, requirements equivalent to AES256 for symmetric cryptography, and guarantees equivalent to SHA512 for hashing. 

Given the scale of the task, a complete ecosystem of suppliers is emerging to support inventorying, risk assessment (via library or source code scanning) and action plan follow-up. This is the case at Thales, IBM and Sandbox AQ.  

But beyond the tools, it will be necessary to embark on a real transformation programme, mobilising IT teams, the business lines concerned, and also purchasing if the supplier stakes are high.  

This migration is also an opportunity to think more deeply about the management of “crypto agility”, because let’s face it, these algorithms are fairly “new”, and it’s not impossible that flaws will be discovered that will require upgrades. The transformation programme should not lead to a “one-off” migration, but rather to the mastery of agile cryptography within the organisation.  

History shows that it takes 3 to 4 years to initiate and complete this type of migration. And it won’t be easy to make headway on this issue, so invisible is it to the business world. Let’s hope that regulations, particularly in Europe, will bring the subject into the spotlight! 

Risks and timelines: when to act?  

Estimates vary as to when a quantum computer will be able to “break” state-of-the-art RSA encryption. Most place it between 2030 and 2040, with a concentration of estimates around 2033-2035. The NSA requires exclusively post-quantum cryptography from its software, firmware and network equipment suppliers as early as 2030, from 2033 for certain others (e.g. O.S.) and 2035 for all its suppliers. Post-quantum cryptography should be available as early as 2025 in certain cases. 

Even if nobody knows exactly when quantum computers will be sufficiently sophisticated, not being ready by 2033 means accepting risks that will have a serious impact on the most sensitive data. 

However, another threat exists today. We are all now exposed to the risk of “Harvest Now, Decrypt Later”, which consists in the large-scale storage of Internet communications for future decryption with a quantum computer (or when encryption keys are leaked). This risk obviously concerns entities with very specific capabilities, namely state agencies or groups of attackers backed by them. Only those organisations whose data is of strategic interest to these agencies are most at risk. It’s this particularity that has prompted migrations for some specific players.  

But for all of them, given the efforts required and the risk zone by 2030, it’s in the 2025 action plan that the first phases of assessment and construction of the project plan must be planned! 

Cet article Post-quantum cryptography is here: what are the consequences and actions for large organisations?  est apparu en premier sur RiskInsight.

Recruiting in cybersecurity is increasingly challenging, with 4 million jobs currently unfilled – a 13% rise from 2022 (ISC2 2023). As studies over the past three years have confirms, this challenge is only deepening, leaving CISOs struggling to recruit, manage, and retain skilled professionals. Diversifying the talent pool is also a priority, with women making up only 25% of the workforce.

At Wavestone, we’ve been actively following this subject and have developed a benchmark to assess companies’ maturity level on this subject. With data from more than 20 organizations, we’re ready to share our insights.

In this article, we’ll dive into the results and focus on key topics such as career path, recruitment, trainings, and retention plans. And for those who stick around till the end, there’s a little surprise waiting for you.

If you’re a CISO looking for practical solutions or just interested in cybersecurity talent management, this article is for you. Let’s tackle this challenge together.

A Global Maturity Score of 45% in Cyber Talent Management

Current Cyber Talent Management maturity stands at 45%, indicating significant room for improvement in this emerging field. The gap between the lowest and highest scores ranges from 27% to 62%.

On a positive note, there are strong performers in every area, suggesting that companies can benefit from sharing best practices. Ultimately, the goal is to build skilled and resilient cybersecurity teams.

The Energy sector has the highest maturity level, while Public & Institutions have the lowest. The graph above compares the maturity levels of various sectors on a scale from 0 to 100%. The sectors include Energy (58.2), Luxury & Retail (52.4), Services (50), Finance (45.9), Industry (47.2), and Public & Institutions (36.1).

Developing Career Path to Give Growth Perspectives to Talents

The cybersecurity field is facing a clear talent shortage. In 2023, 4 million cyber jobs were unfilled, and the figure is still increasing. Organizations have a real challenge to retain their cyber talents and to attract new ones. Yet a well-defined career path could help them. From an HR perspective, it empowers individuals to take charge of their own development, serves as a framework for self-assessing competencies and areas for growth, and supports individual fulfilment. However, building an effective career path requires careful planning and can take over a year to implement.

During our interviews with CISOs and Cyber Talent Managers, we observed that while 66% of the organizations have started initiatives to build their first cyber career path, these efforts are not yet fully materialized.

Real-world example based on a client assignment…

• In a client project, after several phases of reviews and workshops on cyber jobs and skills frameworks, we identified 11 new cyber skills and 6 cyber jobs and integrated them into the repositories. This then led to the creation of an initial career path dedicated to cybersecurity workforce.

A well-defined career path is the cornerstone of Talent Management and represents a strategic advantage for organizations in retaining and attracting talents, prompting many to take action.

Tips to Diversify Your Recruitment Pool

The cybersecurity talent pool is both limited and lacking in diversity, making recruitment a critical challenge for organizations. Despite women making up 50% of the global population, they represent only 25% of cyber professionals (ISC2 2023). This highlights the urgent need for more inclusive recruitment strategies.

Nowadays, traditional job descriptions often demand too much, deterring potential female candidates. Only 27% of the organizations have adapted them. Studies show men apply if they meet 60% of the criteria, while women tend to wait until they meet 100%. Rewriting descriptions to be more inclusive, with input from female reviewers, can broaden their appeal.

In addition, few companies focus on internal (5%) or external (22%) branding, yet these strategies work. Transparent branding and communication can help to demystify cybersecurity roles, attract a more diverse talent pool and boost internal mobility, making them valuable recruitment tools.

Offering Trainings to Reduce Skills Gaps Within Your Organization

Cybersecurity skills gaps are a major issue, with 92% of professionals reporting deficiencies and 75% finding the current landscape the most challenging ever (ISC2, 2023).

Our benchmark shows only 33% of companies have a skills-mapped training catalogue, and 94% address training reactively, based on demand. This reactive approach misses chances for proactive skills development. Effective training is crucial for equipping employees with the skills needed to handle evolving cybersecurity threats and trends.

Real-world example based on a client assignment…

• Automated Training Paths: implemented an automated tool that can generate personalized training paths based on employees’ needs and skills level.
• Consolidated Training Catalogue: a unified training catalogue, mapped to the 17 new cyber skills and 16 new cyber jobs, offering a clear development roadmap for employees.

Enhancing Retention Through Effective HR Collaboration

Collaborating closely with the HR team to create a robust retention plan is essential for organizational success. While many companies have processes to support talent development, these are often not formalized, leading to challenges in daily management.

Companies need to start by assessing the unique skills and strengths of each team member and determine how to best leverage them for the organization’s goals. Conducting individual interviews is a valuable strategy in this regard. Managers can gain insights into each employee’s current career stage and future aspirations. This information allows them to craft personalized development plans that align with their goals.

However, it’s important to remember that a retention plan is not a one-size-fits-all solution. It should be flexible and adaptable, capable to evolve with the changing needs of your team and the cybersecurity landscape. By working with HR to implement a tailored, adaptive plan, you ensure that your cyber talent feels valued, motivated, and committed. Remember, effective retention is as crucial as attracting top talent, so make strategic collaboration with HR a key component of your talent management strategy.

A²BCⁿ framework: A Framework to Care for your Talents and Secure your Business

In conclusion, caring for talent is essential to securing your business. The A²BCⁿ framework provides a structured approach to achieve this. By focusing on Assessing and Attracting talent, Building Trust with your talents, and Caring and Nurturing your team, this mixed approach, blending cybersecurity and HR strategies, ensures an effective and resilient team ready to meet tomorrow’s challenges.

Cet article Navigating The Cybersecurity Talent Management Maze: A Guide for Talent Management Enthusiasts est apparu en premier sur RiskInsight.

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), shared with contractors and subcontractors of the Department of Defense (DoD) through acquisition programs, as defined by Executive Order 13556.

The CMMC 2.0 Proposed Rule, published on December 26, 2023, represents the latest evolution of the CMMC cybersecurity model.

On June 27, 2024, after adjudicating nearly 2,000 comments, following a 60-day open-comment period, the DoD submitted a draft of the CMMC 2.0 Final Rule (32 CFR) to the Office of Information and Regulatory Affairs (OIRA) at the White House.

The summited draft represents the final step before the CMMC 2.0 rule is published in the Federal Register. As the final draft has been submitted the focus now shifts to the timeline for when the CMMC 2.0 regulation will take effect and be enforced.

Before addressing this shift in focus, it is essential to understand that the security requirements, upon which CMMC 2.0 Level 2 is founded (NIST SP 800-171), have been mandatory for DoD contractors handling sensitive information since December 2017, when the DFARS clause 252.204-7012 was included in DoD contracts. However, during this period, compliance mostly relied on self-attestation without a robust enforcement mechanism, leaving the DoD unable to verify adherence. As a result, many contractors neglected to fully implement the required controls.

To address this issue, the DoD launched the CMMC program, which essentially serves as the mechanism through which the DoD will verify compliance with the requirements outlined in DFARS clause 252.204-7012 (NIST SP 800-171), mandated in contracts since 2017.

As the DoD puts it: “A key difference between the DFARS 252.204-7012 and CMMC Level 2 requirements is that compliance with NIST SP 800-171 under DFARS 252.204-7012 has not been consistently verified. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.“

The significant change introduced by CMMC, requires contractors to obtain certification through assessments conducted by a CMMC Third Party Assessment Organization (C3PAO) to demonstrate compliance to retain and secure DoD contracts.

CMMC Rulemaking Timeline

The CMMC rulemaking timeline is summarized below based on publicly available information as of July 17, 2024.

As with all federal regulations, CMMC requires a legal basis for implementation. Therefore, to determine when the CMMC 2.0 regulation will come into effect, we need to understand the rulemaking process behind CMMC 2.0, involving two rules from the Code of Federal Regulations: 32 CFR and 48 CFR.

For the CMMC 2.0 regulation to come fully into effect, two things need to happen.

1. The 32 CFR CMMC Final Rule has to come into effect. This rule outlines and codifies the CMMC program and will allow CMMC third-party assessments to begin, known as the “market rollout“.

The 32 CFR CMMC Final Rule is estimated to be published no later than October 26, 2024, after OIRA’s review of up to 120 days, and will come into effect approximately 60 days later, in late Q3 or early Q4 2024.

2. 48 CFR CMMC Final Rule must come into effect. This rule revises the DFARS clause 252.204-7021 to point to the CMMC program (32 CFR) and will introduce CMMC compliance as a contractual clause gradually over 3 years, known as the “phased rollout“.

The 48 CFR Proposed Rule was submitted to OIRA in May 2024. After a 90 to 120-day regulatory review and an initial 60-day public comment period, the Proposed Rule will undergo another 60-day public comment period, followed by a Final Rule review and adjudication process, estimated to take 150 to 280 business days. The 48 CFR Final Rule is expected to come into effect around Q3 or Q4 2025 but could be sooner, as it revises an existing, small clause (DFARS clause 252.204-7021).

The 32 CFR is the Starting Gun for the CMMC Race

While the effective date of the 48 CFR Final Rule (expected in Q3 or Q4 2025) will determine when the CMMC 2.0 regulation is mandatorily included in contracts, known as the “phase-rollout,” it’s a significant misconception that the pivotal milestone for the start of the CMMC race is the effective date of the 48 CFR.

Indeed, the kickoff for the CMMC race will be determined by the effective date of the 32 CFR Final Rule (expected late Q3 or early Q4 2024), not the 48 CFR Final Rule.

The 32 CFR Final Rule will trigger the “market rollout“, which will allow CMMC assessments to begin. Once these assessments are available, prime contractors (e.g., Lockheed Martin, Boeing, Raytheon) will likely require subcontractors to obtain CMMC certification as soon as possible, well before DoD does through the “phased rollout“, to maintain their competitive edge and mitigate the risk of non-certified suppliers jeopardizing their own certification status.

Midnight Rulemaking and CMMC 2.0

In the past 6 months, there has been a notable acceleration in the CMMC rulemaking process. This is evident in several key milestones, including the publication of the 32 CFR Proposed Rule in December 2023, the submission of a 48 CFR Proposed Rule to OIRA in May 2024, and most recently, the submission of the 32 CFR Final Rule to OIRA in June 2024. This phenomenon is often referred to as “Midnight Rulemaking“, which describes the rush to finalize regulations in the final months before a presidential administration concludes.

Thus, if we anticipate the 32 CFR Final Rule to be finalized and effective in late Q3 or early Q4 2024, given the Department of Defense’s strong motivation to complete the CMMC regulations before the U.S. 2024 elections, there is a very strong possibility it will become effective before November 5, 2024.

Don’t Wait for the Starting Gun to Begin the CMMC Compliance Journey

The DoD anticipates that it will take two years for companies with existing contracts to become CMMC certified, assuming they have already implemented the NIST SP 800-171 Rev. 2 requirements as per DFARS clause 252.204-7012. This extended timeline is due to several factors:

1. Once 32 CFR becomes effective, CMMC third-party assessments for CMMC Level 2 will commence, requiring organizations to achieve 100% self-attestation readiness before undergoing assessment. This preparatory phase demands significant time and effort.
2. On average, organizations spend between 12 to 18 months preparing for a CMMC Level 2 assessment.
3. Due to a shortage of CMMC assessors, organizations may expect to wait approximately 9 to 15 months (3 to 5 quarters) for a CMMC assessment.

Therefore, to stay prepared for future DoD contract opportunities and maintain a competitive edge, it is recommended that organizations begin their CMMC compliance process today.

Feel free to reach out to discuss your CMMC journey with us and explore how #Wavestone can assist you in navigating the intricate landscape of CMMC 2.0 compliance, supporting your path to certification, and enhancing your cybersecurity readiness into a strategic advantage.

Our CMMC 2.0 Compliance Services:

1. CUI Identification:
   • We assist in identifying Controlled Unclassified Information (CUI) within your organization to ensure compliance with CMMC requirements.
2. CMMC Assessment Scope Identification:
   • We help define and minimize your CMMC Assessment Scope to stay cost-effective and pragmatic. By clearly identifying the scope, we ensure that all necessary systems and processes are included while avoiding unnecessary complexity and costs.
3. CMMC Readiness Assessments:
   • Our experts conduct CMMC Level 1 and 2 readiness assessments, evaluating your current state against the respective assessment objectives (e.g., NIST SP 800-171A) to provide you with actionable recommendations.
4. CMMC Compliance Roadmap Definition:
   • We work with you to define a clear roadmap to achieve CMMC compliance, tailored to your needs, whether for CMMC clusters or all-in scenarios.
5. CMMC Implementation Support:
   • We offer comprehensive guidance and support throughout the implementation phase, helping you effectively integrate the required controls and reach CMMC 2.0 compliance.

Cet article Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking est apparu en premier sur RiskInsight.

These incidents, commonly referred to as “supply-chain attacks”, involve targeting an organization’s downstream third parties (e.g., partners, vendors) to gain access to valuable systems. In the Bank of America case, the compromised third party responsible for this breach, was Infosys McCamish Systems (IMS), an insurance process management services provider.

This breach resonates with the infamous SolarWinds cyberattack, where Nobelium hackers inserted malicious code into the SolarWinds Orion platform, enabling them to infiltrate numerous government systems, including the U.S.’ Homeland Security, State, Commerce, and Treasury, as well as private systems worldwide.

As corporate IT architectures are arguably a mere reflection of a company’s intricate web of business relationships, these events serve as a stark reminder that organizations are not isolated entities but rather hubs of interconnected and co-dependent partners and third parties. Achieving a robust cybersecurity posture requires more than individual efforts; it demands cultivating a secure ecosystem of thoroughly vetted trusted partners to effectively safeguard the entire supply chain required for product delivery (TPRM).

However, building such an ecosystem poses challenges. Many companies lack the resources to exclusively select leading, cutting-edge, and trusted third parties or may lack the leverage to demand transparency from existing partners.

Drawing lessons from the SolarWinds cyberattack, and amid heightened geopolitical tensions (see Chinese cyberattacks on U.S. infrastructure at an unprecedented scale), the Department of Defense recognized this challenge and responded with the development of a solution for securing the supply-chain ecosystem of the Defense Industrial Base (DIB) called the CMMC.

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), that is shared with contractors and subcontractors of the Department of Defense (DoD) through acquisition programs.

The CMMC 2.0 Proposed Rule Release, published on December 26, 2023, represents the latest evolution of the CMMC cybersecurity model, poised to supplant the preceding CMMC 1.0 with a more pragmatic approach. Following its release, the proposed policy underwent a 60-day open-comment period, which concluded on February 26, 2024. The new regulation is anticipated to be finalized by late 2024 or early 2025.

The CMMC 2.0 is aimed at safeguarding sensitive national security information by protecting the Defense Industrial Base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. It streamlines requirements to three levels of compliance and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. The specific security requirements and assessment types (self-assessment, third-party assessment, or DoD assessment) vary based on the level.

• Foundational (Level 1): Targets organizations handling FCI (e.g., contract performance reports, organizational charts). Compliance mandates strict adherence to the 15 security requirements outlined in FAR clause 52.204-21, through an annual self-assessment.
• Advanced (Level 2): Targets organizations handling CUI, including Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, and Personally Identifiable Information (PIIs). Compliance requires adherence to 110 security requirements based on NIST SP 800-171 Rev. 2. Assessments are conducted by third-party organizations known as CMMC Third Party Assessment Organizations (C3PAO) tri-annually or through an annual self-assessment, depending on the sensitivity of the underlying CUIs.
• Expert (Level 3): Targets organizations handling CUI for DoD programs with the highest priority. Compliance entails adhering to the 110 security requirements based on NIST SP 800-171 Rev 2 and an additional 24 security requirements based on NIST SP 800-172. These organizations undergo tri-annual assessments conducted by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Organizations must obtain a CMMC Level 2 Final Certification before scheduling a DIBCAC assessment for CMMC Level 3.

The results of all assessments conducted on DIB organizations are consolidated within the Supplier Performance Risk System (SPRS). The SPRS (pronounced “Spurs”) is Department of Defense’s web platform that collects, processes, and retrieves data on supplier performance within the Defense Industrial Base, enabling the DoD to map the DIB’s business network cyber maturity, assess supplier performance, and evaluate risks related to contractual obligations.

By deploying this mandatory certification model, the DoD is at the forefront of establishing a comprehensive, secure, end-to-end supply chain framework within the DIB, hopefully enhancing long-term U.S. national security. Simultaneously, the DoD underscores that security is no longer optional; it is an integral aspect of business operations.

CMMC 2.0 assessments are expected to become available around Q4 2024 (once 32 CFR is finalized). Prime contractors will expect sub-contractors to achieve CMMC compliance before Q3 2025, when CMMC 2.0 takes effect. Starting October 1, 2025, CMMC certification will be mandatory at the time of contract award.

If you require assistance navigating the intricate landscape of CMMC 2.0 compliance or need support on your path to certification, #Wavestone is ready to empower your journey. Reach out today and elevate your cybersecurity readiness into a strategic advantage.

Cet article The DoD Strikes Back: Enhancing Supply Chain Cybersecurity with CMMC 2.0 est apparu en premier sur RiskInsight.

Bug Bounty? A Bug Bounty program is a crowdsourcing initiative wherein ethical hackers are rewarded by companies for finding and reporting vulnerabilities.

In the ever-evolving landscape of cybersecurity, the banking and public sectors have increasingly embraced various vulnerability disclosure initiatives. Reflecting on Wavestone’s 2021 report, it’s crucial to understand the three key approaches that shaped the previous research:

• Vulnerability Report Channels (VRCs): These are the first step toward a bug bounty program, a web page providing basic instructions to hackers and a reporting channel.
• Vulnerability Disclosure Policies (VDPs): These policies outline how an organization receives and responds to disclosed vulnerabilities from external parties. The existence of a VDP implies the presence of a VRC as part of its framework.
• Bug Bounty Programs (BBPs): An advanced form of VDPs, and alongside the policy, BBPs offer financial rewards for reporting security vulnerabilities, incentivizing the discovery and disclosure of security issues. It can be accessible to anyone (public) or a small number of hackers (private).

These initiatives are not just procedural but bring significant benefits. They enable earlier detection of vulnerabilities, foster a culture of transparency and continuous improvement, and leverage the global cybersecurity community’s expertise to enhance security measures. By incentivizing ethical hacking, organizations can stay one step ahead of potential threats, protecting their data and systems more effectively.

Overview of Research

This study, leveraging data up to Q3 2023, examines the adoption and impact of these cybersecurity measures in the banking and public sectors. The research methodology involves a thorough analysis of current trends, regulatory landscapes, and the effectiveness of BBPs in enhancing digital security.

Banking sector insights

The banking sector, serving as the backbone of the global financial system, has shown a remarkable transformation in its approach to cybersecurity. The analysis of the world’s top 100 banks between 2020 and 2023 reveals significant developments in the adoption of cybersecurity measures. Here are some key insights:

• Increase of VRCs and VDPs: There was a marked increase in the implementation of VRCs and VDPs, by 2023, 34% of the top 100 banks had at least one active VRC, and 26% had implemented a VDP.
• Geographical Trends:
  • Dominance in Europe and North America: Banks located in the United States and European countries demonstrated higher adoption rates of VRCs and VDPs. Delving deeper into the continent analysis, Figure 1 shows that North America, with 72% of banks implementing VRCs against Europe’s 49%, continues to be ahead in adopting cybersecurity initiatives.

• • Asia and South America: Despite managing 46% of the assets across 43 banks, only one implemented a VDP, indicating a slower pace of adopting for these kinds of programs.
• Stale number of Public BBPs: The data showed a stagnation in the number of public BBPs, with only 5% of the banks operating a public BBP as of 2023. This suggests a cautious approach towards publicly inviting vulnerability disclosures.
• Notable Countries: The Netherlands stands out with a 100% adoption rate of vulnerability disclosure programs among its top banks. This demonstrates a strong national commitment to cybersecurity.
• Platform Utilization: Most banks preferred developing in-house programs for vulnerability disclosure, with a few opting for external platforms like BugCrowd, Synack, and HackerOne.

Luxembourg: A Case Study

Luxembourg’s banking sector case study focused on 5 retail and 17 private banks, provides a snapshot of current cybersecurity practices:

• Overall low Adoption Rates: Only a minority of the 22 banks have embraced structured cybersecurity programs. Specifically, only 7 out of 22 banks have established VRCs, including only 5 banks which adopted VDPs and just 1 bank which implemented a Public BBP.
• External hacker Interest: Some banks received external reports through OpenBugBounty.org, demonstrating hackers’ interest in showing vulnerabilities, despite not having a formal active program.
• Overall Trend: The sector shows a need for more consistent adoption of structured cybersecurity strategies, especially considering the high stakes in private banking.

Public Sector Analysis and Regulation

The public sector’s approach to cybersecurity, especially within the EU27, shows a complex and evolving landscape. Key aspects of this analysis include:

• Growth in Coordinated Vulnerability Disclosure (CVD): Compared with ENISA’s 2021 study, there has been a significant increase in the adoption of active CVD policies. The number of EU27 Member States with active CVD has risen from 4 to 11, indicating a growing emphasis on structured cybersecurity strategies.
• The UK’s Proactive Stance: Despite being outside the EU27, the United Kingdom has made remarkable efforts in implementing active CVD. This highlights the UK’s commitment to maintaining robust cybersecurity standards.

Conclusion and Future Outlook

As the digital world advances, the significance of vulnerability disclosure programs is increasingly clear. They represent not just a trend, but a fundamental shift in how organizations approach cybersecurity:

• The Rise of Vulnerability Disclosure: A dynamic and rapidly expanding area, these programs are becoming essential in the banking and public sectors.
• European Regulatory Momentum: With the EU’s NIS2 directive and forthcoming legislations like the CRA, there is a robust push for national CVD policies and organizational VDPs/BBPs.

At Wavestone, we understand the importance of staying ahead in this evolving scenario. We are here to help you navigate these changes effectively. Reach out to us for expert guidance in strengthening your cybersecurity position.

Cet article Bug Bounty: Insight and benchmark on the banking and public sectors 2024 est apparu en premier sur RiskInsight.

You may have seen the big headlines pointing out talent shortage issues in the latest news – that is sadly not a fake news. The talent war really exists in the cybersecurity market. Over the past months, we read numerous articles, academic papers, reports on this emerging subject; we discussed with CISO and Talent Managers (a real full-time job!) and the 3 main challenges remain the same: how to recruit, manage and nurture our talents?

In this article, we have compiled the different situations, our observations, and the initial lessons we can draw from the actions put in place to meet these challenges.

Take a moment to analyse the strengths and weaknesses of your team to identify the complementary skills and competencies you need to look for…

Beyond just filling the roles, it is essential to gain a strategic vision of the skills to draw up a sustained cyber division. Your mantra for this stage must be: “Getting the right people for today… and tomorrow!”.

When people’ skills match their roles, tasks are performed efficiently, with everyone contributing to a more (cyber)secure organization. I doubt anyone will contradict me here, but it’s often easier said than done.

Here are the first questions you can ask yourself to get moving in the right direction…

Do you know what you need? Have you defined all the cyber activities you need to run? Have you defined your “make or buy” (internalization vs outsourcing) strategy? Have you identified the skills and the people needed to run these activities?

This is a non-exhaustive list of questions that as an organisation you should ask yourself to better capture your need and know your people before launching a roadmap of actions.

Knowing your need and team is important as it: (1) helps for task allocation: before, cyber teams were smaller, therefore, versatility was crucial. Nowadays, bigger cyber teams make specialization possible and facilitate the optimization of complementary skills (2) helps to target training and development: having a clear vision on your team and its activities helps you identify skill gaps and provide the appropriate training and development opportunities to the people who need it the most. With the identified missing skills in one hand, and the identified needs in another hand, you can start seeking for your ideal candidates thanks to a job offer that speaks volumes (but don’t look for purple squirrels, they don’t exist)!

Keep an eye on the upcoming insights and focus on the cyber job descriptions topic!

Fueling Team Today, Attracting Tomorrow: The recipe for Sustained Cyber Teams

That is to concretely explain what cyber is and what its activities are. #transparency

Based on the discussions with CISO and Talent Managers, being transparent on the job description works and gives people a sense of belonging and purpose, which in turns promotes a better teamwork.

Let us share some concrete and easy actions that you can do to get things moving:

• Promote internally the cyber jobs and the people behind the jobs: by explaining concretely what working in cybersecurity means, what the positions available are, and what the people really do, you can inspire people to join your team, increase internal mobilities, strengthen the sense of belonging to the cyber division, and give perspective to your team.
• Promote externally your cybersecurity activities: make yourself visible by participating to cyber associations and key conferences (school events, collaborations with universities, research institutions, or organisations, etc.).
  • Organise/participate to upskilling/reskilling workshops (transferable skills).
• Include inspiring people in your recruitment process and branding (such as CISO, team lead, etc.

Cybersecurity is still an obscure topic for those outside the cyber world. To fix that, everyone needs to start explaining what they do.

Mastering the art of taking care of your people

By now, you must know that it’s a great asset to know who your team is, who your people are, who you really need to run the cyber activities, to have a great branding to attract people. But what will make the difference in the long run is to take good care of your people by offering a safe work environment and giving perspectives of evolution. When what is coming next is clear, it is easier for the people to project themselves in the company in the years to come.

And before taking care of their people, CISOs also need to take care of themselves. 40% of the CISOs say that they experience “high-stress” on a daily basis and 28% of them are close to burn-out (Cyber Workforce Study, ISC²). Tough to take care of people if you don’t take care of yourself first…

To avoid this, CISOs need to build a trusted relationship with their top management in order to be able to define the strategic objectives, prioritize the activities, obtain the resources, etc. And it is essential to know how to surround themselves with reliable individuals to delegate tasks and create an effective operational strategy.

Recruiting is just the beginning of the journey; nurturing is the ultimate goal. Nevertheless, organisations tend to forget (neglect) this last, but perhaps most important point. It’s like getting an ISO 27001 certification, quite easy (of course, it requires work!) but maintaining it, is the real deal.

In order to provide perspectives for team members, we need to establish career paths with their “pathways” and the means available to evolve on these paths: skills required per job and key milestones, training catalogue, internal mobilities, personalized evaluation process, etc.

Nurturing your talents means helping them to develop and strengthen their skills/capabilities through trainings, teamwork with colleagues or with cyber associations, giving them perspective of evolution/growth within your company. As a human-being, we need to know where we stand and where we are going, we need a vision to get us moving (in our life #existentialcrises).

If we take the example of the Maslow’s hierarchy of needs, people need to have a sense of belonging and feel that they are useful. Thus, part of nurturing talents also means creating a “team spirit” via rituals. It is not a secret that a friendly work environment/atmosphere is a crucial criterion when choosing a job and can increase people’ productivity by 12% (University of Warwick, UK), especially for young people nowadays.

Giving perspective of growth/evolution is essential, especially for experts. Many organizations still view management as the only path to success, but in certain sectors like industry, we can observe a shift. Expertise is increasingly valued as an alternative success route to management; some may combine both, but it is not a necessity. Therefore, expertise circles are key to give recognition to experts in and outside of their organisations – give them the opportunity to attend specific cyber events that can also enables them to grow their network and acquire more skills.

In a nutshell, attracting and nurturing talents take time, and talent recruitment emerges as a pivotal element in corporate strategies. By embracing diversity and promoting gender convergence, we venture into new dimensions to build robust, thoughtful, and resilient teams.

We aim to open the cyber field to those unfamiliar, fostering diversity, and creating vocations. Let’s reach out to people; and let’s not wait for them to come to us.

We have created a benchmark tool to explore this multi-faceted topic (along with the ongoing research) and assess organisation’s maturity. Reach out to us if you would like to be part of it! We would be very delighted to share with you the good ideas we have collected on the market… and the traps to avoid.

Unicorns (don’t misunderstand me, I am not talking about start-ups), Purple Squirrels, Ninja, Rockstars, don’t exist but if we combine diverse profiles, we can get this highly qualified team!

Cet article The Quest for Cybersecurity’s Purple Squirrels: How to Find and Keep Them est apparu en premier sur RiskInsight.

Acquisitions are an ideal time for attackers. With heterogeneous levels of security or uncontrolled interconnections, it becomes possible to attack the acquiring company by rebound, using the acquired company as a gateway.

To manage these risks, cybersecurity must be a key factor in the success of acquisitions and mergers, from the due diligence phase onwards.

Variable cyber needs

Cyber due diligence can bring significant value to cyber, IT and business teams. The results can be used to support decision-making at several levels.

1. Understanding the level of maturity of the target company: analysing security practices and identifying gaps in relation to the acquirer’s standards in order to understand the cyber risks incurred during the integration of the new IS.
2. Test the level of security of a solution (mainly IT or Cyber): ensure security and resilience to confirm the value assessment (compliance with secure development practices, absence of critical vulnerabilities, preventive security measures, etc.).
3. Estimate the cost of the integration: assess the cost of upgrading on the basis of the security debt and the charts to check the relevance of the operation and negotiate the acquisition price which absorbs the integration costs as far as possible.
4. Assess reputational risks: ensure compliance with regulations, particularly on personal data, and the absence of intrusions that could damage the reputation of the acquirer after the transfer of ownership.

Cyber due diligence remains nonetheless a special exercise. The company under review (target) does not yet belong to the acquiring company, and the constraints imposed by the teams in charge of the operation or by business teams can be tough.

A business context to take into account when choosing the cyber due diligence method

On the acquirer’s side:

• The budget: the choice of method is correlated to the availability of cyber security teams or a dedicated budget for calling in an external service. It is preferable to secure a contingency with the M&A teams before any operation, to leave yourself a margin of choice.
• Time: business or competitive constraints can have an impact on the due diligence period. The choice of method depends fundamentally on the time given to the cyber teams to conduct their investigation.

On the identified company side:

• Size: the due diligence method must be consistent with the size of the target company’s information system, the nature of its assets and the types of technology used.
• The “balance of power”: the difference in weight between the acquirer and the target company has a major influence on the possibility of conducting an in-depth and transparent cyber analysis (ability to obtain information, evidence, interviews, tests, etc.).
• The core business: the valuation must focus on what makes the identified company valuable, particularly when it comes to an IT product or know-how.

Based on these criteria, as well as existing processes, the cyber and M&A teams work together to choose the method best suited to their needs and the situation.

Cyber due diligence for every operation

Non-intrusive methods

The cybersecurity team may opt for non-intrusive due diligence methods when they have limited resources or when the target company is coveted by other potential acquirers.

1) The security essentials questionnaire is used to measure the pre-identified company’s maturity in terms of the key areas. It has the advantage of being easy to deploy, without imposing a major burden on either the target company or the acquirer.

• Our conviction: it is particularly well suited to assessing the cyber maturity of small companies (fewer than 50 employees). This questionnaire is to be defined by the cyber security teams in collaboration with the IT and M&A teams.

2) “Automatic” cyber-scoring tools can be used to measure the level of security of assets exposed on the Internet. They have the advantage of providing security teams with an immediate view. Beware, however, that their results can be simplistic, as these tools only focus on the tip of the iceberg (what about partner management, cloud security, etc.).

• Our conviction: we do not recommend prioritising their use in a cyber due diligence context, but they do have the advantage of providing a wealth of additional information quickly if your company has already subscribed to an offer.

In-depth methods

The cybersecurity team can opt for more in-depth due diligence methods when they have the human or financial resources and a “favourable balance of power” in the negotiation of the operation.

1) The Due Diligence questionnaire, based on the acquirer’s internal cyber standards, is used to measure the target company’s level of maturity and to identify any deviations from its own policies and standards, an essential prerequisite for quantifying the potential cyber integration costs.

• Our conviction: this is the most widely used method on the market, and enables us to prepare for the integration (integration scenario, cost scenario, planning, etc.). This questionnaire is to be defined by the cyber security teams in collaboration with the IT and M&A teams.

2) Cyber assessment platforms (such as Cybervadis, Risk Ledger, CyberGRX…) can be used to assess the target company’s level of maturity in relation to benchmark security standards, and sometimes even to obtain upgrade action plans.

• Our conviction: the use of platforms is worthwhile if the target company is already registered/assessed. This also allows to pool resources with your “third party” approach (see RiskInsight article on third party management here). Otherwise, it often takes too long.

3) The technical audit provides an in-depth measurement of the level of exposure of a company or asset. Although penetration testing remains the most comprehensive audit, there are other types of tests that are easier to implement in a due diligence context (AD configuration scan, architecture audit, EDR report, report on penetration tests already carried out, etc.).

• Our conviction: it is generally impossible to carry out tests before closing (the assets have not yet been purchased). In the absence of comprehensive tests, the free version of PingCastle provides a simple, accurate and rapid overview of the security level of Active Directories.

While Cyber Due Diligence is a necessary pre-requisite for all M&A operations, it should serve as a leitmotiv for bringing together cybersecurity, M&A, and IT teams to best guide companies in their transformation.

Finally, there are situations in which Cyber Due Diligence could not be carried out (confidentiality, tight schedule, competitive pressure at the time of the operation, etc.). Cyber Due Diligence is often transformed into a 360° audit carried out post-signing/closing. This audit has a new objective: to help define the integration strategy.

–

We’d like to thank Arielle Attias for her contribution to the writing of this article.

Cet article Cybersecurity: an essential part of the Due Diligence est apparu en premier sur RiskInsight.

While there have been significant advancements, there are also challenges. For instance, Samsung’s sensitive data was exposed on ChatGPT by employees (the entire source code of a database download program)[1]. Compounding these challenges, ChatGPT [OpenAI] itself underwent a security breach that affected over 100 000 users between June 2022 and May 2023, with those compromised credentials now being traded on the Dark web[2].

At this digital crossroad, it’s no wonder that there’s both enthusiasm and caution about embracing the potential of generative AI. Given these complexities, it’s understandable why many grapple with determining the optimal approach to AI. With that in mind, the article aims to address the most representative questions asked by our clients.

Question 1: Is Generative AI just a buzz?

AI is a collection of theories and techniques implemented with the aim of creating machines capable of simulating the cognitive functions of human intelligence (vision, writing, moving…). A particularly captivating subfield of AI is “Generative AI”. This can be defined as a discipline that employs advanced algorithms, including artificial neural networks, to autonomously craft content, whether it’s text, images, or music. Moving on from your basic banking chatbot answering aside all your question, GenAI not only just mimics capabilities in a remarkable way, but in some cases, enhances them.

Our observation on the market: the reach of generative AI is broad and profound. It contributes to diverse areas such as content creation, data analysis, decision-making, customer support and even cybersecurity (for example, by identifying abnormal data patterns to counter threats). We’ve observed 3 fields where GenAI is particularly useful.

Marketing and customer experience personalisation

GenAI offers insights into customer behaviours and preferences. By analysing data patterns, it allows businesses to craft tailored messages and visuals, enhancing engagement, and ensuring personalized interactions.

No-code solutions and enhanced customer support

In today’s rapidly changing digital world, the ideas of no-code solutions and improved customer service are increasingly at the forefront. Bouygues Telecom is a good example of a leveraging advanced tools. They are actively analysing voice interactions from recorded conversations between advisors and customers, aiming to improve customer relationships[3]. On a similar note, Tesla employs the AI tool “Air AI” for seamless customer interaction, handling sales calls with potential customers, even going so far as to schedule test drives.

As for coding, an interesting experiment from one of our clients stands out. Involving 50 developers, the test found that 25% of the AI-generated code suggestions were accepted, leading to a significant 10% boost in productivity. It is still early to conclude on the actual efficiency of GenAI for coding, but the first results are promising and should be improved. However, the intricate issue of intellectual property rights concerning this AI-generated code continues to be a topic of discussion.

Documentary watch and research tool

Using AI as a research tool can help save hours in domains where regulatory and documentary corpus are very extensive (e.g.: financial sector). At Wavestone, we internally developed two AI tools. The first, CISO GPT, allows users to ask specific security questions in their native language. Once a question is asked, the tool scans through extensive security documentation, efficiently extracting and presenting relevant information. The second one, a Library and credential GPT, provides specific CVs from Wavestone employees, as well as references from previous engagements for the writing of commercial proposals.

However, while tools like ChatGPT (which draws data from public databases) are undeniably beneficial, the game-changing potential emerges when companies tap into their proprietary data. For this, companies need to implement GenAI capabilities internally or setup systems that ensure the protection of their data (cloud-based solution like Azure OpenAI or proprietary models). From our standpoint, GenAI is worth more than just the buzz around it and is here to stay. There are real business applications and true added value, but also security risks. Your company needs to kick-off the dynamic to be able to implement GenAI projects in a secure way.

Question 2: What is the market reaction to the use of ChatGPT?

To delve deeper into the perspective of those at the forefront of cybersecurity, we’ve asked our client’s CISO’s, their opinions on the implications and opportunities of GenAI. Therefore, the following graph illustrates the opinions of CISOs on this subject.

Based on our survey, the feedback from the CISOs can be grouped into three distinct categories:

The Pragmatists (65%)

Most of our respondents recognize the potential data leakage risks with ChatGPT, but they equate them to risk encountered on forums or during exchanges on platforms or forums such as Stack Overflow (for developers). They believe that the risk of data leaks hasn’t significantly changed with ChatGPT. However, the current buzz justifies dedicated sensibilization campaigns to emphasize the importance of not using company-specific or sensitive data.

The Visionaries (25%)

A quarter of the respondents view ChatGPT as a ground-breaking tool. They’ve noticed its adoption in departments such as communication and legal. They’ve taken proactive steps to understanding its use (which data, which use cases) and have subsequently established a set of guidelines. This is a more collaborative approach to define a use case framework.

The Sceptics (10%)

A segment of the market has reservations about ChatGPT. To them, it’s a tool that’s too easy to misuse, receives excessive media attention and carries inherent risks, according to various business sectors. Depending on your activity, this can be relevant when judging that the risk of data leakage and loss of intellectual property is too high compared to the potential benefits.

Question 3: What are the risks of Generative AI?

In evaluating the diverse perspectives on generative AI within organizations, we’ve classified the concerns into four distinct categories of risks, presented from the least severe to the most critical:

Content alteration and misrepresentation

Organizations using generative AI must safeguard the integrity of their integrated systems. When AI is maliciously tampered with, it can distort genuine content, leading to misinformation. This can produce biased outputs, undermining the reliability and effectiveness of AI-driven solutions. Specifically, for Large Language Models (LLMs) like GenAI, there’s a notable concern of prompt injections. To mitigate this, organizations should:

1. Develop a malicious input classification system that assesses the legitimacy of a user’s input, ensuring that only genuine prompts are processed.
2. Limit the size and change the format of user inputs. By adjusting these parameters, the chances of successful prompt injection are significantly reduced.

Deceptive and manipulative threats

Even if an organization decides to prohibit the use of generative AI, it must remain vigilant about the potential surge in phishing, scams and deepfake attacks. While one might argue that these threats have been around in the cybersecurity realm for some time, the introduction of generative AI intensifies both their frequency and sophistication.

This potential is vividly illustrated through a range of compelling examples. For instance, Deutsche Telekom released an awareness video that demonstrates the ability, by using GenAI, to age a young girl’s image from photos/videos available on social media.

Furthermore, HeyGen is a generative AI software capable of dubbing videos into multiple languages while retaining the original voice. It’s now feasible to hear Donald Trump articulating in French or Charles de Gaulle conversing in Portuguese.

These instances highlight the potential for attackers to use these tools to mimic a CEO’s voice, create convincing phishing emails, or produce realistic video deepfakes, intensifying detection and defence challenges.

For more information on the use of GenAI by cybercriminals, consult the dedicated RiskInsight article.

Data confidentiality and privacy concerns

If organizations choose to allow the use of generative AI, they must consider that the vast data processing capabilities of this technology can pose unintended confidentiality and privacy risks. First, while these models excel in generating content, they might leak sensitive training data or replicate copyrighted content.

Furthermore, concerning data privacy rights, if we examine ChatGPT’s privacy policy, the chatbot can gather information such as account details, identification data extracted from your device or browser, and information entered in the chatbot (that can be used to train the generative AI)[4]. According to article 3 (a) of OpenAI’s general terms and conditions, input and output belong to the user. However, since these data are stored and recorded by Open AI, it poses risks related to intellectual property and potential data breaches (as previously noted in the Samsung case). Such risks can have significant reputational and commercial impact on your organization.

Precisely for these reasons, OpenAI developed the ChatGPT Business subscription, which provides enhanced control over organizational data (such as AES-256 encryption for data at rest, TLS 1.2+ for data in transit, SSO SAML authentication, and a dedicated administration console)[5]. But in reality, it’s all about the trust you have in your provider and the respect of contractual commitments. Additionally, there’s the option to develop or train internal AI models using one’s own data for a more tailored solution.

Model vulnerabilities and attacks

As more organizations use machine learning models, it’s crucial to understand that these models aren’t fool proof. They can face threats that affect their reliability, accuracy or confidentiality, as it will be explained in the following section.

Question 4: How can an AI model be attacked?

AI introduces added complexities atop existing network and infrastructure vulnerabilities. It’s crucial to note that these complexities are not specific to generative AI, but they are present in various AI models. Understanding these attack models is essential to reinforcing defences and ensuring the secure deployment of AI. There are three main attack models (non-exhaustive list):

For detailed insights on vulnerabilities in Large Language Models and generative AI, refer to the “OWASP Top 10 for LLM” by the Open Web Application Security Project (OWASP).

Evasion attacks

These attacks target AI by manipulating the inputs of machine learning algorithms to introduce minor disturbances that result in significant alterations to the outputs. Such manipulations can cause the AI model to classify inaccurately or overlook certain inputs. A classic example would be altering signs to deceive AI self-driving cars (have identify a “stop” sign into a “priority” sign). However, evasion attacks can also apply to facial recognition. One might use subtle makeup patterns, strategically placed stickers, special glasses, or specific lighting conditions to confuse the system, leading to misidentification.

Moreover, evasion attacks extend beyond visual manipulation. In voice command systems, attackers can embed malicious commands within regular audio content in such a way that they’re imperceptible to humans but recognizable by voice assistants. For instance, researchers have demonstrated adversarial audio techniques targeting speech recognition systems, like those in voice-activated smart speaker systems such as Amazon’s Alexa. In one scenario, a seemingly ordinary song or commercial could contain a concealed command instructing the voice assistant to make an unauthorized purchase or divulge personal information, all without the user’s awareness[6].

Poisoning

Poisoning is a type of attack in which the attacker altered data or model to modify the ML algorithm’s behaviour in a chosen direction (e.g to sabotage its results, to insert a backdoor). It is as if the attacker conditioned the algorithm according to its motivations. Such attacks are also called causative attacks.

In line with this definition, attackers use causative attacks to guide a machine learning algorithm towards their intended outcome. They introduced malicious samples into the training dataset, leading the algorithm to behave in unpredictable ways. A notorious example is Microsoft’s chatbot, TAY, that was unveiled on Twitter in 2016. Designed to emulate and converse with American teenagers, it soon began acting like a far-right activist[7]. This highlights the fact that, in their early learning stages, AI systems are susceptible to the data they encounter. 4Chan users intentionally poisoned TAY’s data with their controversial humour and conversations.

However, data poisoning can also be unintentional, stemming from biases inherent in the data sources or the unconscious prejudices of those curating the datasets. This became evident when early facial recognition technology had difficulties identifying darker skin tones. This underscores the need for diverse and unbiased training data to guard against both deliberate and inadvertent data distortions.

Finally, the proliferation of open-source AI algorithms online, such as those on platforms like Hugging Face, presents another risk. Malicious actors could modify and poison these algorithms to favour specific biases, leading unsuspecting developers to inadvertently integrate tainted algorithms into their projects, further perpetuating biases or malicious intents.

Oracle attacks

This type of attack involves probing a model with a sequence of meticulously designed inputs while analysing the outputs. Through the application of diverse optimization strategies and repeated querying, attackers can deduce confidential information, thereby jeopardizing both user privacy, overall system security, or internal operating rules.

A pertinent example is the case of Microsoft’s AI-powered Bing chatbot. Shortly after its unveiling, a Stanford student, Kevin Liu, exploited the chatbot using a prompt injection attack, leading it to reveal its internal guidelines and code name “Sidney”, even though one of the fundamental internal operating rules of the system was to never reveal such information[8].

A previous RiskInsight article showed an example of Evasion and Oracle attacks and explained other attack models that are not specific to AI, but that are nonetheless an important risk for these technologies.

Question 5: What is the status of regulations? How is generative AI regulated?

Since our 2022 article, there has been significant development in AI regulations across the globe.

EU

The EU’s digital strategy aims to regulate AI, ensuring its innovative development and use, as well as the safety and fundamental rights of individuals and businesses regarding AI. On June 14, 2023, the European Parliament adopted and amended the proposal for a regulation on Artificial Intelligence, categorizing AI risks into four distinct levels: unacceptable, high, limited, and minimal[9].

US

The White House Office of Science and Technology Policy, guided by diverse stakeholder insights, presented the “Blueprint for an AI Bill of Rights”[10]. Although non-binding, it underscores a commitment to civil rights and democratic values in AI’s governance and deployment.

China

China’s Cyberspace Administration, considering rising AI concerns, proposed the Administrative Measures for Generative Artificial Intelligence Services. Aimed at securing national interests and upholding user rights, these measures offer a holistic approach to AI governance. Additionally, the measures seek to mitigate potential risks associated with Generative AI services, such as the spread of misinformation, privacy violations, intellectual property infringement, and discrimination. However, its territorial reach might pose challenges for foreign AI service providers in China[11].

UK

The United Kingdom is charting a distinct path, emphasizing a pro-innovation approach in its National AI Strategy. The Department for Science, Innovation & Technology released a white paper titled “AI Regulation: A Pro-Innovation Approach”, with a focus on fostering growth through minimal regulations and increased AI investments. The UK framework doesn’t prescribe rules or risk levels to specific sectors or technologies. Instead, it focuses on regulating the outcomes AI produces in specific applications. This approach is guided by five core principles: safety & security, transparency, fairness, accountability & governance, and contestability & redress[12].

Frameworks

Besides formal regulations, there are several guidance documents, such as NIST’s AI Risk Management Framework and ISO/IEC 23894, that provide recommendations to manage AI-associated risks. They focus on criteria aimed at trusting the algorithms in fine, and this is not just about cybersecurity! It’s about trust.

With such a broad regulatory landscape, organizations might feel overwhelmed. To assist, we suggest focusing on key considerations when integrating AI into operations, in order to setup the roadmap towards being compliant.

• Identify all existing AI systems within the organization and establish a procedure/protocol to identify new AI endeavours.
• Evaluate AI systems using criteria derived from reference frameworks, such as NIST.
• Categorize AI systems according to the AI Act’s classification (unacceptable, high, low or minimal).
• Determine the tailored risk management approach for each category.

Bonus Question: This being said, what can I do right now?

As the digital landscape evolves, Wavestone emphasizes a comprehensive approach to generative AI integration. We advocate that every AI deployment undergo a rigorous sensitivity analysis, ranging from outright prohibition to guided implementation and stringent compliance. For systems classified as high risk, it’s paramount to apply a detailed risk analysis anchored in the standards set by ENISA and NIST. While AI introduces a sophisticated layer, foundational IT hygiene should never be side lined. We recommend the following approach:

• Pilot & Validate: Begin by gauging the transformative potential of generative AI within your organizational context. Moreover, it’s essential to understand the tools at your disposal, navigate the array of available choices, and make informed decisions based on specific needs and use cases.
• Strategic Insight: Based on our client CISO survey, ascertain your ideal AI adoption intensity. Do you resonate with the 10%, 65% or 25% adoption benchmarks shared by your industry peers?
• Risk Mitigation: Ground your strategy in a comprehensive risk assessment, proportional to your intended adoption intensity.
• Policy Formulation: Use your risk-benefit analysis as a foundation to craft AI policies that are both robust and agile.
• Continuous Learning & Regulatory Vigilance: Maintain an unwavering commitment to staying updated with the evolving regulatory landscape. Both locally and globally, it’s crucial to stay informed about the latest tools, attack methods, and defensive strategies.

[1]  Des données sensibles de Samsung divulgués sur ChatGPT par des employés (rfi.fr)

[2] https://www.phonandroid.com/chatgpt-100-000-comptes-pirates-se-retrouvent-en-vente-sur-le-dark-web.html

[3] Bouygues Telecom mise sur l’IA générative pour transformer sa relation client (cio-online.com)

[4] Quelles données Chat GPT collecte à votre sujet et pourquoi est-ce important pour votre vie privée en ligne ? (bitdefender.fr)

[5] OpenAI lance un ChatGPT plus sécurisé pour les entreprises – Le Monde Informatique

[6] Selective Audio Adversarial Example in Evasion Attack on Speech Recognition System | IEEE Journals & Magazine | IEEE Xplore

[7] Not just Tay: A recent history of the Internet’s racist bots – The Washington Post

[8] Microsoft : comment un étudiant a obligé l’IA de Bing à révéler ses secrets (phonandroid.com)

[9] Artificial intelligence act (europa.eu)

[10] https://www.whitehouse.gov/wp-content/uploads/2022/10/Blueprint-for-an-AI-Bill-of-Rights.pdf

[11] https://www.china-briefing.com/news/china-to-regulate-deep-synthesis-deep-fake-technology-starting-january-2023/

[12] A pro-innovation approach to AI regulation – GOV.UK (www.gov.uk)

Cet article AI: Discover the 5 most frequent questions asked by our clients! est apparu en premier sur RiskInsight.

Given that human-risk remains significant, with human error accounting for 82% of data breaches according to the 2022 Verizon Data Breach Investigations Report, no wonder CISOs across European organizations are aiming for the most innovative and ground-breaking activities during this crucial time of the year.

Once key risks have been identified, it’s go-time: spread priority secure behaviors throughout your organization using the ultimate medium: gamification.

Fail to play, fail the Cyber Month game

From football matches to Monopoly fights, there is a game for everyone, and whichever your preference goes to, the chosen one will always elicit enthusiasm.

It is then only logical that when meeting an opportunity to learn secure behaviors, employees will favor a game rather than an e-learning that they will have to – let’s face it – painfully sit through.

Gamification is a winner, and although there are many reasons behind this fact, we have selected seven striking pieces of rationale that will shed a light on the benefits that gamification presents in a learning environment.

Gamification increases engagement dramatically

To feel involved in an activity, and therefore reach the holy grail component of attention, interactivity is key.

Games require action from the participant, which transforms the latter into a moving cog of their own learning process.

Additionally, the element of competition, whether between teams or against a fictitious villain, present in games serves as a powerful motivator, further promoting engagement.

Practice beats theory in a learning context

Practice accounts for 70% of the learning process. Why so? Because practice allows to make the materials tangible and embed them into real-life situations, that employees can directly link to their everyday practices.

Feedback and rewards stimulate positive behaviors

Games imply prizes and rewards to be earned. Not only does it contribute to foster motivation, but it also allows employees to access direct positive feedback about their actions and decisions, which comes with a sense of accomplishment and progress, further embedding the targeted secure behavior.

Games revamp the image of your cyber team

Cyberawareness games have the power to shift the perception that staff hold of your cyber team. Indeed, cybersecurity may seem like an obscure and complex area for many employees.

Offering games helps to make security concepts more tangible, accessible, and applicable into everyday life.

Further, if they are held in-person, they allow your cyber team to gain visibility with end-users and bring a sense of recognition and trust, which in turn will boost the impact of future awareness actions.

Learning together increases team cohesion

As if learning more effectively wasn’t enough, gamification also offers the valuable benefit of boosting team spirit.

Many awareness games provide the opportunity to work collaboratively to attain success. This way, employees leave with fond memories and appreciation on top of precious security tips.

Games allow repetition of security messages in novel and fun ways

When aiming to embed secure behaviors across an organization, repetition is crucial to ensure integration and implementation.

However, repeating awareness communications through the same channels may decrease the attention that employees pay to them.

Games constitute an innovative and enjoyable experience to reinforce security messages, making them stick over time.

Bonus: You collect valuable feedback and inputs from end-users

By interacting with staff through awareness games, your cyber team gets the unique opportunity to collect information on the most urgent security questions that employees ask themselves and uncover which are their biggest challenges in terms of security in their daily activities. This feedback is then useful to prioritise future awareness messages and review or implement processes to facilitate employees’ work life. For example, if staff repeatedly bring up the fact that they may see suspicious-looking emails but don’t know how to report them, this may lead to a special awareness campaign meant to remind employees of the way to report phishing emails, and the implementation of a phishing report button to facilitate the reporting process.

Leveraging gamification: The musts for organizing successful awareness games

Prior to establishing the success factors of an awareness game, let’s pinpoint what makes a fruitful one.

In order to prove truly effective, an awareness game should see its participants leave the activity with a clear idea of the security behaviors that they will change in their own office life.

To achieve this goal, we have identified a set of five key criteria:

A solid game will cover a priority awareness topic, based on the risks identified for the organization and ranked accordingly.

Then, the right level of complexity must be found, based on the level of knowledge of your staff.

Staff who already have a high level of maturity in terms of security behaviors will – at best – not learn anything new during an easy game, and – at worst – be bored or resentful towards the security awareness team for taking away some of their working time to cover elements they already know.

The reverse scenario would also be problematic: confronting beginner staff with a difficult game would only leave them confused.

Having an understanding of the level of security maturity of your target audience is therefore key to adapt the game for optimal results.

Thirdly, the game must have at its center a compelling story. The scenario must be intriguing and should unfold seamlessly. Additionally, it should be adapted to the context of the organization so participants relate to the events happening in the game.

To truly catch, and most importantly, retain employees’ attention, the game will have a strong focus on interactivity. Interactions can happen between the game master(s) and the players, but also between players themselves when collaborating in the context of the activity.

To further exploit this concept, the game may stimulate the 5 senses to render it even more engaging and immersive.

The final key element to an effective game resides in providing a good incentive. Again, there are multiple ways to achieve this: you can for example establish a scoring system to foster playful competition between teams, and implement rewards. Rewards may come in the form of goodies, prizes such as individual or team experiences, or even donations to the charitable organization of the participants’ choice. A solid incentive will boost voluntary participation to the activity, and a decision to participate that comes from the genuine willingness of staff will also be synonymous with higher motivation and involvement in the game for better retention of the shared secure behaviors.

Which awareness game is made for you?

To make your Cyber Month gamification dreams come true, let’s jump from theory to practice!

Take the quiz below to find out which cyberawareness game is tailored to your needs and objectives for maximal impact.

Loading…

Cet article How to activate gamification for an impactful Cyber Month est apparu en premier sur RiskInsight.

The ever-increasing threat of cyber-attacks on organisations around the world and their potentially devastating financial, reputational, or operational impact on the business means it has never been more important to position Cyber Security as a major issue in front of the C-Suite. The C-Suite holds ultimate accountability for an organisation’s approach to risk in both setting the appetite for Cyber risk for the business and ensuring sufficient budget & resource is assigned to manage Cyber risk to within the appetite. If they are not appropriately informed of the risks associated with Information Security (IS), the organisation may not put in place the correct and appropriate mitigations to protect the organization from their top threats and risks.

Failure to effectively protect against these cyber threats can have both organisational and personal consequences for executives. For example, The Senior Managers and Certification Regime (SMR) is an FCA enforced regulation that assigns responsibility for Information Security to executive level employees, making them liable for correct implementation of cyber protections for IS.

This article will provide you with a 4-stage approach on how to better engage the C-Suite in your organisation on Information Security, to build a fruitful partnership between these executives who direct budget & resource towards Information Security and the Cyber teams who are responsible for the oversight & implementation of security.

Stage 1: Introducing the Execs to Cyber Security

In this first session with the C-Suite, it is imperative that you initiate the conversation by focusing on an introduction to Cyber Security that provides an overarching view of the organisation’s Cyber Security capabilities and operating model, that will encourage future more in-depth discussion.

Outline the responsibilities the organisation and executives have towards Information Security and how these align with the strategic priorities of the organisation & Cyber team. This should include a presentation of the top threats to the organization (both internal & external), the risks that they expose the organisation to and the existing roadmap to mitigating these risks. This will provide a high-level overview of the organisation’s Cyber capability and will set the tone ready for future conversations with the C-Suite.

Provide an overview showing the blueprint for Information Security and how security integrates and adds value to the rest of the business. It is important to include metrics that can be used to compare the organisation’s approach to Cyber Security against peers within the market. A difference in budget or team size compared to a competitor can provide guidance on whether the organisation is assigning adequate resources and budget to the issue. 

Stage 2: 360 Audit

After successfully introducing the C-Suite to Information Security, it is now essential that you lock in that second session where you can provide a more granular breakdown of the organisation’s Cyber Security capability with a clear focus on where resources need to be focussed.

Industry standard frameworks, such as ISO and NIST, should be deployed to measure an organisation’s Cyber Security maturity and provide analysis on potential improvements that can be presented to the C-Suite executives. These frameworks offer controls against which the organisation can be benchmarked, to identify areas that require maturing to mitigate risk from the organisation’s top threats. While these frameworks in their original state offer a good measurement of maturity, it is important to refine the controls so that the framework is tailored towards the organisation, taking into consideration the industry sector and regulatory environment. Wavestone recommends taking the NIST framework as a basis and fitting it to the specific stakes of the organisation to overcome any framework limitation and focus it on the businesses’ needs.

Wavestone have built our own framework, called the Cyber Benchmark, that leverages the best of industry frameworks to provide a comprehensive approach to maturity assessment with organisational & technological perspectives included. We recommend organisations follow a similar approach to accelerate their framework improvements to increasing their Cyber maturity.

Capturing the attention of senior executives to invest time & resources into developing a framework to improve Cyber maturity can be difficult. A good methodology is to provide real life evidence of their security vulnerabilities, for example by presenting evidence of how an internal ‘Red Team’ gained access to the mailboxes of the senior executives present, with an explanation of how few days it took. 

Stage 3: Programme and Framework

Once this more granular breakdown has been presented, a key priority must be to ensure the C-Suite has bought into the Cyber Security strategy & roadmap; developed using the maturity improvement opportunities identified through the framework assessment. Buy in from the C-Suite on the roadmap will guarantee the required funding & resources required to implement these enhancements.

Using the customised framework, develop a roadmap that focuses on maturing controls that will most effectively reduce the risk from the organisation’s top threats. This roadmap will become the building blocks for the security programme. The security programme should be defined so that it provides clear targets to be met to ensure compliance with the customised framework controls, beginning with a remediation approach that will guarantee a standard Cyber maturity across the organisation, and followed by steps to achieve the Cyber maturity goals. Ensuring a standard maturity across the organisation will alleviate the risk from current threats, while building on this to achieve maturity targets will reduce the potential risk from over-the-horizon threats.

Programme support can be leveraged from a specialised Project Management Office (PMO) that will supervise the execution of the programme. It is important that this PMO curates a good relationship between IT who will implement the roadmap to maturity and the business, so that the benefits are understood and extracted across the organisation.

Stage 4: Risk Quantification and Business Accelerators

The final stage of engaging with the C-Suite requires you to demonstrate the return on investment (ROI) that Cyber Security can deliver, both through risk reduction from top threats and as a business enabler that encourages expansion into new territories and engaging new client relationships.

Implementing the appropriate customised framework to the organisation and following the established roadmap to Cyber Security maturity will require an increased budget allocation. However, it is important to emphasise to the board that the return on this investment will far exceed the initial cost due to a dramatic decrease in the scale and severity of risk that the organisation is exposed to. Use calculations to demonstrate this Return on Investment (ROI) quantitively and link this to the efforts and changes delivered by the security programme. It should also be explained that this initial outlay required to deliver the security programme is far less than the potential financial, reputational, and personal (e.g., SMR) repercussions that would result from a failure to adequately protect information systems during a cyber-attack.

As well as preventing the serious repercussions of failing to protect information systems in an attack, Cyber Security can also become an important business enabler. Effective Cyber Security will ensure that your customers are retained in the event of a properly managed security breach, as well as confirming your organisation as a secure manager of customer data & details, increasing your attractiveness to new customers. A secure organisation can move swiftly into new business environments & seize opportunities with confidence that their Cyber Security maturity will be able to resist potential additional threats that may arise from this expansion; opening the door for the organisation to safely engage a wider client base.

Conclusion

Following the 4-stages outlined in this article will allow you to foster a strong relationship with the C-Suite on Information Security, ensuring they are aware of their responsibilities for Cyber Security under the SMR and that they assign budget & resources appropriately to deal with the top threats facing the organisation. The customised framework will allow these executives to understand the current Cyber Security posture of the organisation and buy in to the roadmap for future maturity. Once this vision of mature Cyber Security has been delivered, the business incentives can be leveraged to ensure the C-Suite continues to invest in developing Information Security within your organisation.

Cet article Engaging the C-Suite on Information Security est apparu en premier sur RiskInsight.

Even if the depth and complexity of these exercises vary, the capabilities tested are often the same. They almost always entail knowing how to take on roles, assimilate a strong flow of information (stimuli), and understand a high-stakes, high-intensity situation. These exercises train coordination and impact assessment, but they cannot be considered an end in themselves. Resolving a crisis is not limited to the famous: “isolate, cut, communicate, we’re out of the woods”. We are calling for a paradigm shift in the preparation of cyber crisis management. 

Shift the focus from information management to feasibility 

Most crisis exercises used today test the players’ ability to manage and synthesize the flow of information. However, this is not where the quality of crisis management is concentrated. Some might even say that a decision-making unit should not be in a situation where it is erratically and incessantly solicited by its stakeholders. A decision-making unit must be put in a position to decide. To do so, it must respect a healthy work rhythm in cooperation with other more operational bodies. 

These exercises too often lead players, who are sucked into the time-consuming management of information, to take misleading operational sides. They make assumptions about what they can do and when – the famous “isolate, cut, communicate, we’re out of the woods.” These exercises give decision-making teams the impression that they are ready to cope when in fact they have limited their preparation to the ability to understand and coordinate events. This is a necessary step, but not sufficient.  

The key word for a 2023 preparedness strategy? Feasibility. Notably, though, the feasibility of all the steps of crisis management is based on a wider spectrum than just information management. This feasibility must be measurable, specific, and enabled by documentation, equipment, simulation, and sequencing of these capabilities. 

Preparing across the spectrum: from threat detection to reconstruction 

Training to manage a crisis involves above all taking into account the complete chronology of crisis management. We can summarize this chronology in eight major steps: 

1. Detect relevant threats and have the capacity to investigate them  
2. Mobilize experts and decision-makers to react 
3. Survive during the first peak by guaranteeing business continuity capabilities  
4. Evaluate the impact, its ramifications, and its foreseeable evolutions  
5. Contain the threat and understand the impact of isolation  
6. Coordinate your strengths and those of your ecosystem  
7. Communicate with internal and external stakeholders  
8. Restore and rebuild what can be restored and built when it can be restored and built 

Also, prepare the tools: I design, I use 

A relevant preparedness strategy must encompass each of these eight steps with the keyword of feasibility. It requires answering the question: will we really be able to carry out these actions when we need to? 

The answer to this capability question is based on three aspects:  

1. Ensuring the formalization of brief, up-to-date and known processes (e.g.: have a flow matrix indicating how to isolate, the timeframe, and the operational consequences)  
2. Equipping, training, and empowering the teams in charge of these actions (e.g.: having a discussion on “license to kill” and technically enabling a “red button” on relevant perimeters)  
3. Training the teams concerned specifically through role-playing exercises and specific simulations of the deployment of these capabilities (e.g.: test the decision-making process leading to the use of this “red button”, then technically test the proper functioning of the red button)

Thus, while some may limit themselves exclusively to the latter (simulation), it is essential to design one’s preparation with more hindsight and to begin with a real effort to build capacity. The exercise should be a milestone for verifying, adjusting, and promoting capabilities. In the worst case, it can be a deadline for preparing the capability or even serve as an opportunity to build said capability during the session (e.g.: reconstruction chronology, identification of technical interdependencies, etc.). 

Overcome opportunistic logic and practice the capabilities’ sequencing 

Currently, the main drivers of complexity are the increase in duration, intensity and the number of actors involved. Here again, we call for a paradigm shift. 

First, we call for a culture of preparation based on the eight pillars detailed above. This entails the need to provide tools and formalize the capabilities to do and train these capabilities throughout the year – without necessarily making them an event in a big exercise (e.g.: ComEx workshop on the first 10 actions to launch in case of a cyber crash, testing the isolation of backups or the restoration of workstations).  

In addition, employing vertical training logic (e.g., enable then simulate), it is important to train the ability to sequence the different capabilities quickly and efficiently. Thus, it is advisable to propose larger exercises, common to the business, forensic and decision-making teams, to orchestrate their different simulations in a single exercise. In training, for example, the detection capacity should be tested with a Purple Team, and then the mobilization capacity of the crisis system with a surprise mobilization using the alternative tools provided. A second example: work on the coordination capacity of the numerous crisis cells over a long period of time and then producing a communication message for all its stakeholders (internal and external). 

A long-term commitment 

To be relevant, this approach must be supported by strategic, global, multi-year thinking. Since it is more ambitious and involves more stakeholders (SOC, RPCA, Resilience, Infra, CISO, ComEx, Third Parties, …), it can gain legitimacy through a prior empirical evaluation of the means: 

1. Assess the current state of your readiness by taking a feasibility-centric approach to the eight pillars.  
2. Establish a maturity target and a roadmap that you will be able to report on empirically over time. 
3. Finally, share with your management teams a more robust view of your crisis management maturity.  

This type of approach, more empirical and personalized, will not only allow you to identify capacity gaps but also to truly train for the actions that will be essential at the worst moment. 

Cet article Enabling a paradigm shift in cyber crisis management preparedness est apparu en premier sur RiskInsight.

In a never-ending quest to find innovative ways to raise awareness on cybersecurity topics, the Wavestone team might have very well unearthed the new golden nugget.

Tested and approved by hundreds of our clients’ employees, read on to find out the secret recipe that makes cybersecurity best practices so easy to digest. 

Employees are assembled into teams of four or five participants. 

The mission starts with a 10-minute briefing where they receive a lightning-fast training to become agents, and step into the shoes of hackers to perform their mission – should they accept it. 

They are then given 15 minutes to uncover as many confidential documents as they will find in their fictional target’s office. The game elaborately weaves in clues of varying difficulty level related to key security topics, including passwords, physical security, and social engineering to name a few. 

Finally, participants come out of their adventure eyes bright and laughing, enthusiastic to move on to a 15-minute debriefing, where best cybersecurity practices are explained. 

In the end, the activity mobilizes employees for a mere 40 minutes, which pass by in a flash, and leaves them motivated to implement concrete actions to protect their organization.

Gamification never disappoints  

Quite a few years might have passed since you and the members of your organization ran around your school’s playground, but one thing remains the same: games are still a unanimously popular way to learn. 

Through gamification, people become actors, instead of spectators, of the learning process and embody the principles that you aim to instill in them. Keeping in mind that practice makes up 70% of the learning process, that is an opportunity that is hard to pass by.

When adopting an active posture, participants get immersed in the activity, and they do not even realize that they are acquiring precious skills that will serve them and their organization’s security well for years to come. 

Spice it up with competition 

What do football, chess, and Monopoly have in common? Besides the fact that they are all games, they also include an element of competition. 

In the context of a challenge, competition acts as a strong motivator and a driver to perform. Add a fun and safe environment to the mix, and you have yourself a perfect combination to tremendously boost engagement. 

Our cyber escape game includes a smart scoring system, so teams feel driven to reach the highest score, and you can gather information on overall performance. That’s what we call a win-win. 

The more the merrier 

When faced with a puzzle to solve, who would be against a little bit of help? 

Indeed, completing an exercise on one’s own can be daunting, if not just plain lonely.  

As part of a cyber escape game, people are encouraged to collaborate to solve clues. Teamwork then makes the challenge even more fun as creative ideas to break codes burst and are implemented, rendering their success all the more rewarding. 

Bring the human touch to learning experiences 

To complement online training initiatives, providing staff with a way to engage in-person with cybersecurity experts allows to go the extra mile in accompanying them on their learning journey. 

Indeed, this format promotes live discussions and gives people the opportunity to receive personalized answers to their specific questions related to security.

The result? Employees coming out of the activity with advice that precisely solves their pain points. 

Not only is the format of the cyber escape game particularly appreciated by employees, it also presents multiple advantages for your organization in terms of implementation. 

Take it from the Wavestone team !

Over the course of the month of October 2022, Wavestone Belgium carried out +100 cyber escape games sessions with +400 players across 6 countries.  

As training sessions last 40 minutes each, up to 45 collaborators can be trained in one day, maximizing time-efficiency. 

Further, customization is at the core of our approach, with a debriefing that exposes concrete ways to apply the best security practices that are most crucial to your organization.

Although we could keep on enumerating the benefits that a cyber escape game can bring to an entity’s security, a game is still worth a thousand words.

Curious to understand how the cyber escape game leaves employees asking for another serving of awareness activities? Get in touch with our expert Thomas Vo Dinh to organize a free session.

See you on the other side, agent

Cet article Cracking the recipe: making employees hungry for more cyber awareness activities est apparu en premier sur RiskInsight.

To accomplish this, you must understand your starting point and your market position. Wavestone’s cybersecurity maturity assessment framework, which currently has the support of over 100 international organisations, was developed with this conviction.

Discover how the CyberBenchmark works with Anthony GUIEU, the Cybersecurity Manager at Wavestone.

Hello Anthony. As a start, can you present CyberBenchmark in one sentence?

The CyberBenchmark is a comprehensive tool that allows companies to assess their level of cybersecurity, position themselves in relation to the market, and establish a roadmap- thanks to a questionnaire and a database of nearly 100 customers worldwide.

Why did you create the CyberBenchmark when there are already many frameworks in the market?

We created the CyberBenchmark because many of our clients were concerned about where they stood in relation to the market. Historically, our clients were looking for absolute ratings against known frameworks such as NIST or ISO. But now, they are very much interested in knowing their relative position within their ecosystem. Our CyberBenchmark allows them to deal with both of these approaches simultaneously.

CyberBenchmark also enables to come up with slightly different angles of attack: there are issues that our clients are not mature as per the market and prioritising these actions can make them progress. On the other hand, there are areas where they are not good and the market is also not mature, here the subject’s urgency must be put in context. Companies such as Gartner and Forrester provide general trends on major cyber issues, to which we add a concrete perspective based on our field observations with clients.

As soon as we built the CyberBenchmark, we realized that numerous competitors offer their own augmented versions of cyber security questionnaires. Our real added value is the market comparison: to date, nearly 100 clients have trusted us and been evaluated using this reference framework!

How does the CyberBenchmark work?

To have a coherent framework, we based ourselves on the existing frameworks, i.e., the security standards as per the market: ISO 27001/2, NIST, etc. This was necessary because our clients used these standards for assessing themselves. We added a questionnaire with our own feedback from the field to refine the maturity levels by theme. 

One of the added values of the CyberBenchmark is the granularity of the evaluation. It allows precise perimeter measurement in relation to their level of maturity. In concrete terms, it is possible to distribute the level of maturity for a given question with different levels: for example, 30% level 2, 60% level 3 and 10% level 4, which may be due to heterogeneous perimeters, initiatives in progress, etc. This enables us to quantify the value of projects that take a longer time to complete and are complex to implement over several perimeters: particularly in large groups by materialising their progress.

Subsequently, each evaluation gives rise to a report in two parts-

• One part is for top management with budgetary ratios, human resources, and the level of maturity in relation to international standards.
• Second part is for the operational security staff, who identifies good and bad practices as well as the actions to be launched as a priority. The objective is to develop recommendations and concrete measures to elevate the level of the organisation.

When should the CyberBenchmark be used?

• In my opinion, this tool will be ideal for an organisation that wishes to rapidly identify its cybersecurity priorities
• The first results are quick: within a month itself, we were able to produce a deliverable for the Executive Committee that included specific action proposals
• It is one of the few tools in the market that offers a comparison with competitors
• Unlike the traditional frameworks, our questionnaire addresses both governance and operational concerns

The CyberBenchmark is also adaptable to all requirements and budgets

• The “quick” approach requires only a few interviews. It is based on a declarative evaluation to quickly determine the company’s level of maturity and the projects to be launched
• The “complete” approach is based on an in-depth audit, dozens of interviews, a review of the evidence, and even additional technical tests (intrusion tests, Red Team, etc.)

Can you provide an example of a specific application of the CyberBenchmark?

To illustrate the “rapid” approach, we recently used it to support a large industrial group in initiating a security process and challenging its executive committee. After 2 months of work and 5 workshops, we were able to provide a clear vision of the structure’s cybersecurity level and project a target level for 3 years, which got accepted by the Executive Committee.

In terms of a comprehensive approach, over the last few months, we have been working with a British bank for assessing its general cybersecurity posture and level of compliance with the reference frameworks. We mobilised a team of 10 consultants in 3 different countries for conducting more than 50 workshops and collecting evidence. With this we were able to provide concrete and reliable feedback on the level of security as well as for identifying market-related investment priorities. Likewise, these elements are utilised in exchanges with their main regulators.

A final word?

Wavestone’s CyberBenchmark provides a broad view of the market’s level of maturity while delving deep into its specific technical subjects. This is what makes it a differentiating asset for our clients, as they could position themselves against competitors within their sector on each of their topics. The priorities in terms of cybersecurity would then emerge clearly for the client, allowing them for an effective cyber budget. It is a real cyber strategy accelerator, that has been tried and tested by numerous clients!

We can easily generate statistics and trends using CyberBenchmark’s exclusive data: how many companies have deployed a security tool (EDR, bastion, probes, etc.), where they stand in terms of deployment, who is leading the market, and so on. According to the latest study on the maturity of French companies, the general level of maturity on our benchmark based on international standards (NIST CSF Framework and ISO 27001/2) is… 46%. Each year, we formalise our market knowledge and forecast strong sector and technical subject trends.

Finally, as you would have understood, the CyberBenchmark evolves and develops as it is used by new companies. We now have a database of over 100 companies, which will enable us to open a new category in January: “Luxury goods & Retail”, with more than ten companies with which we can refine the sector-specific analysis.

If you are interested in positioning your organisation within the market, please do not hesitate to contact me or one of our experts. We will be able to guide you through this process.

Cet article One month to assess your cybersecurity posture! est apparu en premier sur RiskInsight.

Furthermore, it would be riskier to entrust on one’s dashboards without having the reassurance offered by the indicators’ relevance and reliability. This can lead to serious loss, or even to some major incidents. The crash of the Eastern Airlines 401 in 1972 is a striking example: a simple burnt-out light bulb, that was used to indicate the correct deployment of the landing gear, mobilized the entire crew, who were unable to notice in time the alarm that indicated the plane’s drastic decrease in altitude. The plane crashed a few minutes later.

How to reconsider your indicator’s base to make your dashboards more efficient and reliable?

What are dashboards, KRI, KCI?

The dashboard is a synthetic presentation tool. Highlights the key trends used to facilitate decision making. It is a federating tool used to improve governance efficiency and is designed for everyone (not only for the CISO). Therefore, we refer to dashboards in plural. Each instance is defined by a unique perimeter, where there are specified: the recipients and their stakes, the review frequency, the associated governance, the indicators, the calculating methods used and the source, etc.

Constructing a well-defined dashboard will correctly address the business stakes of the dashboards’ users. A three-level segmentation summarizes all the requirements in an organization:

Figure 1: Typologies of cyber dashboards: uses and objectives

An indicator is a measurement that is collected, contextualized, and used to facilitate decision-making. It is implemented to answer a well-identified need by one or more departments. Depending on the purpose of the measurement, three types of indicators can be defined:

1. KPI (Key Performance Indicator): measures the performance of a department, a team, or a strategic plan. They are linked to strategic objectives to measure the effectiveness (e.g., retention of cyber talent over the year).
2. KRI (Key Risk Indicator): assesses an identified risk, quantifying its likelihood and/or impact at a given time. They are essential for accepting or rejecting a risk, and for controlling it over time (e.g., number of compromised business identifiers – account takeover).
3. KCI (Key Compliance Indicator): measures a compliance rate in relation to a standard (PSSI, NIST, etc.). It evaluates an organization’s maturity regarding to the given standard at a specific time (e.g., % of policies updated within the last year).

How to make a dashboard efficient?

An efficient dashboard will convey self-supporting messages to the recipients. To build it, one must meticulously construct reliable and high-performance indicators, as well as minimising their number. These are defined by making a compromise between:

• their relevance (processing purpose, i.e., the ability to trigger a discussion);
• their computational cost (collection time, interpretation time);
• their maintainability over time (sustainability of data sources).

Let us take an example to evaluate the effectiveness of the “security-by-design” measures, where, in this case, a relevant indicator could be: “rate of validation of the security report at the first iteration by project scope and criticality”. First, it is operationally viable (approval process provides simple data for interpretation (binary values)). It is relevant (responding to a clearly identified issue), can be easily calculated if the processes are well set up (characteristic depending on the quality of the feedback information) and it is sustainable (the approval process guarantees reliable data over time).

A deficient indicator base can neglect one of the three criteria. This can be seen in the following field: one can often observe clusters of indicators, that are inherited by tradition without any real purpose or without responding to an outdated need; or indicators that require time-consuming gathering that creates frustration among teams. These discrepancies can be explained by a lack of long-term strategy and a lack of importance given to these indicators.

To rectify this, the existing system must be cleaned up and supplemented with performant indicators on a regular basis (methodology detailed in section 3.1) where the management of indicators itself is just as important as the other issues. Therefore, it must be monitored by a dedicated sponsor within the CISO’s governance team and by dedicated monitoring indicators (% of indicators defined with an approved calculation method, % of indicators that are fully automated, etc.). This central governance helps in finding compromises and minimising the number of indicators: about ten per perimeter/program is an order of magnitude that works well.

Increase team engagement to get more useable data?

It is not new: getting people to accept change and integrate new tools is always a tricky subject, especially for CISOs. The complexity of the environment, lack of dialogue between cyber teams and business lines, unsuitable tools, useless or unanalysed collected data, etc., represents numerous reasons that can explain a team’s lack of commitment. To address this, there are two principal areas to focus on:

1. Engage your employees in the indicator’s life cycle;
2. Facilitating the report of indicators with automation to minimize the workload.

Engage employees throughout the indicator’s life cycle

Team’s organizational complexity and local engagement are the first challenges that need to be addressed before deploying a dashboard: information gathering requires a dialogue between lines of business that are not used to work together (such as finance, IT risk management, strategy, program management, etc.). Involving your operational teams on a long-term basis is vital for a more reliable gathering and reporting process of indicators. More specifically, it allows you to:

• Define more realistic indicators, unlocking operational sticking points (unavailable data, communication problems, etc.);
• Define and develop operational needs more precisely: it is necessary to arise teams’ interest in the results of the project (i.e., ensure that their work has a tangible impact for them);
• Facilitate change management to get more reliable results overall, by understanding the purpose of the gathered indicators.

It is necessary to involve the employees from the beginning of the process, as well as maintaining the dynamic throughout the indicator’s operational maintenance. Transversal workshops should be organized throughout the process below, which will help in defining the indicators or generating questions.

Figure 2: Indicator life cycle and maintenance

Facilitate data gathering and reporting with automation and appropriate tools

While manual collection provides flexibility to experiment and test new indicators, (semi-)automated collection increases the team productivity and provides more reliable data.

It is not always profitable to automate everything, as it depends on the data nature, data volatility or data maintenance. One of the highlighted reasons can be because of the cost of automation (it takes a full year on average to automate gathering and reporting process). Therefore, scope of automation should be carefully determined.

To scale up and automate more indicators, the corporate data culture needs to be improved. To reduce the cost of automation, it is necessary to have organized, referenced, and standardised data. Four measures to achieve that are:

1. Define a corporate vision and objectives to control, reference and manage the data;
2. Define policies and rules supported by top management to regulate the use and standardisation of data;
3. Promote a data culture among business teams to reflect the way data is valued and used;
4. Equip ISS with tools to support the organization’s data policies and strategy (Master Data Management, Data catalogue, Data lineage, etc.).

To become data-driven, the blocking points does not require to be technological, but organizational, particularly in terms of skills and ability to accept changes.

As a result, automation makes data collection “more liveable” for employees and makes the indicator’s feedback more reliable over time.

Talking to your executives: the value of limiting the number of indicators

A well-constructed dashboard is an excellent way to address and involve the Executive Committee (COMEX), even though dashboards are under-exploited for their “marketing” side. In 2022, 25% of companies have never solicited their Executive Committee, and only 30% of the market involves them regularly.

The dashboard must be self-sufficient (i.e., must be understandable at first sight), able to carry impactful messages, since it is intended to be shared with as many people as possible. The Executive Committee solves problems, accepts, or rejects risks daily, monitors budgetary performance and operational efficiency, supervises of customer satisfaction and the company’s public image. To talk to the executive committee, the dashboard must bring out the necessary essentials required to respond specifically to the targeted issues. To do so, it is more useful to highlight specific methods and solutions rather than explaining in-depth, the causes of the technical problem (unless the need is clearly expressed).

The purpose of presenting to management the “ratio of cyber FTEs over IT FTEs per entity” or the “ratio of cyber budget over IT budget” (that can be two viable approaches) is to inform and make decisions on cybersecurity resources.

In short, the choice of indicators and their format must be adapted to the COMEX. To do so, they must:

• Be focused on potential business impacts;
• Be consistent over time to have a stable indicator base and facilitate appropriation and understanding;
• Have a self-supporting form to visualize the evolution of a trend and its deviation from the set target.

Conclusion

A dashboard is only a tool that should not be considered as an end itself. However, when properly configured and defined, it is certainly the best weapon for a CISO to make cyber governance more efficient.

To set up or update a dashboard, there are 4 success factors to remember:

1. Incremental: identifying sustainable indicators is difficult. Except for EXCOM dashboards, where an agile approach is necessary to integrate time for asking questions.
2. Inclusive: all teams must be involved to understand the purpose of gathered indicators (and the impact on their work). This will lead to increased reliability.
3. Scalable: the cyber ecosystem and its threats are growing exponentially. The designed dashboard needs to be flexible to consider the new risks that will arise (new KRI that needs to be implemented to the standard security base).
4. Simple: the purpose of a dashboard is to be shared. Therefore, it must be understandable at first sight. “Keep it simple” is necessary to simplify reading and accelerate appropriation.

Cet article Turn your dashboard into a real management asset against global cyber threats est apparu en premier sur RiskInsight.

Cyber Supply Chain attacks are a growing trend amongst cybercriminals where one attack can leave countless organizations vulnerable and potentially damaged.  You’ve seen the headlines following a number of high-profile incidents in recent months.  The European Union Agency for Cybersecurity (ENISA) warns that these types of attacks are now growing 400% year-over-year as cybercriminals are shifting to larger, cross-border targets.

Attackers’ main motivations remain to gain access to source code and customer data, and now they can do so across multiple target organizations by first compromising vendor software being deployed to those companies and government agencies.  This is an ingenious (and nefarious!) approach on a few fronts:

1. This type of attack can generally get around any target company’s strong cybersecurity posture, particularly related to its perimeter security; the attack is brought into the target environment via a trusted vendor’s product.
2. Such an unsuspected attack vector (a form of “friendly fire”) means that the attacker’s “dwell time” within the target can be quite long before discovered (or revealed in the form of ransomware!). Quite a lot of damage can be done during this time.   
3. The shear breadth in number of targets that can be addressed via a single attack is immense; the economies for a cybercriminal vastly multiply their criminal profitability.

About 50% of these attacks can be attributed to known advanced persistent threat (APT) organizations (e.g., the Russian state-sponsored threat group APT29, a.k.a. “Cozy Bear”, responsible for the 2020 SolarWinds attack).  These APT groups have access to many resources and much funding enabling their creativity for damage and not getting caught.  Hence, these attacks are growing rapidly and more complex with such backing; and this trend will continue, enlarging the gap between such risks and an organization’s ability to detect and remediate them in a timely fashion.     

Some most notable recent cyber supply chain attacks include:

• SolarWinds – Where attackers in 2020 exploited known vulnerabilities in its IT software Orion (used to manage servers in many organizations, including large businesses, several arms of the U.S. government, threat response firm FireEye, and Microsoft.
• Kayesa – More recently in 2021, the notorious REvil ransomware gang (another APT organization) exploited known vulnerabilities in IT management platform Kayesa VSA, which ultimately compromised an estimated 1,000 organizations that use the platform.

C-SCRM Survival Tip #1: In terms of your organization’s vendors for software or hardware, etc., it turns out that their risk model is now your risk model!  Frankly, it always has been, and attackers have evolved to take advantage of this existing threat vector.

Graphic #1: Unavoidably Intertwined Operational Models in Managing Cyber Supply Chain Risk

Hence, the complete Cyber Supply Chain lifecycle for all your business applications and IT tools must be considered within your Cybersecurity strategy and practices.  This means that before you choose a vendor, you should assess their security posture and security & incident management processes BEFORE you allow them to contribute software, tools, or equipment to your otherwise secure enterprise.

More so, beyond an initial assessment and acceptance of a vendor’s software, etc., the acceptability of a vendor’s continual access to your environments via releases and patches of their products needs to be continually monitored and assessed.     

C-SCRM Survival Tip #2: Shift Security Left. The only way to fully secure your enterprise continually is to ensure the sanctity of anything that comes into it.  That includes all vendor products that would integrate into your IT environments, etc., and the vendor’s lifecycle for development and deployment of their products.  You can only be as secure as they are!   

C-Supply Chain Risk Management – Definition and Scope

Attacks on Cyber Supply Chains continue to take advantage of ongoing disconnects in an organization’s understanding of the related supply chain risks and how to deal with them:

• Most organizations have a false sense of security (“blind spots“) based on assumptions that their vendors are already secure, and their products can be trusted in the organization‘s environment. They believe their recognizable “brand name“ vendors are at least as diligent and proactive about cybersecurity as their organization.
• Many organizations also lack continual robust monitoring and reporting, particularly around their vendors‘ software product interactions within their environments; they’re simply not looking here with sufficient focus based on current events.
• 82% of organizations believe their executive teams and boards are confident in their approach to measuring and managing Supply Chain Risk.
  • Yet only 44% regularly report on their supply chain risks and related industry events to senior leadership. This is clearly a blind spot for leadership.
• Looking at financial services firms, for example, 79% say they would decline a business relationship due to a vendor’s cybersecurity performance.
  • But lack the data to make such decisions.

Graphic #2: Today’s Growing C-SCRM Threat Definition and Scope  

This false sense of security that most organizations have about their vendors’ software, etc. is based upon a (unverified) trust of a vendor’s own security diligence.  But we cannot assume this anymore, and perhaps never should have. 

This is one big reason driving a growing need for:

1. More continual and robust assessment of software (and hardware, firmware, etc.) providers’ cybersecurity performance.
2. Improved monitoring and reporting from both: a) upstream software vendors’ environments; as well as b) the downstream software buyers’ environments.

These may seem to be separate issues at first, but they ultimately compound to corrupt downstream customer environments prolifically.  Hence, we must “Shift Left” and go upstream into the vendor’s cybersecurity practices in order to manage our own Supply Chain risks.

C-SCRM Survival Tip #3:  Both initial and continual assessments of a vendor’s cybersecurity practices and incidents should be analyzed to ensure the security of an organization’s global supply chain before the vendor’s products or services touch their enterprise, and then continually throughout the relationship (and related product updates, patches, etc.).  

Another growing need is for the establishment of cybersecurity consortiums of industries and organizations (”IT ecosystems”) to share vendor and product risk data, and to quickly and continually inform partner organizations of new risks and mitigations to ensure fewer downstream surprises.  Whether performed per organization or through a consortium information sharing, there is (for the first time) a recognized need for continual assessments of many vendors’ cybersecurity practices before and throughout an organization’s relationship with these providers of solutions within their enterprise.  This is an emerging best practice for maintaining your environments’ security.  

Because these types of attacks have proven very successful (and profitable) to cybercriminals over the past few years, organizations should expect more and larger cyber supply chain attacks in 2022 and beyond.  Hence, the cost of the supply chain status quo is going up and this trend cannot be allowed to persist.  This is causing organizations to embrace stronger operational resilience strategies and emerging approaches like never before.

Noted that it is not only financial damage that companies must avoid (or remediate!) in the case of these attacks that often end in data exfiltration and/or ransomware.  83% of compromised organizations have also experienced reputational damage to their brand and public perception of their company.  This “ups the ante” for proactive avoidance of such attacks and more work to do if you are attacked.  

C-SCRM Survival Tip #4: Supply Chain attacks do more than financial harm to a company; in many cases these may also cause long-term reputational damage!  Hence, managing to reduce such attacks but also in robustly handling such attacks is vital to an organization’s survival.   

In response to the increasing waves of Cyber Supply Chain attacks, it is no surprise that a global approach to securing their supply chains as well as increasing their operational resilience will be the top priorities for 50% of organizations by 2023.  This is survival of the cyber-fittest.

To accomplish this, 88% of companies state that visibility into their global supply chain is more important now than it was 2 years ago.  But unfortunately, 74% of organizations are still using inefficient and less adaptable manual methods to ascertain and manage their supply chain risks.  Such approaches cannot persist while such risks are increasing at an exponential rate.

For an example of where improved C-SCRM approaches and processes are heading, consider the emerging security ratings services that customer organizations can utilize to initially (and continually) assess the cybersecurity practices and incident management of their vendors.  This is another emerging best practice, yet only 22% of organizations are using these resources to continually monitor their vendors’ cybersecurity performance.  Expect this utilization to grow and for such services to become more robust with available security tracking data for vendors.  

C-SCRM – Current Challenges and Opportunities

The vast number of Cyber Supply Chain attacks are being enabled by many challenges affecting organizations that utilize vendor software.  Yes, you are right; this means almost all organizations.  Try imagining an organization that does not use vendor software; then pause to think about the many(!) types of vendor software your organization relies on.

C-SCRM Survival Tip #5: Everyone has a cyber supply chain that can be corrupted!  There are very few exceptions.  In sort, every organization has a cyber supply chain whether the know it or not, complete with risks that can be exploited, and threats brought into their environment unexpectedly … EVEN IF the organization is highly secure in its perimeter defenses.Hence,cyber supply chain risks must be proactively managed by your organization.

It’s quite clear what the breadth of target organizations can be for cybercriminals when they devise such supply chain attacks.  They only need to breach a small number of the right vendors to indirectly gain access to their preferred (many!) target organizations amongst a vendors’ customer list. 

Some of the current challenges that organizations face in trying to regularly assess their vendor and supply chain cyber risks include:

1. Lack of data that is readily available related to such risks, including its timeliness, accuracy, and actionability. Organizations have had to develop their own data for such analysis and decision-making to select or continue with a particular vendor or product.
   1. This can be (too) time-consuming and resource-intensive for organizations.
   2. Such data, when possible, is intended to help organizations to identify as early as possible any potential risk exposure when using a particular vendor’s product
2. Even when such data is sufficiently available (rarely), most customer organizations have had little sway to force vendors to remediate their internal and supply chain processes to a point that they can regularly be confident in consuming their products as cyber-safe.
3. Such data would need to be refreshed frequently to be effective; but even where there are useful data points, these are generally not monitored continuously as would be needed based on today’s changing and escalating threats.
4. All this lack of actionable data from the above challenges means that the speed of any assessment is simply too long a cycle.
   1. Especially true for continual monitoring where the threat is potentially already in your enterprise (vs. an initial assessment before bringing in a product).
   2. But the only way an organization could previously speed up such assessments was to invest more of its resources into such focused efforts; but it generally didn’t have the capacity to do so.
5. Lastly, how an organization would address its 3^rd Party risk management is strongly determined by its structure, and defined roles and responsibilities for managing this. Most organizations have not made it clear who (what person or team) would own the responsibility for Cyber Supply Chain Risk Management.  This will have to change before many of the challenges above can be addressed considerably.    

Graphic #3: Current C-SCRM Challenges and Potential Solutions

There are emerging opportunities and options in addressing the challenges listed above and related ongoing Supply Chain concerns. For example:

• New technologies are becoming available to organizations that wish to be more proactive and quickly adaptive to their supply chain risks.
  • 3^rd Party Security Ratings – Services are becoming available where an organization can purchase one-time or recurring ratings for a particular vendor or set of products it wants to purchase (or already has).
  • Advanced Monitoring and Detection Tools and Services – Continued advancement and maturity of monitoring, detection, and action-oriented tools and services is enabling earlier detection and appropriate actions than ever before.
  • AI and its behavior analysis capabilities – This is one important advancement amongst monitoring and detection tool improvements; but this technology is also becoming engrained within many other aspects of cybersecurity
    • Wherever unusual patterns can be recognized by AI and enacted on appropriately far more quickly than a human could.
    • Expect AI to become a primary underpinning to many cybersecurity automation tools, not just C-SCRM.
  • For supply chains, Blockchain is an emerging technology that will enable better security management in terms of a product manifest’s chain of custody and that it has not been tampered with during the supply chain deployment.
    • Note, however, that this doesn’t solve the issue of a vendor’s software development process being breached to inject a threat for downstream users; this risk would need to be assessed as part of the vendor’s security practices (see the 3^rd Party Security Ratings services above).
  • Perhaps most importantly, new organizational roles (and responsibilities) are being created to enable greater focus and proactivity in assessing and managing supply chain and other 3^rd Party risks. This is long overdue, and a promising development in appropriately applying all the risk mitigation options listed above as needed for a particular organization’s target security posture.     

If Every Organization has a Cyber Supply Chain that Can Be Corrupted to Create Extensive Damage à What are you going to do about it?

Every organization has a supply chain with risks that can absolutely be exploited; there are no meaningful exceptions to this rule.  Hence, there is no room for a false sense of security, and no excuse to not address this immediately (and ongoing).  After all, you do not want to be the next cautionary tale about an organization in industry news!

To get started with your organization’s C-SCRM strategy, first consider these Success Factors in developing your overall approach.  Remember these factors as the “B-O-O-M“ strategy to pursue when ensuring C-SCRM success:

1. Both internal and external supply chain processes and security checks require focus.
   1. There are clearly a number of processes and capabilities that an organization has direct influence on immediately; start there, but do not end there.
   2. Be sure to also include external forces, such as suppliers, where the organization has only indirect influence; but where failure to implement such influence creates greater risk.
   3. Manage all threat vectors associated with your cyber supply chain risks; hence manage your supply chain vendors as well as your own organization.
2. Optimize Your Organization and related processes to stay aware of current cyber events, industry trends, issues, and best practices.
   1. Ensure sufficient focus by your organization on these items, including assigned roles and responsibilities for coverage.
   2. Partner with industry organizations and vendor partner organizations to stay informed and influential for managing supply chain risks.
3. Optimize Your Data for cyber supply chain and vendor risks, and extensively analyze these to be data-driven in your C-SCRM capabilities prioritization as well as your vendor selections and ongoing risk management.
4. Mature your organization, data, and tailored best practices to keep pace with (or preferably ahead of!) the continually growing and evolving cyber supply chain threats you must manage. This is far from a static set of threat vectors in this cybersecurity space and may just be in its infancy in terms of the future number of threats and types of complexity to be managed!  

Graphic 4: Success Factors for Managing Cyber Supply Chain Risk

C-SCRM Survival Tip #6: Drop the “BOOM” to be successful in your C-SCRM strategy and approach:  Both internal and external forces need to be managed; Optimize your organization for C-SCRM coverage; Optimize your C-SCRM data for analysis, selection, and monitoring risks; and Mature the above as organizational-specific best practices to stay ahead of the curve!       

Defining & Implementing C-SCRM Best Practices for Your Organization

The previously listed success factors for C-SCRM lead directly to the following best practices and capabilities for an organization to implement (shown here in a step-wise approach): 

1. Identify / Inventory all your types of vendor suppliers and service providers.
2. Define risk tolerance criteria for each type of relevant vendor and service for critical business processes.
   • Including important vendor dependencies, their critical software dependencies and single points of failure, etc.)
3. Assess each supply chain risk (e.g., a vendor or product) according to their specific business continuity impact assessment and requirements.
4. Define initiatives and best practice procedures based on industry best practices tailored for your organization and assessed risks.
5. Establish your organizational teams and roles for ownership and maturing these critical C-SCRM responsibilities, including –
   • C-SCRM Leadership and Communications – Report to Executive Team & Board regularly about risks and threats to the organization and identified in the industry (that may become threats which can be proactively avoided).
   • Risk Identification and Monitoring – Continually assess prospective and current vendors via software and service types with their risk profiles and requirements.
   • Cyber Supply Chain Requirements – Actively manage each vendor’s adherence to the organization’s C-SCRM established requirements; and hence, their incorporation into vendor contracts.
   • Cybersecurity Knowledgebase / Data Repository – This resource should be maintained to be more broadly used than just for C-SCRM scenarios; but this is where business line managers as well as technical integrators can access requirements lists, contractual provisions, and ratings data associated with vendors and their products.
   • Supply Chain Risk Liaison to the rest of the organization – In the case of insufficient data available for a vendor-related cybersecurity decision, or the needed investigation into a new vendor, product, or incident.  
6. Continually monitor supply chain risks and threats, based on internal and external sources of data.
   • Including findings from suppliers’ performance monitoring and reviews.
   • Maintain historical and trend data as long as relevant.
7. Make vendors aware of perceived or discovered risks or weaknesses associated with their products and processes.
   • g., managing such vendors throughput their entire product lifecycle, including procedures to manage releases, patches, and end-of-life considerations.
   • In some cases, you can help them improve their cybersecurity capabilities to advance your own security posture.
   • But if they fail to adhere to your supply chain security requirements or attempt to remediate based on findings you share, all bets are off.  
8. Continually use and enhance data to optimize your C-SCRM strategy and approach.
   • Strive for C-SCRM process and data maturity in both selecting vendors as well as strengthening these relationships (and your trust in them) over time.
   • Also use data to build an appropriate operational resilience strategy that will take over in the case of a vendor’s failure – via an attack needing remediation and/or the subsequent removal of such a unacceptable vendor or product.
9. Grow your C-SCRM Optimization maturity.

• This will never be a static set of vulnerabilities or threat vectors; stay diligent at continual improvement and maturity in your organization’s capabilities to actively avoid supply chain risk and to remediate it quickly if encountered.

The listing above of C-SCRM best practices was laid out in a suggested chronological order (do this first, second, and so on).  However, for further elaboration on implementing your best practices, the list below in Graphic #5 shows these same best practices in relation to achieving organizational C-SCRM strategic objectives.

Graphic 5: C-SCRM Best Practices to Implement Now and Ongoing

C-SCRM Survival Tip #7: Implement your C-SCRM Best Practices in the order that makes most sense for your organization’s transformation into C-SCRM maturity; but ensure these accomplish the strategic objectives above as you mature.

Conclusion & Next Steps

So, to what extent do you need a C-SCRM strategy?  By now you should understand the value for any organization to have such a strategy and accompanying best practices.  But the extent to which SCRM should be aligned with and support your business and IT strategies will depend on your business model, vendors profile, cybersecurity capabilities, and risk tolerance.

How important are your vendors’ products (e.g., software, tools, hardware, or firmware) to your critical business operations?  Or to your potential growth?  How fragile are your business operations if a vendor in your supply chain was no longer a secure option?   What is your feasible risk tolerance for such external disruptions to operations?  Think about these questions regarding your supply chain, vendor and product choices, and ongoing operational resilience requirements to determine how to develop your specific C-SCRM strategy for current and future needs.

Once you’ve determined the next steps that are appropriate for your organization, here are a few ways that Wavestone can assist you when you’re ready to build out your Cyber Supply Chain Risk Management optimization approach to enhance, baseline, or continually improve your C-SCRM capabilities:

1. Develop a customized C-SCRM strategy for your organization.
2. Establish a Cyber Supply Chain Center of Excellence (CSC-CoE) with robust C-SCRM capabilities for vendor-related decision-making as well ongoing monitoring and reporting at all organizational levels.
3. Execute a C-SCRM (Vendor & Product) Capabilities Maturity & Risk Management Assessment to identify any vulnerabilities, risks, or threats; as well as to enable targeted decision-making about selected vendors or products of interest.

Feel free to reach out to us if you’d like to discuss your Cybersecurity journey and capabilities, and how to get started towards supply chain risk management success.

About Wavestone US

Wavestone US is the North American arm of global management and IT consulting firm Wavestone. We have supported the transformations of more than 200 Fortune 1000 companies across a wide range of industries, leveraging a strong peer-to-peer culture, offering a practitioner’s perspective on IT strategy, cost optimization, operational improvements, cybersecurity, and business management. It is our mission to help business and IT leaders successfully deliver their most critical transformations and achieve positive outcomes. We drive change for growth, lower cost, and risk, and create the trust that gives people the desire to act.

Cet article Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses est apparu en premier sur RiskInsight.

For the past few years, companies have seen their cybersecurity budgets significantly increasing; according to the latest Gartner reports, they have increased by 51% since 2018. Chief Information Security Officers (CISOs) are now being asked to control cybersecurity costs and report to management as well as the regulator.  

However, this increase in corporate IT security budgets has not always been followed by prudent budgetary management in the past. Learning from that, companies are now launching initiatives to monitor and collect cybersecurity cost data to better understand their evolution and make better informed strategic decisions, improving security while optimizing resource allocation. However, setting up budget management is a complex process that must meet specific objectives.  

To what extent is the installation of a cybersecurity budget management system a key issue for the CISOs of large companies? – Our experience with our clients has proved that collecting cybersecurity budgets and implementing their management is often a valuable process and that reports resulting from such exercises are valuable governance tools. In this first section, we will examine the benefits of regular and industrialized cost collection and its true purposes.  

Effectively driving cybersecurity budgeting 

The final budget report is a strategically important governance tool key to achieving operational excellence and helps establish whether the company’s cybersecurity budget is being used effectively.  

Budgetary steering is also an integral component of budget management and allows us to verify that the investments are aligned with the main risks the company is facing. For example, a company might find that its investments in a NIST benchmark topic are particularly low. In addition, if audits show that the level of security is insufficient in this area, then the conclusion is clear: it is necessary to devote more resources to this area. Therefore, budget reports are one of the elements that better facilitate quantitative investment decision making. 

Example of a data visualization element from a budget report showing budgets by NIST activities. In this example, the chart highlights low investments in the “Identity and Access Management” area. If operational indicators show that the company’s maturity level is low, then it will be clear that the company has an incentive in making greater investments in this area.  

In addition, the Group level data is very useful to the group members when they are shared across the peer set. It offers them an internal benchmark that enables them to view their position relative to their peers. CISOs of the various corporate entities will therefore be able to exchange information directly with each other, share best cybersecurity practices and identify the best operational models implemented by their peers. 

Taking optimized decisions to achieve operation excellence 

Budget management helps identify opportunities for optimization at entity or group level in order improve cybersecurity effectiveness. 

The budget report is an asset for bettering the management of human resources dedicated to cybersecurity. For example, it makes it possible to estimate the ratio of internal labour resources to external resources and to make the necessary adjustments i.e., after reading the budget report, management could launch a labour internalization initiative if it realizes that the proportion of external staff is too high. It can also modify the geographical distribution of human resources in order to better meet the security requirements of corporate entities in different countries and to gauge the onshore/offshore distribution. 

Example of a data visualization element from a budget report showing the number of cybersecurity employees. In this example, the graph reveals a risk that the share of interns is too low to keep the expertise in-house. It might therefore be worthwhile to launch an insourcing plan.  

Consolidating the cybersecurity budget provides an opportunity to make savings, automate or mutualize activities. Budget management can then result in decisions to consolidate contracts as well as rationalize and/or automate processes in order to keep control of cybersecurity costs. 

Due diligence and externally conducted audit compliance 

When a company’s cyber budget is under scrutiny by regulatory authorities, it will be necessary to have a dedicated collection process to be able to provide a reliable breakdown of IT security costs.   Properly conducted budget collection will allow the creation of analytical data and deliverables that will serve as the basis for accurate and informed responses. For example, the European Central Bank has asked some banking organizations to present details of the human resources dedicated to IT security to monitor the preparedness of European banks for cybersecurity risks. 

Furthermore, a synthetic view facilitates communication with certainty on the state of budgets and expenses dedicated to security to any interested third party. For example, the American bank JP Morgan Chase explained in its April 2019 letter to shareholders that cybersecurity was one of its major concerns. The bank announced spending more than $600 million a year on IT security and employs 3,000 people in the area.  

Finally, knowing one’s budget is also important when purchasing cyber insurance, to prove the resources invested into cybersecurity. Furthermore, during a merger and acquisition, the resources invested in cybersecurity are often considered in the valuation of a corporate entity. 

Therefore, it seems particularly useful for large companies to have a process for collecting cybersecurity costs as it allows decision-makers to be aware of the amounts spent by the group on information systems security and to steer the strategy. However, the construction of a relevant budgetary report depends on the prior implementation of an extensive, methodical, and standardized data collection process.  The next part of this series will detail the framing and implementation of a budget steering process. 

Sources

[1] « Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019 », august 2018, https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019

[1] « Cybersecurity spending trends for 2022: Investing in the future », december 2021, https://www.csoonline.com/article/3645091/cybersecurity-spending-trends-for-2022-investing-in-the-future.html

[2] « Cybersecurity for the financial sector », https://www.ecb.europa.eu/paym/pol/shared/pdf/qa_cybersecurity.pdf

[2] « Face au risque de cyberattaque, la BCE demande aux banques d’être prêtes», february 2022, https://www.latribune.fr/entreprises-finance/banques-finance/banque/face-au-risque-de-cyberattaque-la-bce-demande-aux-banques-d-etre-pretes-903841.html

[3] « CEO Letter to shareholders », august 2019, https://www.jpmorganchase.com/content/dam/jpmc/jpmorgan-chase-and-co/investor-relations/documents/ceo-letter-to-shareholders-2018.pdf

Cet article THE CHALLENGE OF ORGANIZING THE BUDGETARY MANAGEMENT OF CYBERSECURITY IN YOUR COMPANY est apparu en premier sur RiskInsight.

Yes, experts are not exempt from awareness initiatives… let me tell you a story, I’m hoping that it will help you to get the message across to your organization.

It all started on a Tuesday at 3:34 pm. I received a WhatsApp from my CEO (or that’s what I think at the time!). The message read:

“Hi Noémie, are you available? I need to talk with you about a confidential acquisition in Belgium. Pascal”.

I picked up the message 10 minutes later and replied that I could free up my time and have that call. In my head, I asked myself a few questions: an acquisition, but who could it be? at what stage of the discussions are they? our priority areas are the US and UK, so it would be a bigger firm?… In short, the stress level was rising but I wanted to know more. At this stage, nothing indicated the slightest hint of a fraud or scam and I didn’t see any particular risk. I was more intrigued by the opportunity…

 2 minutes after my message, the following answer appeared:

“No need, but I will need you to prepare a transfer quickly, I will send you the bank information in a few minutes. Thanks”

At that moment, it all clicked into place. One thing was clear: it was a trap! It was urgent that I did nothing

I then decided to investigate because something wasn’t right in this situation:

• The phone number of the WhatsApp contact was not the one I have in my phonebook
• The photo is indeed Pascal’s but it’s a common photo, so easy to get

I then sent 2 messages in parallel:

• The first one to my CEO, to the number registered in my directory. I took a screenshot of the WhatsApp discussion and asked him “Hello Pascal, obviously it’s not you! Can you confirm?”
• The second was to the mystery sender on WhatsApp: “Are you testing me?”

The response on WhatsApp soon arrived, “Well done!”, and a more comprehensive message then followed which clarified:

• This was a campaign to raise awareness about Fake President Fraud.
• That the cases are unfortunately frequent and that several attackers have tried to impersonate a member of the executive management, by SMS, social networks or email by simply changing a photo or name
• What Fake President Fraud is and the objective of the attackers: to make you believe that they have a priority and confidential matter for you to deal with, such as an acquisition, which requires an urgent payment out of the normal processes.
• Rules to follow in case of an attack, clues to thwart attacks, and the security contact to alert.

As you can see, this story has a happy ending. In the cold light of day, you might think that it is quite simple to thwart the attack, but unfortunately that is not always the case.   

Beyond the example, it is the management of emotions that I want to emphasise. This exercise was well done and very credible; it first gave me confidence with an important request but without asking me to take any risky or suspicious actions. The importance of the request generated questions and a little stress – emotions I needed to master in order to keep my decisions and actions logical and reasonable. I am personally familiar with this subject; I know the theory, but I assure you that the real-life situation was very different! I now know that a flood of emotions appears (although they won’t be so new next time!), but I am reassured that my common sense allowed me to keep a level head and investigate without rushing. I thanked my CISO after the exercise – I understand the benefits of practice and this experience was a good test, especially for those experts who may feel safe as they know what to do (to be clear: I don’t put myself in that category!). It tested in a very realistic way whether they would know how to put the theory into practice and recognise the messages for what they were: a scam.

Training your people, even the experts, allows them to be better, to be ready (although not necessarily to be perfect!), because the situation will no longer be new, and the emotions will not be unknown… To shine on the big day, preparation is an essential ingredient, and this is true for everyone!

Summary

Some key elements of Fake President Fraud:

• Confidence building (photo, tone of voice, choice of words, etc.) by the attacker or climate of authority
• Urgency, stress: emotions that create pressure and disturb lucidity
• Demand for unusual, abnormal actions to be carried out within a short period of time

Cet article Fake President Fraud: almost caught me out! est apparu en premier sur RiskInsight.

Attackers have understood this issue and we are seeing more and more cyber-attacks affecting backups. As highlighted in the 2021 benchmark of cyber-attacks in France, in 21% of ransomware attacks, backup systems were targeted until they were rendered unusable.

What is the attackers’ modus operandi for reaching backups?

First, backups can be affected as collateral damage. This was the case a few years ago during a cyber-attack at one of CERT-Wavestone’s clients. In this, the backup management infrastructure was itself encrypted by the ransomware and had to be rebuilt before backups could be restored.

In ransomware attacks, attackers can also directly target backups to force their target to pay the ransom. For example, less than a year ago during a CERT-Wavestone incident response, the attacker took care to destroy all backups before encrypting the customer’s information system. The attacker was able to do this because the backup management infrastructure was administered through an account in the Active Directory. The attacker was able to elevate its privileges to the highest level and was able to easily connect to the backup infrastructure and delete all the backed up data.

Some initial protective measures can significantly reduce the risk

In 100% of the ransomware crises managed by CERT-Wavestone, the attacker had Active Directory domain administration accounts. To prevent the attacker from reaching the backups by this mean, it is therefore necessary to separate the backup infrastructure from the Active Directory. To do this,  make sure that the backup administration accounts as well as the backup servers are outside the Active Directory (NB: this will not prevent this infrastructure from backing up the resources managed in the Active Directory).

To further reduce the risk of an administration account being compromised, backup administration access should also be strengthened, for example with multi-factor authentication (MFA).

Furthermore, since ransomware attacks often propagate on the same operating system, it may be worthwhile to adopt a different operating system for the backup infrastructure. Alternatively, at the very least, make a copy of the backup catalogue (database containing pointers to backups) on a different operating system. This enables rapid restoration of the backup infrastructure in the event of a compromise.

In addition, it is sometimes possible to apply retention measures to the backup storage technology, such as applying a delay before the actual deletion of the data or keeping a copy (or snapshot) on the storage array. This allows for a delay of one or more days before the data is completely lost in the event of a deletion.

To go further…

Various initiatives are emerging to standardize data protection measures to face the growing threat (e.g. Secure Tertiary Data Backup Guideline by the HKAB – Hong Kong Association of Banks, Sheltered Harbor in the United States…).

In addition, backup vendors are building their solutions with the cyber threat in mind, with ransomware detection features, immutability features (to make backed up data completely unalterable, even for an administrator) or even “offline” backup isolation capabilities.

These solutions can be adopted to replace or complement existing backup solutions. Nevertheless, they often require significant investments. As we have seen, a certain number of initial protection measures can already greatly reduce the risk. It is therefore important to identify the feared threat scenarios and your level of exposure. It is also important to identify any compliance requirements (regulations, standards, etc.), in order to define an appropriate roadmap of maturity improvement.

This article is intended as an introduction to protecting backups against cyber-attacks. We will have the opportunity to go into more detail on this subject in future publications.

Cet article Cyber-attacks: what are the risks for backups and how to protect yourself? est apparu en premier sur RiskInsight.

After having successfully mobilized its executive committee on cybersecurity, having made a realistic and concrete assessment of the situation, you had an agreement in principle to start a remediation program!

A great victory, and the beginning of a multi-year adventure!

Defining ambitions and framing governance

The cybersecurity assessment and its benchmark have enabled us to position the organization’s current level of security. What remains now is to define the target to be reached and the means necessary to achieve it. This involves working with the cybersecurity teams, the IT department and of course the executive committee sponsor! The target can take many forms, but it must in any case respond to clear and concrete business challenges:

“To have an above-average level of security overall to avoid the most frequent attacks”, “To protect the data of large public customers”, “To ensure the resumption of factory production in less than 4 days in the event of a cyber attack”, or for more mature structures “To rationalize cyber investments by saving 20% for the same level of risk”, these are just a few examples of ambitions encountered in the field.

It is at the time of this target definition that we can adopt a risk-based approach, for example with different targets between businesses or entities; a regulatory approach with different levels depending on business constraints or a global approach.

Each target will be the subject of performance or risk indicators (KPI/KRI) to specify how progress will be measured. These ambitions are then translated into a concrete positioning on a cybersecurity benchmark, by theme and by scope. The easiest way to do this is to use the results of the previous benchmark, but it is possible to use another benchmark. Be careful, however, it will be used throughout the program to monitor progress and guide the various teams and entities, so plan on a lifespan of at least 2 years! The definition of the repository and the indicators is a key step in the success of the program, so plan to devote time to it. It is best not to immediately launch a whole series of technical projects without the necessary consistency.

To manage this program, the CISO must know how to surround themselves with people. The IS (Information Security) departments rarely have the experience to carry out such a transformation and budgetary requirements at this level. A good practice is to identify an experienced program director within the organization, who is used to the workings of the organization, and who can work closely with the CISO. The skills of the two profiles will naturally complement each other, on the one hand with security expertise, and on the other with large-scale management expertise. The choice of the binomial is also an important key factor of success, do not hesitate to spend time on it!

Build budgets on clear axes and know how to commit expenses

Once the agreement in principle has been received, the next step is to clearly structure the budgetary commitment. Once again, the major challenge in the relationship with the executive committee will be to make a clear and precise proposal: Acronyms, project codes and other abstruse terms should be avoided. The structure of a simple strategy; “Protecting the digital work environment”, “Encrypting and avoiding critical data leaks”, “Detecting attacks on our key assets” are some examples of terms used successfully.

The structuring of a program should be kept to around 4 or 5 axes and to group about 30 projects  maximum is something to keep in mind. Beyond that, reporting and monitoring will become too complex.

It should be noted that it will be necessary to break with the budgetary exercise obviously on the construction actions (“build”) but also on the additional operating costs (“run”) without that, the beautiful remediation will not last long… The identification also of the HR elements (number of recruitments/mobilities, trainings to be envisaged, salary evolution, evolution of the hierarchical relations in the entities or the subsidiaries…) are key elements to be created in the program to ensure its durability in time. This is clearly the right time to create a real cyber department within the organization and have it managed by a “Chief Operating Officer” like any other major department.

The preparation of these different budgetary elements will also have to consider the difficulty observed for several years now to commit the budgets obtained. The market is in dire need of cyber expertise and many projects have to be postponed. It is a good idea to take some leeway in the planning process to consider this situation, which will continue. The classic program timeline of, year 1 scoping, year 2 implementation, year 3 control, should be reviewed and instead be based on waves of smaller projects that are initiated as they come along. In short, it is better to have 5 waves of 5 projects that come to fruition than to launch 25 scopes simultaneously!

It should also be noted that these budgets and priorities will have to be reviewed annually, as the cyber threat is very dynamic, it is important to keep flexible budget lines to adapt to an unprecedented evolution of threats – as we have experienced in recent years.

Show progress to the executive committee!

Once the program has been launched, the challenge will be to show the executive committee the progress and the effects on risk levels. On a quarterly or even a semi-annual basis there are key points that need to be established: clear reporting, using simple terms that are linked to the reference system used, adding a vision on the progress of the projects and the progression of the risk level.To directly demonstrate the transition to regular reporting mode, it may be useful to add operational indicators linked to the level of security. In the long term, the challenge is to maintain an exchange with the executive committee at least every six months in order to maintain the level of attention on the cyber subject. These long-term exchanges can be structured around two annual meetings, one on risks (evolution of the threat and risks weighing on the organization), the other on investments (effects of projects, budgetary and HR issues for the following year).

Finally, the most advanced structures and those whose core business is based on digital technology can consider using their cybersecurity investments as business differentiators! Today, the cybersecurity requirements of customers, both large public and professional, are increasing rapidly. It is possible, and even desirable, to enhance the value of investments made to show that the subject of cybersecurity is a priority for the organization! For some organizations, cybersecurity may even become a profit centre, which will clearly change the discussions with the executive committee.

Cet article Creating a relationship of trust with your executive committee: step 3, make the transformation a reality! est apparu en premier sur RiskInsight.

Discover below the presentation presented during the Assises 2021

Cet article Assises 2021: fighting back against ransomware: how the CAC40 is reacting? est apparu en premier sur RiskInsight.

ORGANISING A CYBER CRISIS EXERCISE IN A LARGE COMPANY 

There are many reasons to organise a Cyber crisis exercise: evaluating the integration of Cyber security in the crisis management system, improving interactions between the different teams, and testing the capacity of the security division to make itself understood by top management. 

From a simple table-top process test to SOC/CERT training to a large-scale exercise involving dozens of crisis teams and months of preparation, the resources allocated to a crisis simulation vary greatly. This article focuses on the last category. 

WHAT’S A TYPICAL CRISIS EXERCISE? 

Looking at the figures, some of the largest crisis exercises in France have consisted of one day of activity, 150 people mobilised, 10-12 crisis teams in several countries, 30 facilitators, 20 observers and more than 300 stimuli. Being able to make a success of such an event requires both a high level of preparation and a very solid facilitation team on the D-day. 

One of the key issues found in these types of exercises is that there is only one take. It is therefore essential that ALL the actors take part in the game, and that the scenario involves all the participants. Preparation and facilitation are key in such exercises to make sure the time spent on the simulation is worthwhile.  

SIX MONTHS TO PREPARE 

1/ Selecting the attack scenario 

The first months of work are always devoted to the attack scenario. Ransomware, targeted fraud, attacking suppliers… the choice of weapons is large. In ambitious exercises, it is not rare to combine several attacks in one crisis: smoke screen launched by the attackers, identification of a second group during the investigation, etc. Whatever the scenario chosen, the key is to be as precise as possible: 

• What are the attackers’ motives? 
• What path of attack did they take? 
• When was the first intrusion? 

The exercise is long and preparation beforehand is needed, especially when 150 players investigate an attack for several hours. Spear-phishing, water holing, code compromise, privilege escalation: the vulnerabilities used by the fictitious attacker are not real, but they must be plausible and “validated” by technical accomplices throughout the preparation. Similarly, for business impacts, they should be reviewed with business specialists: the level of fraud at which the situation becomes critical, critical activities to be targeted as a priority, most sensitive customers, etc. The choice and involvement of accomplices are essential and they should be integrated into the coordination team on D-day.  

2/ Building the script of the exercise 

The script consists in defining minute by minute the information that will be communicated to the players. The calibration of the exercise rhythm is a complex point. The temptation to impose a strict rhythm is great to “master” the scenario but attention needs to be given to leave enough space for reflection.  

The start of the exercise is another complex point: should the scenario start directly in a crisis situation or on an alert that will test the general mobilization process? Most often than not, the second option is chosen. That way, the technical teams (CERT, SOC, IT…)  can be mobilised for the entire duration of the exercise. ExCom members should have their diary freed up during that day as well.  

3/ Preparation of the stimuli 

Technical reports, fake tweets, messages from worried customers, these are all useful stimuli for the players.  

Videos are often used to captivate. Indeed, nothing is more striking than a fake BBC report relaying the current attack (logo, board, etc. the more realistic the better). For more realism, videos of people “known” in the company (message from the CEO, interview of a factory boss, etc) can be used.  

The same goes for the technical side: the duration of the exercises often does not allow the players to carry out the technical investigations themselves, but they will ask a lot of the facilitators. Everything must be ready to avoid panic: Malware analysis reports, application log extracts, IP address lists, etc. 

As mentioned in the introduction, the most ambitious exercises may require the creation of 300 stimuli to get through the day and remain credible – is represents a lot of work.

D-DAY 

On D-Day, early morning, a meeting is organised with all the animation team and observers for the final adjustments. A few hours later, the observers will go to their crisis cells and start the players’ briefing. 

1/ Starting on a good basis 

For many players, this may be their first exercise. The briefing is therefore essential to avoid confusion between fictional and real-life events:  

• Players call the police in the middle of the exercise

• The players contact a mailing list of 400 people without specifying that it is an exercise

• Real customers be called to be reassured

• A production site is neutralized “by prevention”

To avoid such situations, it is essential to iron out the rules of the game during the briefing: the players must communicate with each other, but they must go through the facilitation unit to contact external stakeholders. Throughout the day, the facilitators and accomplices in each team find themselves in the shoes of a client, a technical expert, a CEO, or a regulator, according to the players’ requests.  

2/ Rely on an efficient facilitation team 

The sequence of events depends on the efficiency of the animation cell. A successful exercise includes a lot of improvisation on the day. Stimuli may have to be readjusted according to the reactions of the players, the score is never fixed and the facilitation cell will be put to the test on the day of the exercise. The largest crisis exercises have particularly professional crisis management teams, including the head of the facilitators, PMO, technical manager, business manager, call management centre, etc.  

We suggest not to take any risks on D-Day and to recreate teams that are used to working together and know each other. Doing so is the best way to gain time that will prevent the organisation team from going into crisis itself. 

Cet article Organise a cyber crisis exercise in a large company est apparu en premier sur RiskInsight.

Creating a relationship of trust with the executive committee is a long-term action. After a first step that often involves raising awareness and putting the cyber risk into perspective for the organization (see BILLET 1), it is now a case of getting to the heart of the matter and starting the path of transformation! 

TO TRANSFORM, YOU HAVE TO KNOW FROM WHERE YOU ARE STARTING…. 

Before any transformation, it is important to define the starting point and share the findings with the executive committee. The use of international standards obviously forms the basis for evaluation, ISO 27001/2 and NIST CSF are the two international references: one rather European, the other more anglo-american.  

But what will matter most to executives is a benchmark based on the posture of their competitors and the market in which they are located. As such, we have developed a specific tooling at Wavestone and built a comparison base that currently includes more than 50 large organizations, mostly international and based in Europe. The quality of this base is essential to convince the leaders, who during the debriefings will ask, precisely and often with a lot of hindsight, what is done elsewhere. 

The first key element of an evaluation is to ask the right questions and get useful answers!  In a large organization, it is complex to carry out a detailed assessment of the level of compliance with security rules. The use of a simple notation, on a classic scale of maturity – from 1 to 4 for example – quickly reaches its limit. What we have chosen to do, and which has proven its worth on the ground, is to answer questions by expressing a percentage of the perimeter covered. For example, it is possible to have 80% of workstations with a simple anti-virus and 20% with a modern tooling type EDR. The same approach is replicable on more organizational issues, 50% of users aware by sending emails, 30% by tracking a webinar and 20% by face-to-face sessions.  

In the collective unconscious, this phase of questioning often seems long and very energy intensive. If you want a high level of detail, evidence gathering or technical checks: this can be useful when the organization already has a high level of maturity. But at the beginning, a simpler and more effective approach, typically over a short period of one month with a load of twenty days, may be enough to provide a  concrete picture of the situation and enough concrete arguments to get decisions and initiate change. 

During the preparation phase, it will also be important to identify the expectations of the executive committee beforehand. Discussing with the most concerned members about their expectations, getting their opinions on the right way to approach the subject and the priorities of the organization will be essential to ensure the relevance of the questioning and restitution phases. There is nothing worse than making an off topic on the day of restitution! 

… AND SHARE THE REALITY OF THE SITUATION  

After the collection phase, the time will come for the analysis of the results. Our feedback shows that combining multiple views makes the most sense and is effective in gaining commitment. The classic rosettes of ISO or NIST compliance are obviously essential but often prove ineffective: too many axes, too many mixed elements that ultimately always give average notes.  

As mentioned in the previous post, two indicators will be successful at the beginning of the exchange: the budget dedicated to cybersecurity and the number of people mobilized on cybersecurity. The budget indicator is always tricky to handle (high annual variation and non-homogeneous accounting method), we often prefer to use that of more stable and reliable staff). Secondly, in our opinion, it is effective to run the analysis on three axes:  

• The 1st is the resistance of the organization to the last known attacks. Clearly the most effective element in debriefing with the executive committee, it also helps to attract attention at the beginning of the restitution. To achieve this view, we use CERT-W operational feedback to find out about the latest methods of cybercriminal attacks and we conduct an analysis of the associated measures.  
• The 2nd is a market posture, crossing the level of compliance with international benchmarks (type: “I aim for 75% ISO compliance”) with the gap to the market average for the organization concerned (“on the safety of the workstation, I am 3 points below the market. On physical security, I’m 2 points above”). Crossing these two axes helps to identify priority areas (those where you are below international standards but also above the market) and those where you should not be aggressive (the whole market is below international benchmarks, but you are above the market average). 
• The 3rd is an “actors” oriented view of the transformation, organized by the large entities that will be in charge of the transformation (for example: within the CIO the network, the workstations, the servers, within the risk directorate …). This view is very useful to conclude the exchange because it creates action and shows who will have to invest the most. 

Of course, these different views can be segmented by country or large organizational units to reflect possible disparities or expectations of management.  

In this phase of restitution, our feedback shows that executive committees are increasingly sensitive to cybersecurity issues and will ask very specific and concrete questions. Therefore, evidence and factual evidence about the organization must be well-informed. Having the results of recent audits, concrete figures on the length of time it takes to successfully break in, and even videos of an attack demonstration can facilitate an executive committee to become aware of the risk.  

STARTING NOW STEP 3: TRANSFORMING THE ORGANIZATION  

Describing the situation, the difficulties and the axes of progress should not be an end. The first arguments must be prepared on the conduct of change. Who should carry the transformation? What financial volumes should be expected? What schedule to consider? What reporting should be done? And above all what sponsor in the executive committee should follow this topic! Without being a formal part of the meeting, incorporating these elements into the end of the exchange allows us to prepare the next step and collect the first opinions.  

These issues are obviously very dependent on the organization, but we are seeing trends emerging. Today, it is mainly the CISO within the CIO that carries the transformation often supported by an experienced programme director familiar with the structure. Regarding budgets, for major remediation programmes, the sums in the financial sector range between 200 and 800 million euros, in the industrial sector between 50 and 100 million. These sums are usually committed on 2- or 3-year programs and are followed by the quarterly executive committee at the launch and then a semi-annual pace can be sustained from then onwards. 

To conclude the session, the most important thing is to define the next steps!  Even if all these savings do not immediately lead to the launch of an investment programme, the risk review should take these results into account or propose the realization of a benchmark again the following year. 

Cet article Episode 2 Create a relationship of trust with the executive committee est apparu en premier sur RiskInsight.

Repeated sick leave, insomnia, withdrawal, security systems companies have been under great pressure for several years. Although threats are intensifying, it is not enough to explain this phenomenon. It is clear that the level of stress is more related to the functioning of the sector and management practices, rather than to the very nature of the activities carried out. Last year, a study by Nominet showed that 23% of ISSMs in 2020 admit to using medication and/or alcohol and drugs to cope. And very clearly, the phenomenon is not limited to ISSMs alone, but to the entire ISS community (SOC analysts, project managers, experts…). But how have we been able to move from passionate, close-knit teams in less than 10 years to such an HR situation?

Cybersector HR approach

Requests for intervention are very rare concerning HR policies, training courses, managerial practices even though the smooth running of the sector and the well-being of the employees have a definite impact on the medium-term level of safety. Sportsmen and women know it very well, the state of mind in the changing room has a major influence on the final result.

Faced with this observation, some major accounts have taken an interesting step: they have integrated these HR operating topics directly into their maturity framework (NIST, ISO, etc.). This is indeed an excellent idea that enables them to deal with essential subjects in a few weeks via an already established organisation and processes (insurance, evidence review, cyber programme, etc.). Another advantage, the framework is often an essential input to the construction of the strategy, and this HR dimension is thus directly integrated into the multi-year plan of certain companies. Concrete and measurable objectives are defined for staff turnover, employee motivation or even the work/life balance. Finally, these elements are regularly presented to top management alongside the patching rate, zero-trust convergence and resilience capacities!

When the physiological well-being of the employees is integrated into the objectives of the sector, and therefore at the same time into those of the CISOs, companies have a much smoother run; but it is still necessary to address the right subjects!

Priorities: Valuing expertise, encouraging mobility and aligning salaries

Pentesters, CERT analysts, DevSecOps specialists… the security sector is made up of a multitude of experts, who are not always recognised, valued and motivated with relevance. Unfortunately, too many companies still have a natural tendency to overvalue management to the detriment of expertise. It is therefore indispensable to create an ecosystem favourable to experts in the ISS fields. The field of possibilities is vast: the implementation of specific career paths, encouraged access to certification, involvement of communities of expertise in major decisions, external valorisation (conferences, media).

The subject of mobility is also essential. There is indeed a feeling of suffocation within the sector: the tension on cybersecurity resources is so great that many employees feel they are stuck on their posts, without the slightest possibility of evolution. As a result, morale is low, people are going around in circles, asking questions, criticising creating an unhealthy climate. A obvious solution exists: encouraging or even imposing mobility. For example, some major accounts have recently set up incentive governance that allows ISSMs to spontaneously propose mobilities and exchange resources, the subject of cybersecurity is vast enough to create rich and exciting careers. A healthy sector is one with a mobility rate of at least 10%.

Finally, there is a need to discuss wages. There are major differences between CISOs remunerations from one entity to another, and the salary structure itself may differ. It is therefore impossible to create team spirit and solidarity in such conditions. The project is not simple, but it deserves to be discussed with the HR, all the more so in a context of strong mobilities which will necessarily lead to complicated situations.

Employees no longer understand their organisation and suffer as a result.

In recent years, safety has taken on a whole new dimension: in France, there is an average of 1 safety FTE per 500 to 3,000 employees, with an average of around 1 per 1,000. The era of the small team of 15 passionate people within the IT department’s operations is over. With large teams, a simple decision can take weeks.

There is an urgent need to rebuild a more readable operational model with a trend in pooling and eliminating redundancies.

1. Regrouping centres of expertise (Audit, Cloud…)
2. Creation of a single cyber defence centre (SOC, CERT…)
3. Structuring of a single Cybersecurity Programme within the Group’s reach
4. Pooling of the PMO in a Reporting Factory.

This type of grouping will make it possible to create an emulation, to embark and to give collective meaning. Of the recent reorganisations, it is estimated that around 40% of the sector’s employees work on activities with a transversal scope.

Salary alignment, re/up-skilling, training/certification plans, mobility processes, reorganisation of the sector, there are many subjects to be dealt with to boost well-being and enable employees to build a full and rewarding career within the sector. However, this work cannot be carried out by the HR functions alone. It is essential that the CISO and team managers are strongly involved to establish the efforts over the long term.

Cet article Security channels on the verge of burn-out – an attempt to explain this phenomenon est apparu en premier sur RiskInsight.

“Security accreditation is a formal act by which the authority responsible for a system commits its responsibility to risk management.” [1]. It is of course mandatory in some cases[2], but beyond that, it is also a way of sending a strong message to users and top management: security is indeed a major topic for the organization. Agile methodology was at first designed for projects, but it can be a real opportunity for security teams to reduce security risks.

This method disrupted working habits of product teams and ISS teams (Information System Security). The latter have to find a way to go beyond adapting old accreditation method and propose a new relevant solution to still comply with the original goal of the accreditation: “Find a balance between acceptable risk and security costs, then have it formally accepted by a manager/an authority who has the power to do so[3]”.

One solution: provisional accreditation and long-term accreditation

As a famous Agile Security expert from Wavestone once said: “Agile and accreditation, it’s not rocket science”. Without denying the difficulties, explaining it is quite simple. Faced with teams that must deliver faster and provide continuous releases, the risk levels and therefore the security accreditation must be dealt with at the same pace.

What should the accreditation consider?

As always, security accreditation is all about giving thorough information on a project’s security risk level to the Accreditation Authority, for them to decide if it’s acceptable with regard to the organization ISS criteria (e.g. number of EUS still on the backlog, percentage of security baseline rules implemented on a given scope, etc.). Then, they take responsibility for the possible residual risks.

For example, only a few features are available to a few users at the beginning of a project. This small scope will display a lower level of risk (because of a low level of exposure) despite not being fully secured yet. Provisional accreditation (for a few months for example) may be issued to allow experimentation. It will have to be renewed when renewal criteria (defined in advance) are met.

Figure 1 – Product exposure to residual risk
From the ANSSI guide (in French): Digital Agility and Security, October 2018 (link to the guide)

For a project at cruising speed, accessible to its target audience with all the expected features, a firm accreditation (3 years for example) is pronounced. The criteria for renewal, leading to the issuance of a new accreditation, are also defined in advance.

When to renew the accreditation?

The criteria used to know when to renew the accreditation are closely linked to the project, the context, or the scope, but here are some examples to build these criteria. The provisional accreditation is valid until:

• New critical features are added (“critical” depending on the project),
• A new threshold for the number of users has been reached (defined in advance, depending on the associated risks),
• New personal data must be integrated and processed by the project,
• New features related to payments must be implemented,
• A new level of transaction volume is reached,
• And of course when the accreditation deadline is reached.

Long-term accreditation is valid for a longer time because less changes are expected at this stage of the project. That being said, the accreditation will have to be renewed regularly (at least every 3 years) to check on security levels and in a will of continuous improvement.

What evidence should squads bring?

Squads/feature teams should be able to bring different types of evidence/proofs (of the security level) to the Accreditation authority/responsible for the accreditation. The Evil User Stories (EUS) serve as what we used to call risks, where prioritization gives information about their criticality (see our article on how to lead a workshop on risk analysis in Agile). An extract from the backlog can be used as proof that the main EUS have been processed and that residual EUS are known (and accepted by the Accreditation Authority).

The Security Form (or Passport, detailed in this article on Agile transformation – in French -) is also a relevant way to follow-up on security levels of projects.

Code review and vulnerability scan reports can also be used (for squads that have integrated DevSecOps and have the appropriate tools).

If the X-team exists (see our article on the new ISS roles in Agile and the corresponding organization) or if an external audit team was able to perform them, the penetration test reports are also presented.

Any other existing documents can be used to give all necessary information (architecture documents, applicable regulations, etc.).

For provisional accreditation, these documents don’t have to be gathered in a proper “accreditation folder”, which would imply losing time for squads. What is necessary is to ensure they exist and are available to anyone involved in the accreditation process (accreditation authority or their delegate, ISS team, etc.).

Who are the actors in this process?

During product development, the Security Champion (see this article for definition) is in charge of organizing the risk analysis workshops (identification of EUS and associated Security Stories). The ISS team is of course involved in the process, bringing their knowledge to the squads during workshops.

The Product Owner is responsible for the creation and updates of the necessary documentation. They also make sure the ISS team is informed and asked for help when needed.

The accreditation Authority should be a business manager (e.g. the Business Owner) as usual. They must have the capacity to accept residual risks and validate the product security levels. As security should not slow down any Agile processes, the signing of a provisional accreditation may be delegated to the Product Owner, as they are representative of the Business Owner in the squad. The temporary accreditation can thus be signed faster if criteria for validity are met. In some cases, where projects would pose a risk to other businesses or systems, a transversal officer/business owner must be found, to sign for both businesses or systems. If no one is found, or no compromise is achieved, the Chief Information Officer (CIO) will assume responsibility, as it is their role to ensure the operational conditions of the Information System.

As a conclusion, security accreditation remains key when speaking about integration of security into projects, in particular within the Agile framework which changes the product teams’ way of working. The ISS teams must take advantage and (re)join these product teams (through the Security Champion and the security training of the product teams) and thus work together towards the incremental reduction of risk.

More articles to come on Agile Security, stay tuned!

[1] ANSSI guide (in French): Digital Agility and Security, October 2018 (link to the guide)

[2] (French regulations only) For administrations: decree n ° 2010-112 of February 2, 2010, terms of the General Safety Reference System (RGS). For any product dealing with information coming under National Defense secrecy: Interministerial General Instruction 1300. For operators of vital importance: cyber section of the LPM (law n ° 2013-1168 of 18 December 2013 – article 22), to strengthen the security of the critical information systems they operate, carried out as part of an accreditation process.

[3] ANSSI guide (in French): The nine steps of the security accreditation, August 2014 (link to the guide)

Cet article Security accreditation for Agile projects: how to successfully do it ! est apparu en premier sur RiskInsight.

One fundamental theme won’t change: the threat – the starting point for all thinking about cybersecurity. In our view, unsurprisingly, ransomware will remain the major threat facing businesses. Since the end of 2019, and the exploits of Maze, Sodinokibi, and, more recently Egregor, these destructive attacks have been paired with massive data exfiltration – adding a new dimension to criminal blackmail operations. All types of organizations are affected: from local authorities, through SMEs, to large international groups – wherever they are in the world.

In addition, as we recently discussed in Le Monde, cybercriminal operations have become highly professionalized, ensuring the perpetrators reap a return on their considerable investments. These investments will enable them to mount increasingly deep, and technically sophisticated, attacks in the future – attacks that will have no qualms about targeting activities that are core to business functions (such as industrial networks, payment systems, etc.). In 2021, the stakes in the tug of war over the payment of ransoms are likely to be raised – with a determined effort by criminal groups to achieve higher profile attacks. We saw some early signs this year with the use of sophisticated procedures: from an attack being announced via Facebook advertisements, through direct negotiation with patients in healthcare-sector attacks, to the printing of ransom demands via in-store cash registers… There will be a need to anticipate such situations to the maximum extent possible, either by simulating them in crisis exercises or by tailoring specific, well-thought-out responses in advance.

In addition to the many-headed beast of ransomware, our teams out in the field anticipate strong growth in two other threat areas in 2021. First, indirect attacks, using third-party services: cybercriminals are heavily focused on circumventing the security arrangements of major players by exploiting vulnerabilities in their less-protected partners or targeting their IT service providers. In addition, attacks that target cloud-based systems are expected to accelerate and manifest new types of compromise. Exploiting vulnerabilities in identity and access management (IAM), in particular via supplier APIs to compromise ever more critical areas of business, will be one of the hallmarks of incidents in 2021. Today, this area represents a real challenge for IT teams, who are still much too unfamiliar with the fast-developing particularities of these platforms.

Faced with such a range of threats, CISOs will need to be both agile and robust, especially in their mastery of security fundamentals (in particular, the Active Directory, the application of patches, and multi-factor authentication) and in solidly demonstrating their cyber-resilience capabilities (with ever-more demanding commitments in terms of reconstruction times and the ability of business functions to be resilient without IT capacity).

In parallel, there are several areas that will be central to developments in IT departments, and CISOs can turn them into opportunities to improve cybersecurity within their organizations. In particular, we have in mind “Digital Workplace” projects – and the work to optimize available security measures, which will have to be done against the current backdrop of constrained budgets. Previous years’ investments in cybersecurity have often added new functionalities that are little known or used, especially when it comes to the cloud. Looking to these may offer a way to improve cybersecurity at lower cost.

From a regulatory perspective, 2021 will see another increase in issues linked to cyber borders or even cyber-protectionism. It will mean considering demanding isolation and protection requirements, and also the issue of the interconnection of new and little-known systems (for example, Alibaba in China, Yandex in Russia, etc.) with organizational networks.

In terms of technological developments to keep in mind, we have identified three trends: Zero-trust, Confidential Computing, and Quantum Computing. We discuss these in more detail below and set out the minimum level of monitoring that you should plan for.

Threats are becoming more complex and resources increasingly limited… CISOs will need to demonstrate their agility in 2021, by addressing a range of issues while still maintaining a clear strategic direction: they’ll need to be able to protect their organizations against cyber criminals while supporting, or even developing, new digital uses.

Cet article CISO, between post-COVID world and persistent threats, what are the priorities for 2021? est apparu en premier sur RiskInsight.

However, how to model these different FAIR input data?  How to compute with these data? Are there tools to simplify their collection or estimate their quality, and what efforts do they require to be implemented?

Having seen previously how trustworthy the risk quantification method was in its processes, let’s now see how the inevitable part of subjectivity can be isolated, and which facilitators can help to obtain reliable results.

The FAIR fuel: data

The risk analysis proposed by FAIR (according to the standardization document published by openGroup)[3]  is carried out in four stages:

• At first, in a fairly conventional way, it is a question of specifying the scope of the examined risk : what is the asset (subject to risk), what is the threat context (agent and scenario), and what is the loss event (the dreaded event in terms of losses);
• The second step (called Evaluate Loss Event Frequency) aims at collecting all the frequency data related to the loss event (and thus intimately linked to the threat agent). This consists of collecting the values for the left branch of the arborescence below.
• The third one (called Evaluate Loss Magnitude), because it assesses the loss, is focused on the asset. It is then a question of estimating the various primary losses (i.e. the inevitable loss in case of risk occurrence) and secondary (or possible loss, i.e. not occurring systematically when the risk advent). Its goal is to collect the values of the right branch in the tree below.
• Finally, the last step (called Derive and Articulate Risk) consists in merging the collected data as defined in the FAIR tree by the various calculations, to obtain the result in the form of usable outputs.

Link between FAIR analysis and taxonomy

Without detailing more the taxonomy, already discussed in the article presented before2, one can note that the standard analysis of a single risk requires seven data  (corresponding to the elements at the base of the tree):

1. Contact frequency;
2. Possibility of action;
3. Threat capability;
4. Resistance strength;
5. Primary loss magnitude;
6. Secondary loss magnitude;
7. Secondary loss event frequency.

It should be added that FAIR invites to decline losses (primary and secondary) into six categories (in order to ease and accurate estimate of the loss):

• The production losses: related to the interruption of the service produced by the asset;
• The response cost: related to the incident response;
• The replacement costs: related to the replacement of damaged constituents of the asset;
• The fine/judgement costs: related to fines, court fees and legal proceedings;
• The financial impact on competitive advantage: related to the impact on the organization in its sector;
• The reputation costs: related to the impact on the public image of the organization.

How do we correctly model risk uncertainty?

Furthermore, it is good to ask the question of what a FAIR data is actually.

Indeed, it is too reductive to define a data by a single numerical value. For example, lets consider a ransomware attack: it would be incorrect to say that an occurrence of this risk would cost exactly 475k €[4] (illustrated by the blue curve on graph 1).

Graph 1: A distribution, a more realistic model than a single value

However, adding uncertainty to this data by accompanying it with a minimum value (which could be  1€ in our example) and a maximum one (of  300 M€ in the same example), while keeping the most likely value stated above, would allow to model much more accurately the reality (purple curve of graph 1).

A data is then defined by a minimum, a maximum and a most likely value (corresponding to the peak of the distribution). We can also, note that such a probability distribution is independent of the kind of values considered: it may as well be a loss in any currency  (cf. the previous example), than an occurrence (for example, between once a year and once every 10 years, and a value more likely around once every two years), or even a ratio (between  30% and 70%, more likely 45%). Hence, we can use these distributions to model all the  data of the FAIR taxonomy.

Another advantage of predicting uncertainty through distribution is that it is possible to fine-tune the degree of confidence in the most likely value, via the kurtosis coefficient of the curve. The higher it would be, the greater the data will be trusted (corresponding to a very marked peak, see the green curve on graph 2). On the other hand, an unreliable data will be modelled by a much more homogeneous distribution (see the red curve on graph 2).

Graph 2: Reflecting the level of trust through distributions

However, using distributions rather than fixed values is a problem when it comes to combine them, which will necessarily be the case when we will make the computations of the FAIR tree. As we can indeed see on graph 3 (the addition of the green distribution and the red one giving the violet), the addition of two distribution does not allow to obtain a distribution as ‘simple’ as the previous ones (it no longer follows a log-normal distribution). This is also the case in the context of a multiplication (the result of which is also complex).

Graph 3: addition of two distributions.

To obtain a mathematically consistent result, game theory gives us a simple way: The Monte Carlo simulations. It is in fact a matter of dissecting the distributions (the green and the red of the graph 3), in a predefined number of random values (called number of simulations), distributed in such a way as to correspond to the given distribution. We can then combine the distributions thus dissected by performing the calculations on pairs of values of each distribution. The new distribution can then be approximated, and will be all the more precise as the number of simulations will be large.

Hands on toolboxes to automate FAIR…

To make these calculations and obtain a numerical value of risk, solutions have emerged (mainly from the FAIR method). We will therefore address here the pros and cons of these tools, which are also cited in the previous article1.

The OpenFAIR Analysis Tool

The first we can cite hire is the OpenFAIR Analysis Tool[5]. While this tool has a pedagogical purpose, it nevertheless helps to understand how FAIR works. It is thus possible to have a first concrete application of the method, and to obtain simply results (only for the analysis of a single risk). Developed by the University of San José (California) in collaboration with the OpenGroup, this tool relies on an Excel sheet to obtain a risk assessment from a predetermined number of  simulations, scrupulously respecting the FAIR taxonomy.

OpenFAIR Risk Analysis Tool: a tool that is first and foremost educational

Very useful to have a first contact with quantification, this tool remains however very limited in terms of use. Finally, one should note that Excel is needed, and it is only accessible with an evaluation license limited to 90 day.

Riskquant

For a larger scale use, Netflix’s R&D department has developed Riskquant[6] solution. It is a Python programming library, relying more particularly on tensorflow (a specialized python module for massive statistical calculation). Riskquant’s particularity is to propose a quantification of risk inspired by the FAIR taxonomy, but with a great freedom in its approach and its implementation. Developed to facilitate the use on containers, it would allow by its design very fast evaluations from csv files.

Riskquant: an original approach but lacking maturity

However, keeping of FAIR taxonomy only a single loss value and a single frequency makes it not very usable, especially in the context of an organization that would seek to precisely scope its risks. In addition, it provides so far only a few exploitable results and clearly lacks maturity. Finally, it seems to have been dormant since May 1^st, 2020 (the date of the last commit on the GitHub page of the solution).

PyFAIR

To conclude on this paragraph on solutions that can be used for a basic implementation of FAIR, the PyFAIR library is available on the official python repository (downloadable via the pip tool). Now mature, the tool allows a decomposition of risk according to the FAIR taxonomy. It also allows the feed of the FAIR tree with intermediates values, or the aggregation of data that can be used for several risks (e.g. allowing groupings by asset or threats). It is capable of calculating overall and global risks, and provides easily usable distributions (exploitable with other simple python modules), but also gives access to advanced charts and HTML pre-formatted reports.

PyFAIR, a complete and efficient library in Python

Although it remains a programming toolbox, hence requiring an appetence and time to develop and maintain a Python solution, PyFAIR is well-designed. It facilitates the implementation of FAIR by staying very close to the taxonomy, and provides functions facilitating implementation and the exploitation of the results. Suitable to be operated on multiple levels (i.e. using it only to calculate results by influencing the fine settings of FAIR and Monte Carlo, or by exploiting its high-level reporting functions), it makes it possible to envisage a use of quantification technically facilitated and on a large scale.

‘Turnkey’ platforms to make data acquisition easier:

Nevertheless, the main difficulty of FAIR remains, as we have seen before, obtaining the data and their trust level. To deal effectively, the most efficient solution is to rely on a platform that integrates a CTI database.

These platforms provide risk threat statistics (very few company-dependent). They also support in deploying and implementing the quantification method in the organization, which includes a guidance in obtaining the appropriate loss data.

RiskLens

The first of these solutions is the RiskLens[7] platform. This solution, directly derived from the FAIR methodology, was co-founded by Jack Jones. It is used as technical support for the development of the method, linked to the FAIR Institute. Emphasing on a technical approach of the method, it focuses on the respect of the standards of analysis  in general  and the definition of the perimeter (first  step  of FAIR) in particular.

RiskLens, FAIR’s application to the letter

Nevertheless, it should be noted that, on the one hand, this solution requires advanced notions in the FAIR methodology to be easily operable. Indeed, the platform does not provide a consequent help in obtaining data (which, as we have seen, remains the keystone of quantification), on the basis that the definition of the perimeter is enough to define precisely the data, and thus to obtain it easily. On the other hand, it is an American platform, which implies that the interface (quite unintuitive) is only available in that language, and that the data collected is also subject to U.S. regulations.

CITALID

The second platform we will mention here is the French startup CITALID, whose approach is fundamentally different. Indeed, it has been founded by two ANSSI analysts, who wanted to link the CTI to the risk management. Thus, using FAIR as the tool to make this link, it makes its effort on the conception and the maintenance of the database, made of solid figures kept up to date, to closely monitor the local and international cyber geopolitical situation.

CITALID, a high value-added database

The CITALID platform provides real support in the definition and the collection of the FAIR data, thus allowing to identify precisely where is the remaining part of subjectivity undeniably linked to risk. Available in French and English, it facilitates the management of cyber risk by taking into account all the parameters of the organization (location, size, sector of industry, level of maturity, compliance with standards, etc.), to provide data originating from appropriate contexts. Furthermore, and in addition to an interactive explanation of each of the platform’s fields, the startup supports its customers in collecting the needed inner data of their organization.

First step with FAIR…

Anyhow, the difficulty will always be to succeed in the transition from qualitative to quantitative estimation. Even if solutions can facilitate this shift, leaving a controlled qualitative method for a new unassimilated assessment method remains a challenge, despite all the benefits the new method promises.

If three points were to be highlighted to pursue on the quantitative way, they could be:

• First, to make sure the required maturity is reached. Quantification requires a good understanding of the level of security of the concerned IS, and a pre-existing and well-established risk management method. If quantification provides solutions to assess the cost of a risk, provision it or estimate  the  ROI  of a measure, it is however useless  (or even counterproductive) to embark on this path too early (at best it will be a waste of time, at worst it will degrade the existing risk management process).
• Then, to have a gradual approach in the deployment of quantification. In a mature IS with stable risk management, it is preferable to gradually adopt the quantitative method. This allows to gain confidence in the estimates produced (potentially by making it coexist with the elder qualitative estimation method) and to assimilate the methodology, while ensuring its integration into the existing risk management workflow.
• Finally, rely on existing experience in collecting cyber risk data. As the difficulty stays confined in obtaining reliable data, it is crucial (to be confident in the method) to have trusted figures. It then seems appropriate make use of a platform that can provide data of quality, and a support in the collection of our own data. It will furthermore have more experience deploying the methodology to various customers. The quality of the provided results will then be the key element in the confidence that the organization will have in the quantitative method.

[1] https://www.riskinsight-wavestone.com/en/2020/11/quantified-risk-assessment-1-2-a-quantification-odyssey/

[2] https://www.riskinsight-wavestone.com/2020/06/la-quantification-du-risque-cybersecurite/

[3] https://publications.opengroup.org/c13g

[4] https://www.sophos.com/fr-fr/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf

[5] https://blog.opengroup.org/2018/03/29/introducing-the-open-group-open-fair-risk-analysis-tool/

[6] https://netflixtechblog.com/open-sourcing-riskquant-a-library-for-quantifying-risk-6720cc1e4968

[7] https://www.risklens.com/

Cet article Quantified risk estimate (2/2): What data, what tools? est apparu en premier sur RiskInsight.

It is therefore useful at this point to take a look at the existing methods and the theories that could lead us to concrete results. In the big bang of cyber risk quantification, what are the theoretical foundation for the development of a method? Which ones have succeeded, which ones seem mature? Can we expect in the short or medium term, alternatives to the current quantitative assessment methods?

Roadmap: Risk analysis and quantification:  what can we expect of it?

To locate the quantification in the field of risk management, let’s start by clarifying what we are looking for. Within the risk management process, the primary objective is to define an efficient numerical value, illustrating a level of risk (usually a financial cost).

It is therefore, according to the ISO27k standard, only a new risk assessment. Indeed, preceding phases of risk contextualization and identification have no reason to be affected by quantification. The phases of risk treatment, acceptance, supervision or communication, while they will benefit from the results of the quantitative analysis, are unchanged in their workflow. Simply put, it is only question of changing the way each risk is estimated and computed.

This point, rather trivial but crucial, allows us to ensure that, even if they are fundamentally different from the qualitative methods in their results, the quantitative ones will in any case support pre-existing methods. So, we can be reassured that, although it is necessary to use them to have a mature risk management process, it will also be the basis for the quantification (that will thus exploit the pre-existing risk identification phase).

Now that we have framed the contribution of quantification in an organization’s overall risk analysis, let us specify what we would expect (regardless of the possibility of achieving these assertions):

• On the one hand, it is imperative for this method to be more precise in its result, compared to the qualitative method that it has to replace. This means above all that, from the first occurrence and without having previous results records, it must give a precise numerical estimation (which may as far as possible contain several values: maximum risk or probable risk in particular).
• We may also want it to be faster to achieve (or at least to be carried out in an acceptable time), in order to be able to completely replace the qualitative estimate in the long-term. We are here talking about the time it would take to implement the analysis, without worrying a lot about the time it would take for computations (which can now be efficiently delegated, especially via the cloud). In the end, correlating this with the previous point, it is only question of having a better efficiency than the qualitative evaluation.
• Furthermore, we wish the quantitative assessment to be based on concrete data, in order to gain credibility in the results that will be produced. Indeed, since the workflow of a quantitative method is based on mathematical theories, only an incorrect implementation could introduce subjectivity into the values obtained. This last point would justify that in a time equivalent to qualitative analysis, we have finer results.
• Finally, and this stems from the previous point, we need to have a precise taxonomy, for the collected data to be clearly defined (regardless of the kind of risk). Indeed, if the quantitative estimate is based on proven mathematical theories, the quality of the data produced will then depend only on the quality of the data used as input, and in particular on the relevance and the consistency of the data, depending largely on its definition..

At the core of the galaxy: moving from theory to practice

Having specified what are the characteristics of quantification, let us now see what mathematical theories would take into account the hazard associated with a risk.

Consider, for example, the fuzzy sets theory. This mathematical theory is based on the principle that an element, instead of classically belonging or not to a mathematical ensemble, may only partially belong to it, according to a stated degree. This could be useful to highlight the occurrence or the impact of a risk with the degree of belonging of that risk to ensembles. This theory, while interesting, has not led to concrete applications.

Another approach, which could be called correlative, would be based on the use of self-learning neural networks, to determine from CTI data what the level of risk of a company would be, according to its characteristics. This theory has benefited from the current popularity for artificial intelligence. This led to academics’ studies comparing different modes of machine learning (notably BP[2] or RBF)[3], in order to be used in cyber risk analysis. However, to date, it does not appear mature enough to lead to a realistic method.

Finally, the only mathematical solution that has paid off has been the statistical analysis (and game theory, which offers the means to combine statistical distributions, see the “Risk Quantification and Data: Advice and Tools”[4] article about this subject). The principle of statistical analysis is to rely on statistical observations to estimate the level of a risk. The hazard of risk is then, in large part, taken into account by the distribution of the statistics.

Based on these statistics, two approaches are practicable:

• The first is illustrated by a method proposed by the IMF[5]. It proposes to assess a cyber risk by a detailed statistical analysis. However, it is highly computational and inaccessible for regular use or as a part of a quantified risk estimate. However, it retains an undoubted interest in an analysis of a level of cyber risk on several entities that would have similar data, which may be useful for an insurer or in the banking community. However, it remains confined to this use. Reduced to the already limited scope of entities with acceptable cyber maturity, this method does not seem to be able to offer in the short or medium term an exploitable solution for the IS level of an organization.
• The second is to break down any cyber risk based on common characteristics. This is in particular the approach of the FAIR methodology: it proposes in its taxonomy (see ‘how to apply the FAIR method’1) a dissociation of risk according to its occurrence and the estimated impact, from a financial point of view. FAIR then proposes a declination of these two parameters which, because of their universal nature, may therefore be applied to any cyber risk. This type of method has the advantage of proposing an identical process for the analysis of any cyber risk, facilitating its use in an organizational context (that can then compare cyber risks of distinct natures).

The galaxy of quantification

The FAIR method: a supermassive black hole

Currently, only the FAIR method has risen to applicated quantification solutions for a company. Its monopoly in the field is such that it has become an inescapable reference for a solution or methodology to remain credible. Like a black hole, it attracts to it all the current solutions of quantification. We can, for example, illustrate this with the Risquant Library, developed by Netflix’s R&D department[6]. This one clearly announces that it relies on the FAIR methodology. Nevertheless, he takes great freedom in the interpretation of taxonomy and analysis, but the fact of quoting it allows him to be more easily accepted and recognized.

This hegemony of FAIR can be explained quite easily:

• To begin with, it’s a pragmatic method by design. Its inventor, Jack Jones, set it up when he was an RSSI of a large American group, and was asked to justify cyber ROI. It was therefore initiated for operational purposes, then refined and gained credibility by relying on mathematical tools and theories. This concept of development  (i.e.  the fact that the method was born out of a need, and then mathematically justified) makes of FAIR a method particularly appreciated by the first concerned, that are the CISO and the other cyber-risk managers.
• Then, it was particularly visionary, as she preceded all other methods. Appeared in 2001, the first book about the method was published in 2006, detailing its operation and taxonomy. As time went on, a community was made up around Jack Jones and his method: the FAIR Institute. This community continued the maturation and thz diffusion of the method. More precisely, it helped developing the efficiency of the method by placing facilitators to make it ever usable.
• The FAIR method also has a particularly solid basis: in addition to the publication mentioned above and which was the subject of an enriched reissue in 2016, it is based on two  standardization documents, published by the OpenGroup (the consortium behind the architecture standard of SI TOGAF). The OpenGroup also offers certification to the method, based on its two standards, and which add to the interest laying on the method.
• Finally, FAIR is strongly supported (particularly across the Atlantic): the community that drives it is particularly active, and contributes as much to its evolution as to its promotion: the links between the OpenFAIR and the FAIR Institute, both mentioned above, are substantially close. The strength of his ties is ensured by the fact that Jack Jones, father of the method, plays a central role in both organizations.

Thus, in the world of cyber-risk quantification, the only operational solutions to date all rely on the FAIR methodology, with a more or less large but still displayed parentage.

If the maturity of this method seems now acquired, its monopoly in the field of quantification allows with little doubt to envisage, at least for next years, that it will remain the only method of quantification. In order for another method to be equal, and in addition to the fact that it will have to establish its conceptual credibility, it will above all have to make a place for itself  alongside the hegemony of FAIR, while proving that it is more efficient.

[1] https://www.riskinsight-wavestone.com/2020/06/la-quantification-du-risque-cybersecurite/

[2] Back-propagation

[3] Radial basis functions

[4] See the 2nd article on Risk Insight

[5] https://www.imf.org/en/Publications/WP/Issues/2018/06/22/Cyber-Risk-for-the-Financial-Sector-A-Framework-for-Quantitative-Assessment-45924

[6] https://netflixtechblog.com/open-sourcing-riskquant-a-library-for-quantifying-risk-6720cc1e4968

Cet article Quantified Risk Assessment (1/2): A Quantification Odyssey est apparu en premier sur RiskInsight.

Paradoxically, only 35% of organizations consider their third-party cybersecurity management process as effective (according to a study conducted by the Ponemon Institute).

How to define an effective third-party cyber risk management strategy? What are the key success factors?

Adapt your third-party cybersecurity strategy to the risks

From business partners to subcontractors and IT service providers, a lot of your suppliers manage or have access to your assets. Therefore, they represent a risk for your organization and thus it is important to ensure they are committed to respect a cybersecurity level that meets your requirements.

Depending on which business perimeter they operate and which type of service they provide, the level of risk would be more or less critical. Therefore, our recommendation is to classify your suppliers to adapt your cybersecurity strategy according to the risks they imply.

Since your suppliers can be thousands, this classification will also allow you to prioritize and keep an acceptable workload for your teams.

In order to do that, our first piece of advice is to inventory your suppliers. We notice that few organizations have an exhaustive cartography and that its realization is a tedious project that requires the involvement of many stakeholders (purchasing, legal, department, business…). Therefore, we advise you to start by defining a process to capture your new third parties and by identifying your suppliers involved in the critical business activities identified in your BIA (Business Impact Assessment). Afterwards, you will be able to extend progressively to other third parties.

From this cartography, you will be able to assess your supplier’s criticality and classify them on a scale with several levels. We advise you to consider the following criteria:

• The business criticality of the project or the asset the supplier is working on;
• The degree of interconnection to your information system;
• The access to sensitive or confidential data;
• The service exposure on the Internet.

Nevertheless, we can observe in our client’s environment that applying those criteria can be challenging due to the lack of information about some third parties. Then, we suggest organizing workshops with cybersecurity teams, IT teams and business teams to validate your cybersecurity classification by expert knowledge.

Example of a classification scale with 3 levels

Consider cybersecurity throughout the whole lifecycle

The feedbacks from the field show that most organizations assess their third party’s cybersecurity level before contracting and include cybersecurity clauses into their contracts. Nevertheless, cybersecurity is not always taken into account thereafter.

We recommend integrating cybersecurity throughout the whole third-party lifecycle by empowering them and adopting a control position.

Third party management lifecycle

During contractualisation

Before the contract signature, the objective is to ensure that the supplier chosen by your business meets your cybersecurity requirements. To do so, we advise you to integrate cybersecurity at each step of the supplier selection process:

• Include your cybersecurity requirements in your Request For Proposals;
• Assess the maturity level of the suppliers responding to your Request For Proposals;
• Provide a cybersecurity recommendation to your business according to the project sensitivity and the risk implied by the third party,
• Include in the contract cybersecurity requirements adapted to the criticality and the type of service delivered.

 During the contract period

 To ensure your third parties respect their cybersecurity commitments throughout the contract period, we advise to:

• Integrate your third parties into your risk analysis when they operate on the scope of a project. For instance, the methodology allows you to identify all the stakeholders involved in a project and to define an action plan to secure and monitor your ecosystem. The implementation of the security measures must be followed-up with the third-party;
• Organize cybersecurity reviews at a frequency adapted to the risks and thus the level of classification. For instance, the most critical third parties can be reviewed at least annually while the less critical ones can be reviewed at contract renewal;
• Define a process dedicated to cybersecurity incidents involving a third party and create emergency instructions;
• Perform audits only when necessary (for instance following a major cybersecurity incident or after identifying a critical risk…)

At the end of the contract

 A contract renewal is an opportunity to perform a new assessment of the third-party cybersecurity posture and if necessary, update the contractual requirements.

If the contract ends, you must apply your reversibility clauses and ensure that cybersecurity is part of the decommissioning of the service provided.

Industrialize third parties’ assessments thanks to market solutions

We observe that many organizations assess and monitor the cybersecurity level of their third parties with proprietary and non-automated questionnaires that require many external resources. In addition, big-sized suppliers may refuse to complete these questionnaires while smaller ones may not always answer correctly.
Furthermore, we also notice that few organizations have yet adopted a mass assessment approach.

In order to rationalize the approach, we therefore suggest giving-up these historical assessment tools to adopt solutions adapted to the supplier classification level and thus be able to scale up.

For the most critical third parties

We advise you to adopt a co-constructive approach with your most critical suppliers, while adopting a position of control. This translates into the following actions throughout the lifecycle:

• Assess your most critical suppliers based on their cybersecurity certifications and compliance reports on the scope of the service provided;
• Define a contractual Security Assurance Plan to precise the security governance of the service;
• Organize security reviews (at least once a year) to control the security level of your suppliers based on the indicators defined in the Security Assurance Plan (maintaining certifications, security incidents, audits, security roadmap…). These committees are also an opportunity to build a relationship of trust with your suppliers, for example by discussing security news and events as well as the conferences that you could do together.

For third parties with a medium to low criticality

In order to take a massive approach in assessing and reviewing the cybersecurity level of your non-critical third parties, market solutions can be used. Indeed, editors and startups (such as CyberVadis, CyberGRX, Risk Ledger…) are positioned on the industrialization of third party’s cybersecurity assessments. This will be the topic of one of our next articles.

Their solutions are based on maturity questionnaires whose results are shared with all their customers. More concretely, these platforms work as follows:

Third party maturity assessment platforms

Although these solutions are currently not customizable according to your organization’s specific requirements, they will allow you to:

• Get cybersecurity assessments tailored to non-critical third parties;
• Reduce the workload of your cybersecurity teams;
• Share third-party assessments with other customers and therefore be able to quickly access assessments already performed;
• Adopt a win-win approach with your suppliers who will share a single questionnaire with all their customers and will be proposed action plans to remedy any discrepancies;
• Popularize third-party cybersecurity management to your business or purchasing teams thanks to didactic scores on different topics.

Ensure the effectiveness of your third-party cybersecurity management process

From business to IT project managers and including purchasing and legal teams, third-party cybersecurity management involves many players in your organization. It can only be successful if your process is well-known and applied by all. Therefore, it is key to train and raise the awareness of all stakeholders.

To ensure that your process is properly implemented, it is important to define and implement controls covering all stages of the supplier management life cycle. As a first step, we recommend that you define realistic targets by focusing on your most critical third parties. Over time, these targets may evolve to consider your suppliers with lower levels of criticality. Your controls may include the classification of your third parties, their assessment and their review at an appropriate frequency during the contract period.

Integrate third-party cybersecurity management in a “Know Your Supplier” approach

Just as the KYC (Know Your Customer) approach in B2C sectors, we suggest that you include third-party cybersecurity management in a KYS (Know Your Supplier) spirit where the objective is to take all supplier risks into account in a consolidated way.

Cybersecurity assessments and notably maturity assessment platforms can be integrated within supplier management tools (source to contract), as well as financial, CSR, environmental impact, anti-corruption and anti-money laundering assessments. This will ease the integration of cybersecurity into your sourcing and supplier review processes.

See you next episode for an article about market solutions that automate the cybersecurity assessments of your suppliers.

Cet article How to define an effective third-party cyber risk management strategy? est apparu en premier sur RiskInsight.

For the time being less well known and less widespread in Europe than its sisters EBIOS RM & Mehari (among others), the FAIR risk analysis method nevertheless fills the gaps left by other approaches. Already highlighted by Wavestone in a previous article, its main assets lie in the perspective of data usually ignored by traditional risk analysis on the one hand, and on the other hand in its ability to generate metrics dedicated to strategic decision support and adapted to the language of decision-makers, such as Value at Risk.

Nevertheless, as this same article points out, this approach is a priori undermined by time, human resources and the multiplicity of knowledge required to carry it out. Therefore, although the concept is attractive, is it realistic to deploy the FAIR method? How can its nomenclature be translated operationally? What about its automation? More generally, does it provide enough added value to justify its use?

Despite its undeniable effectiveness in quantifying risks, such an approach requires both an appropriate technical system and functional support, which is essential in the collection of data. Quantifying its potential financial losses in the event of a cyber incident is not enough: it is also necessary to have the capacity to put them into perspective in an ecosystem of polymorphous and evolving threats. This is Citalid‘s innovation: to be able to carry out a dynamic quantification of cyber risk for decision-makers, by automatically crossing the reality of the threat that weighs on a company, its business context and its defensive maturity. And, above all, not to stop at analysis alone: to generate an action plan that reflects the optimal balance between efficiency and profitability.

Empiricism as FAIR’s automation framework

Contextualizing the external environment

As in any analysis, the objectivity of the observation increases with the number of parameters considered. If it is frequent, even usual, that the internal context of an information system is studied, it is rarer for the analyst to be interested in all the external dynamics that can influence the analysis. These dynamics, which can take on a variety of realities as we shall see, can however strongly influence the frequency and intensity of cyber threats. However, it is difficult to draw up an exhaustive typology of these data, and taking them into account is almost systematically a mixture of two ingredients:

• Curiosity and the logical mind of the analyst (in fine, his capacity to project himself into / adapt to a context);
• The good visibility of the person(s) responsible for the system and the activities within their perimeters;

Among the exogenous criteria that can influence the risk analysis are: the competitive environment, the company’s position on its market, its geographical locations, geopolitical dynamics, internal policies, the normative framework, the socio-economic climate, the diversity of its activities, etc.

However, it would be easy to get lost in this labyrinth of criteria. It is therefore necessary to support the decision-maker in the creation of a cartography of its environment in the most comprehensive sense of the term. It is therefore through exchange and collective intelligence that a first level of filter is created, by drawing up a perimeter of analysis that is both structured and flexible.

While defining the perimeter of the analysis makes it possible to establish a coherent framework, a multitude of risks can nevertheless be inserted into it. It should also be noted that the defined perimeter can itself be a component of a broader scope of analysis. In this sense, the various perimeters determined can be articulated in the form of a hierarchical tree, often tracing the internal organisation of the company (see diagram below).

Thus, in the example opposite, the group level is represented by the “Energy Company” perimeter, which aggregates the risk of all its “children” perimeters (here its “business units“). However, each perimeter has its own context and risks. This tree structure plays a predominant role in the construction of a relevant library of related risk scenarios. One could easily be tempted to go back up to the group level to globalize its scenarios, but this often de facto deteriorates the granularity, and therefore the quality, of the analysis due to the particularities of each perimeter.

Build a relevant library of scenarios

This framing work therefore conditions the choice and parameterisation of risk scenarios. This parameterisation and the resulting calculation is made complex by the number of criteria to be taken into account and the uncertainty inherent in cyber risk. Without going back over the FAIR methodology already discussed on this blog, it can therefore be long and tedious to build a large number of scenarios of risk while considering the specificities of each perimeter. A solution to this problem therefore lies in the construction of a library of scenarios that can be adapted to each business context and encompass several types of threats. Based on operators’ experience and accumulated data, Citalid now has several libraries of scenarios and losses, listed in ‘Business’ directories. These are easily exportable on the platform, while retaining a degree of flexibility that allows the scenarios indicated to adapt very precisely to the business context. Following on from the use-case used above, the image below illustrates a ‘fictitious’ library of scenarios related to the Energy sector. As this is a ‘Demo’ version, this panel is however not exhaustive.

Citalid‘s library of scenarios is thus part of a double dynamic that at first sight seems contradictory: capable of meeting the requirements of efficiency and automation of the analysis, it remains flexible enough to be implemented with precision and relevance in any context. Each typology of threat, combined with the characteristics of the perimeter analyzed, determines the frequency of occurrence and the financial losses, whether primary or secondary, inherent in the chosen scenario. In the case of an economic espionage scenario, for example, it is safe to say that there will systematically be a loss related to the remediation of the incident, a loss related to the exfiltration of data and a loss resulting from damage to the entity’s reputation if the attack were to become public.

In addition, for the quantitative parameters (frequency of the threat, IS resistance to the attack, frequency and magnitude of losses, targeted assets, etc.) of the scenario to remain relevant, they must be profiled on the characteristics of the target perimeter. Therefore, Citalid’s expertise lies in part in defining and keeping up to date – cyber threats and available abacus evolving rapidly – a library of templates from which the analyst must be able to draw to easily and automatically initiate his risk assessment.

Accumulating data on cyber threats and their impacts therefore makes it possible to calibrate scenario “templates” and thus gradually automate the FAIR analysis. By combining threat intelligence, technical models and abacuses from open source analysis and customer feedback to assist analysts, Citalid‘s award-winning innovation platform leverages collective intelligence to ensure scientific rigor and unparalleled accuracy in quantifying financial losses.

Putting risks in perspective with the defense ecosystem

The CISO as pilot of his IS

In terms of cybersecurity management, the CISO is, unsurprisingly, the focal point of the system. To do this, he must be able to quickly visualize the entire panorama of cyber risks weighing on his IS – a “cockpit” view, in order to then inflect orientations on a larger scale. He therefore needs a GPS to guide him in his decisions: how to take his IS from point A (current risk situation) to point B (desired risk exposure), taking care to optimize his trajectory (cyber investments) while avoiding obstacles (threats) that appear dynamically along the way.

Example of a risk dashboard, illustrating the ISSM’s cockpit vision.

Once the various scenarios have been established and the quantification carried out, the difficulty lies in the possibility of translating these “raw” risks into a strategic roadmap. The first step is to put these risks into perspective by comparing them with the current defensive infrastructure of the IS. Knowledge of its environment is a prerequisite for the CISO’s analysis. All the more so as, in terms of defensive infrastructure, two major options exist and sometimes complement each other: opting for a logic of defensive maturity based on compliance with one or more reference systems (ISO 27k, NIST, CIS, etc.) or carrying out – and then comparing with peers – an inventory and evaluation of all the security solutions deployed on the perimeter.

“A permanent confrontation between theory and experience is a necessary condition for the expression of creativity” [1]. 1] The aphorism could not be more revealing of the method described here: that of the confrontation between theory (raw risks) and experience (evaluation of defensive maturity based on a multitude of feedback and incidents) as a necessary condition for the creation of a roadmap. The confrontation makes it possible to obtain the “net” risk with which the company is really confronted, lower than the gross risk since it considers the defenses of the IS.

Fueled by “actionable” metrics, the decision-maker will now be able to have visibility on his real risk in his own language, and consequently be able to arbitrate and determine its destination – his B point – according to his appetite for risk and the company’s policy. Which scenarios should be dealt with by investing to reduce the associated risk? Which ones should be maintained, given their low economic impact? Which ones to share with a cyber insurer? However, as we will see, the modelling of net risk described in the previous paragraph requires a consequent knowledge of the threat ecosystem in which it is embedded.

Cyber Threat Intelligence, a catalyst for optimal risk management

One of the main shortcomings of risk management in cybersecurity is the difficulty in deploying an approach that reflects the reality of the risk “on the ground”. The CISO or Risk Manager must therefore also have a radar to dynamically detect obstacles in his path (threats) and, as far as possible, anticipate and prevent impediments.

Thus, just as a rock slide on a road is the result of a conjunction of multiple factors (weather conditions, geological characteristics, human activity, etc.), an attacker’s action depends on many elements. These elements should, as far as possible, be observed and included in the risk analysis. Consequently, Cyber Threat Intelligence (CTI), a discipline dedicated to the study and contextualization of attackers’ operating modes, enriches and energizes traditional risk analyses. The mastery and inclusion of this discipline in cyber risk management is one of Citalid’s major differentiators and permeates its entire corporate culture.

How can CTI data be operationally and sustainably combined with the risk calculations announced in the previous paragraph? We can get an intuition of this by noting the following three facts:

• The company’s market segment helps to determine the operating methods most likely to be of interest to the company;
• The attack techniques used by these operating methods and their centers of interest within the targeted information systems make it possible to identify the most critical assets and to know how to improve their protection;
• By comparing again the CTI data defined in the two previous points with its defensive infrastructure, the entity can identify which scope (in the sense of a security repository) or which defense solution is not cost-effective enough (reduction of the risk in relation to the cost).

The diagram above represents a concrete example of the application of CTI to risk analysis, acting as a real catalyst for drawing up guidelines. A modus operandi is technically expressed through its “Kill Chain”, i.e. the sequence of attack techniques it uses to achieve its objective. Citalid has mapped the links between these TTPs (Tactics-Techniques-Procedures) and specific points of different security reference systems (here the CIS20), the latter being the defensive measures best adapted to the TTPs defined in the diagram. On the first line, for example, the CIS 16.3 measure (among others) is sufficiently deployed at the target entity to limit the impact of the TTPs indicated at this stage of the Kill Chain. On the second line, on the other hand, the opposite occurs: the CIS 11.1 measure is not mature enough to provide effective protection against the sophistication of the attacker.  It is therefore on this line that the defender potentially needs to concentrate.

The last line crystallizes the interests of the enrichment of the analysis by the CTI. The yellow square determines the maturity progression due to the implementation of security solutions relevant to the CIS 11.1 measure (e.g. a network device management system), which are automatically determined and recommended to the user in the case of the Citalid calculation engine. In other words, this differential indirectly expresses a path towards optimal maturity and resilience for this specific scenario, the starting point for the definition of a tailor-made cyber investment strategy.

Turning analysis into strategy

Formulate a cyber strategy aligned with group objectives

A successful and relevant risk analysis is characterized by the ease with which the observer can immediately visualize how to translate data into action. It must therefore be intelligible and coherent for the recipient, whatever his or her technical level and position in the organization chart. In other words, risk analysis alone is insufficient: it can only be truly useful if it gives rise to a long-term strategy.

This vision, strongly oriented towards the most strategic levels, marks the very DNA of Citalid. Behind the calculation of the risks (raw and real) and the most effective recommendations (referential as solutions) thanks to CTI, the objective is to be able to propose an indicator of the return on investment (ROI) of the security solutions. By visualizing his initial position (A), his desired position (B) and the different possible paths (defense investments), the final decision-maker must be able to compare the ROI of the different options and draw up a cyber investment strategy in line with his budget and real objectives.

Moreover, the objective behind this singular approach is twofold. Firstly, it is a question of accompanying our clients in the definition of their cyber security strategies and in the application of a co-constructed action plan, aimed at compensating for the flaws made visible by the analysis. However, in order to keep this strategy realistic, it is essential to ensure that it can be part of a global dynamic and therefore quickly assimilated by a higher hierarchical body (COMEX). To meet this need, Citalid has refined its service so that it is in line with the realities of the CISO:

• By adapting the platform in terms of ergonomics, level of technicality and language, so that the dashboards are transparent and easy to interpret;
• By assisting our clients in defining budgets and in their legitimization and justification (advocacy) in view of the reality of the threat.

By aligning cybersecurity strategies with broader investment strategies, in line with the objectives set by the group, Citalid intends to guarantee and reinforce the predominant role of the CISO in steering cyber resilience.

Capitalizing on the approach through the deployment of a risk index

The major advantage in choosing to take a global approach to security lies in its potential for aggregating risk at any level (group, business unit, application, project, etc.) and for standardization (comparison between perimeters and peers). Like rating agencies, this “scoring” of the entity, which takes into account not only its level of maturity on its exposed assets but also its risk management strategy, internal organization, the reality of the threat, its own business context, etc., can be transformed into a global risk index, symbol of the entity’s resilience and monitored by its management. This is truer since a scientific approach based on many heterogeneous parameters presents a desirable objectivity, for the entity as well as for its partners and collaborators.

This time, it is no longer just a question of positioning oneself in one’s environment, but of positioning oneself in relation to possible peers (comparison) and partners (guarantees). A risk index reflecting high resilience and sound risk management will ensure that its suppliers or end customers have optimal security and respect for their data, while reassuring investors that their funds are being used correctly.

Examples of risk indices produced by Citalid: in this case, a ‘Cyber Weather’ that identifies variations in a client’s media exposure.

Other players could also benefit from such an index: the insurance industry, and cyber-insurers. The quantification of cyber risk remains an obstacle for them, as traditional actuarial approaches are limited by the lack of historical cyber security data. Citalid’s model, presented here, combines threat expertise, advanced probabilistic models and innovative attack-defense simulations to overcome this lack of data. Our scoring and metrics, based on risks rather than on a simple level of defense, allow us to refine the insurance model to be as close as possible to the real needs of our clients.

Thus, quantifying cyber risk and the return on investment of security solutions is one of the biggest challenges facing today’s CISOs, Risk Managers and insurers. Through its innovative approach, Citalid responds to this need to reposition cyber security at the heart of corporate strategies and to optimize its action plans and investments.

^[1] Attributed to Pierre Joliot-Curie

Cet article Citalid | Shake Up – Cyber Threat Intelligence for optimizing cyber budgets est apparu en premier sur RiskInsight.

Lately, strong attention is being paid to risk quantification, and rightly so. However, it remains a very complex topic. There are two obvious reasons for this: we are sorely lacking in precise information and feedback; but also because cyberattacks generate many intangible impacts (reputation, internal disorganization, strategic damage, shutdown of operations); or indirect costs (drop in sales, contractual penalties, drop in the company’s market value, etc.).

We can see promising avenues for quantifying risk, and solutions able to automate this quantification are been released.

Why cyber risk should be quantified?

Whether it is for communicating with senior management, business units, or even insurers, there is a real need to assess cyber risks as objectively as possible. The challenge is twofold: to gain relevance and legitimacy. One way forward is to treat cyber risk through a financial prism, like all other business risks, to make them meaningful to decision-makers.

One of the real challenges in quantifying cyber risks lies in building trust with executive committees over the long term. The first step is to adopt a clear posture to convince them and secure the investments needed to launch structuring security programs. Then, it should help proving the effectiveness of the investments made, and thus sustain the relationship with the executive committees over time, through the demonstration of the risk reduction in a quantified way and the evolution of risk over several years. This is key, particularly in the wake of the COVID crisis, as it will lead to a reduction and optimization of cyber security budgets within companies. It will therefore be essential to quantify the cyber risk for a stronger control on the ROI of cyber security investments.

The process of securing a company’s information system cannot be carried out without the implementation of Security by Design. Hence, it cannot be carried out without involving the business units. Speaking the same language is therefore necessary.

Finally, in order not to find themselves at the foot of the wall in the event of an attack, it is essential for companies to anticipate the potential costs of an attack in order to adapt provisions and insurance. This quantification allows them to do this.

What are the main difficulties encountered?

Given their intangible nature, it seems complex to objectively assess the impacts of cyberattacks. This is the case, for example, of the impact on a company’s image and reputation, or strategic damage and internal disorganization. Other risks are indeed tangible but indirect, which further complicates the task of companies that wish to quantify their risks, for example a loss of market share, a drop in the company’s market value, etc.

There is no universal formula for calculating the impact of an attack on a company. It depends on several parameters: the size of the company, the level of complexity and openness of the information system, the cyber maturity, etc. A company’s level of exposure depends essentially on its level of cyber security maturity. There are frameworks such as NIST, ISO, CIS, etc. for estimating the level of maturity in cyber security, but few companies manage to implement them or use them at their full extent.

Companies willing to quantify their cyber risks are faced with a lack of statistical databases on the cost of cyberattacks. Of course, most companies communicate little or nothing about it, probably to avoid scaring their customers and partners. And yet, collaboration would be key in the face of increasingly clever attackers: both to increase their cyber-resilience and to facilitate risk quantification. For example, Altran and Norsk Hydro have been affected by similar ransomwares from the same group of attackers!

Some first clues for quantifying cyber risk

IMF President Christine Lagarde has already taken up the issue and published a bill and a methodology for quantifying cyber risks in the banking sector, used within the IMF. So how can we extend quantification to other sectors?

Prerequisites for optimal risk quantification

The FAIR methodology is one of the most widely used to quantify risks. Effective risk quantification induces:

• A good knowledge of its most critical risks. Indeed, given the complexity of FAIR, it is better not to spread out and focus on the most important risk scenarios. You still have to know them! A risk mapping exercise is to be expected, in which the mobilization of the business units will be needed;
• A good understanding of existing security measures to ensure their ability to resist attacks and to estimate the residual impacts;
• A first draft of a repository of typical costs (legal fees, communications fees, etc.), which will be completed over time, and which requires business expertise to identify and estimate costs.

Also, estimating the cost of risk, due to its cross-functional nature, calls for the collaboration of many stakeholders in the company (HR, legal, etc.), which can be complex to set up.

The FAIR methodology, an approach that specifies certain phases of risk analysis and treatment

Introduction to the FAIR (Factor Analysis of Information Risk) methodology

In 2001, Jack Jones was the CISO for Nationwide Insurance. He was confronted with persistent questions from his senior management asking for figures on the risks to which the company was exposed. Faced with the dissatisfaction caused by the vagueness of his answers, Jack Jones set up a methodology to estimate, in a quantified way, the risks weighing on his business: the FAIR methodology.

Concretely, how does this differ from a risk analysis methodology, such as EBIOS in France?

The FAIR methodology is not a substitute for risk analysis: FAIR is a methodology for assessing the impacts and probabilities of a risk more reliably. The impacts are always translated into financial terms in order to make the evaluation tangible. The contributions made are illustrated in the diagram below.

Diagram 1: FAIR, an approach that specifies certain phases of risk analysis and treatment

Usually, cyber risk assessment results in several types of impact (image, financial, operational, legal, etc.). The particularity of the FAIR methodology is to transpose each impact to a financial cost (direct, indirect, tangible and intangible costs). For example, if a risk scenario has an impact on the company’s image, FAIR translates this risk into a financial risk by evaluating the cost of the communication agency that will be mobilized to improve the company’s image. If a company’s CEO is mobilized as part of crisis management, then it will be necessary to estimate the time spent managing this crisis and monetize it.

How to apply the FAIR methodology?

A risk quantified in euros is the factor of the frequency of successful attack (loss event frequency) and the cost of the successful attack (loss magnitude). The diagram below shows the approach used by the FAIR methodology to estimate these two characteristics.

Diagram 2: the criteria taken into account by the FAIR methodology to estimate risks

• « Loss Event Frequency » computation

The “contact frequency” represents the frequency at which the threat agent meets the asset to be protected. For example, it may be the frequency at which a natural disaster occurs at a given location.

The “probability of action” is the likelihood that the threat will maliciously act on the system once contact is made. This applies only when the threat agent is a living being (does not apply in the case of a tornado, for example). This is deducted from the gain, effort and cost of the attack and the risks.

The “threat event frequency” is derived from these two parameters.

The “threat capability” consists of estimating the capabilities of the threat agent both in terms of skills (experience and knowledge) and resources (time and materials).

The “resistance strength” is the company’s ability to withstand this attack scenario. The resistance threat is calculated based on the level of cyber maturity of the entity, for example with a gap analysis at NIST.

From these two parameters come the “vulnerability” and the “loss event frequency”.

• « Loss Magnitude » computation

“Primary losses” are the cost of direct losses. This includes: interruption of operations, salaries paid to employees while operations are interrupted, cost of mobilizing service providers to mitigate the attack (restoring systems, conducting investigations), etc.

“Secondary losses” are indirect losses, resulting from the reactions of other people affected, and are more difficult to estimate. For example, secondary loss can cover the loss of market share caused by the deterioration of the company’s image, the costs of notifying an attack through a communication agency, the payment of a fine to a regulator or even legal fees, etc. This is calculated by multiplying the “secondary loss event frequency” and the “secondary loss magnitude” for each of the indirect costs.

A solution that accompanies companies in the implementation of this methodology

Beyond the theoretical description of the methodology, solutions are being developed to enable companies to apply the methodology in a concrete way. This is the case of the French start-up Citalid, for example, which offers a platform for quantifying cyber risks based on the FAIR methodology. This enables the CISO to refine and make the quantification of risks consistent thanks to threat intelligence (for monitoring attackers over time). To use the solution, the company must fill in elements relating to its context and, for each of the risk scenarios to be quantified, complete a NIST questionnaire (50 questions for the most basic or 250 for a finer level of granularity) and the rest is calculated automatically.

What are the advantages and limitations of the FAIR methodology?

The FAIR methodology mainly provides the following elements:

• It allows the company to identify and evaluate more precisely the most important risks. For each of the selected risk scenarios, the methodology allows an estimate of average and maximum financial losses and an estimated frequency. For example: “the probability of losing 150 million euros due to the propagation of a destructive NotPetya type ransomware exploiting a 0-day Windows flaw is 20%”.
• It allows to estimate the cost-benefit of the risk reduction action plan. By playing with “resistence strength”, it is possible to estimate the return on investment (ROI) of the security measures to be put in place.
• It transposes all cyber risks into a financial risk which allows a better understanding of the risk by the company’s managers.

However, the FAIR application is not without constraints because it requires resources that are sometimes significant (both in terms of man-days and knowledge of the company’s context). Moreover, risk quantification only covers a limited scope (1 risk scenario). Also, risk quantification using the FAIR methodology needs to be refined with standard cost charts associated with a cyber impact. This can be done, for example, by capitalizing on post-mortem analyses of a cyber crisis, which can often provide a real illustration of the financial impacts.

Thus, the FAIR methodology is a promising approach that still needs to be fully understood and adapted to companies’ context in order to derive concrete benefits.

Cet article Cyber risk quantification : understanding the FAIR methodology est apparu en premier sur RiskInsight.

Testing is an important part of operational resilience and can take many shapes and forms, from disaster recovery testing for ensuring service continuity to end-to-end crisis simulations examining decision-making. It enables to proactively manage risk, embed crisis management framework, and allows to continuously improve capabilities such as business continuity (BC), crisis management (CM), disaster recovery (DR), and cyber resilience (CR). Needless to say, training plays an important role in such a testing programme.

“Better awareness nurtures an organisational culture that embraces operational resilience and, as a result, improves the company’s preparedness to deal with adversity.”

From firm to firm, good testing programmes vary in nature, scale and complexity. Depending on how a firm is structured and what it does, testing is addressed at different organisational levels and locations, with involvement of external parties (i.e. critical suppliers). In reality, given little guidance from the regulators on what ‘good’ looks like, programmes are often fragmented and can cause a real headache.

Principles for creating a successful testing programme

2. Start with threats

Every test needs to link to threat(s) resulting in one or several plausible major incident scenarios (and impacts). Anticipate and understand new threats through market watch and leverage audit reports and risk assessments when building or reviewing your programme.

 

3. Focus on Important Business Services (IBS)

Align testing of existing contingency arrangements to important business services and key processes. This ensures preparedness when a situation of high business impact occurs and avoids challenges arising from lack of end-to-end vision.

4. Diversify testing

The most likely and most impactful scenarios should be examined with different stakeholder groups through different types of testing. This ensures that the theory works in practice and different reflexes are embedded in the organisation’s DNA.

To achieve more benefits, go beyond standalone contingency plans and comms tooling testing and examine a combination of them with internal and external, business and technical stakeholders.

 

The radar above is an indicative example of what a good testing programme would consist of. The threat categories considered are random and could be selected differently as long as diversification is maintained (mix-and-match).

 

Crisis simulation

Crisis simulations examine a hypothetical disaster situation with defined parties and multi-cells of stimulus. They allow to rehearse the establishment and communication of recovery requirements and carry out relevant activities effectively. Crisis simulation can be a tabletop exercise (level 1), a hands-on simulation (level 2), a multi-cell hands-on crisis simulation (level 3) or an international hands-on multi-cell multi-party simulation (level 4).

Work area recovery testing

Work area recovery testing checks whether full end-to-end business processes can be run offsite, ensuring that all elements of a process can be completed during a test and not just the technical aspects. They can involve a team (level 2) or a number of geographically dispersed teams (level 3) working from recovery sites or home. Both third parties (i.e. outsourced teams) and internal teams should be considered.

IT disaster recovery plan and cyber range testing

IT DRP and Cyber range testing practically examines each step in a specific disaster recovery plan or tests cyber forensics capabilities. This ensures the possibility to recover data, restore critical IT system after an interruption of its services, critical IT failure or complete disruption due to cyber attacks or IT disruptions. This testing can happen as a standalone (level 2) or as part of a crisis simulation (level 3-4).

Business recovery plan walkthroughs

Business Recovery Plan walkthroughs for group/business divisions/business units are undertaken following a major revision of a plan or team and are designed to increase the understanding of the recovery processes, roles and responsibilities, and question the suitability and completeness of the plan. Normally this would be carried out as a review-and-challenge session with the plan owner and a BC expert (level 1) or to test the efficiency of the specific measures and planned workarounds (level 2).

Communication cascade tests

Communication cascade tests establish whether contact details are accurate, determine whether cascade roles and responsibilities are understood by staff, and establish whether or not the documented procedures are robust. They can be completed in one of three ways – either a standalone live test (e.g. text cascade; level 2), as part of a crisis simulation exercise (level 2-4), or an audit involving review of plans and interview of staff with key responsibilities (level 1).

5. Stay current

Review your testing programme at least once a year in order to adapt to the changing threats landscape and ultimately ensure operational resilience. Make sure your crisis management framework and contingency plans are regularly improved based on the testing outcomes and changes in the business.

6. Engage and drive

Involve different parties in shaping and running your testing programme (e.g. cyber, risk, Ops, DPO, legal, business resilience champions, etc.). Use MI to share progress and alignment with the 3-year operational resilience vision.

 

What next: how do you structure your testing programme?

While it is not possible to prescribe a testing programme without better understanding the organisation of interest and deep-diving into the specifics of a threat landscape, it is clear that investing time and resources is worthwhile from operational resilience and regulatory standpoints.

“Having recently gone through a pandemic, it is a high time to keep the momentum and continue fostering the right culture and correct reflexes for the next major crisis.”

A few concluding tips

• Make it realistic: Where maturity allows, aim for more complex and realistic tests as they are essential to effectively respond to real events and increase end-to-end resilience. This means engaging more internal and external parties in the ‘live’ exercises.
• Leverage internal and market crises: Continuously monitor events happening on the market (major incidents and crises) as well as your internal major incidents to feed your testing program, prioritise your threats and devise your scenarios making it more tangible for your stakeholders.
• Engage early: Share the vision for testing with key stakeholder groups so they understand the journey on which you want to bring the organisation. This will enhance collaboration and, therefore, outcomes.
• Facilitate remotely: Remote working arrangements should not put your whole testing programme on hold – use collaborative solutions or leverage tools from the market for carrying out the exercises. This is especially relevant for cyber range testing and follow-the-sun testing. Experience shows that digital workplace solutions introduce a more democratic participation and is an excellent way to record interactions.
• Continuously improve: Reflect on tests by producing post-test reports and defining an action plan to drive and track improvements. Involve key stakeholders throughout so they understand the gravitas of the outcomes and help with driving positive changes.

Cet article Test, test and increase your Resilience: how to build your testing programme est apparu en premier sur RiskInsight.

20 years later… the situation is totally different and security has taken on a whole new dimension in companies. The figures speak for themselves: in France, there is an average of 1 security FTE per 500 to 3,000 employees, with an average of around 1 per 1,000. Some financial players can even reach record ratios of 1 per 200 by integrating the different lines of defence. I’ll let you do the math: this quickly represents several hundred, even thousands of employees! ISSM are therefore now in charge of a plethoric and highly diversified workforce. The historical experts have been joined in recent years by loads of Project Managers, PMO, COO, Program Managers, and even sometimes by specialized buyers and HR, who are gradually learning to work together. Like a sports coach, the CISO now has to deal with such a workforce and find the right organization, the right game system to get results.

NO REVOLUTION, THE FUNCTIONAL SECTOR REMAINS THE NORM

The reasons for reorganizing are always broadly the same: lack of control, a feeling of inefficiency, diffuse responsibilities… and the work involved in reorganizing can seem colossal. This leads some CISO to very quickly consider disruptive solutions, and in particular the idea of grouping all security resources into a single, hierarchical team. Let’s not waste time and let’s be very clear: in 95% of cases, this solution is not chosen. Such a move simply presents too many risks of excluding the security function, which is difficult to reconcile with the need for business proximity for certain activities: support for business projects, raising awareness among specific populations, budget negotiations, etc. The functional channel remains the norm: a central team and relays (local CISO, security correspondents, etc.) spread throughout the organization. However, some industrial players have recently moved towards centralisation, but the move is more motivated by a desire to bring together cybersecurity resources with the security team, which is particularly mature in this sector.

The attachment of the CISO also remains an element of debate, which has been widely relayed and commented on for years. CIO, Risk Management, Financial Management, CEO… it sometimes seems as if it’s a race to see who will be the highest in the hierarchy! But contrary to popular belief, there is not necessarily a trend in the field towards the exit of the IT department. Quite the contrary: 3 out of 4 CISO report to the CIO in large companies and most reorganizations lead to such an affiliation. The reason is simple: it is often an excellent place to be in action, to make progress on issues and to obtain a budget! Warning: for those who decide to be attached to a different department, remember that 80% of a cybersecurity budget falls within the scope of the IT department. It is therefore essential to nurture a quality relationship between the CISO and the CIO. I have witnessed a few power struggles in recent years, and it is rarely the CISO who wins

That’s it… we’ve got the basic principles: a functional network, often attached to the CIO, with CISO in the company’s main areas of activity. The task now is to distribute all the cybersecurity activities within this organization, and there are many of them: policies, studies, awareness-raising, the Cybersecurity Program, project support, audits, SOC, CERT, etc.

BREAKING DOWN SILOS AND SEEKING OPERATIONAL EFFICIENCY

As a service provider, I can testify to this: it is quite common to be solicited several times for the same study within a Key Account, in several different entities. This is quite understandable: in a pipeline model, each entity/country has a safety team, and without clearly established rules of the game, local management often has the reflex to reinforce its team at the slightest need (specific study, audit results, etc.). This is the whole trap of a sector: it has many advantages but creates complexity and redundancies. And believe me, when the Group CISO finds himself explaining to top management why the company has 3 SOC and 4 incident response units… it’s rarely the best meeting of the day ;-).

In order to avoid such situations, the trend is towards the pooling of expertise and the creation of central cybersecurity service offerings. In very concrete terms, this means that many organizations are pooling 1. cybersecurity expertise (studies, innovation, awareness-raising, etc.) 2. Detection and response (SOC, CERT, crisis exercises, Threat Intel, etc.) 3. Audits and controls (slopes, redteam, code analysis, etc.) 4. Project management and PMO (reporting, PMO, communication…). Add a governance and strategy entity, and you are not far from getting the organization chart of many Group CISO! Note that there are alternatives: some organisations opt for a distributed model, consisting of distributing services across entities (for example: the USA is now in charge of the intrusion test service for the entire company), and very large companies often opt for the creation of intermediate Hubs (by region, by business line…) delivering these services. Regardless of the organisation chosen, this consolidation movement is underway: it is estimated that around 40% of the sector’s employees work on activities with a cross-functional scope… and the increase has been exponential in recent years.

This move towards centralisation frees up local teams (CISO or business/country/entity correspondents) who can thus consume services and refocus on activities requiring close proximity to their businesses: risk assessment, integration of security in projects, security revenues, etc. In the security sectors, this is where we still find the bulk of the workforce (easily 30 to 40%)… but this situation is very probably temporary! The widespread use of agile technology has a direct impact on these teams, who find themselves changing jobs from one day to the next because they are projected into the Feature Teams to train, coach and equip “Security Champions” who are gradually gaining in autonomy. Result: local CISO are also industrializing and organizing their teams into service centers for these Feature Teams (development standards, code review, analysis methods…) Follow my eye: the spectre of a single, centralized security team is likely to resurface quite quickly in the debates… and it is the agile transformation that accelerates the process!

IT IS NOW POSSIBLE TO MAKE A CAREER IN A SAFETY FIELD

We have widely commented on this: some security channels have gone from a few dozen people to several hundred or even thousands in the space of a few years. Of course, this requires a bit of organisation… but it is also a great opportunity for all the employees in the sector! Project management, team management, expertise, communication… very few sectors offer such diversity, and the situation is ideal for attracting and retaining talent. I can only recommend that you take advantage of a cyber-security reorganization to highlight this wealth and work on skills management: salary alignment, re/up-skilling, training/certification plans, individual responsibilities, mobility processes… there are many topics to be addressed to boost well-being and enable employees to build a full and rewarding career within the industry!

Cet article Organize or reorganize the security sector of a large company – Feedback est apparu en premier sur RiskInsight.

Dans un précédent article, on vous racontait tout sur la nouvelle directive européenne NIS et le choix de la Belgique de se baser sur la norme ISO 27001 pour accroître la sécurité des Opérateurs de Services Essentiels (OSE) avec tout ce que ça entraînait pour les organisations nouvellement désignées.

Qui dit directive européenne ne dit pas règlement européen : il revient donc à chaque pays membre de transposer les exigences de la directive NIS dans son droit national. La Belgique a fait le choix d’un standard existant (la norme ISO 27001) alors que certains de ses voisins, dont la France, ont choisi une approche basée sur la définition d’un référentiel d’exigences précis mêlant à la fois des mesures techniques et de gouvernance (SI d’administration, cloisonnement, démarche d’homologation, etc.).

Intéressons-nous aujourd’hui à ce que ça implique pour les OSE belges, et plus largement pour toutes les organisations attirées par les normes internationales, de suivre les exigences de la norme ISO 27001.

La norme ISO 27001, adulée par certains et critiquée par d’autres

Des voix se lèvent contre la référence du milieu, fustigeant notamment son aspect bureaucratique et sa paperasserie qui, pourtant, peuvent aider à mettre en place un référentiel utile à la continuité des services et la formation des personnes via le partage des pratiques – surtout lorsqu’il est pensé avec pragmatisme. Les critiques vont également bon train sur le niveau de complexité ajouté, encore plus présent pour les plus petites structures. Là encore, la règle est au pragmatisme et les mesures doivent être adaptées à la taille de l’organisation et s’intégrer à l’existant pour éviter les structures ex nihilo trop lourdes à gérer.

Enfin, certains aprioris ont la vie dure et réduisent souvent une conformité ISO 27001 à une liste de cases à cocher, dépourvues d’implications réelles sur la sécurité de l’organisation. Mais la fameuse déclaration d’applicabilité (DdA), exigée par la norme ISO 27001 à tous ceux qui visent une certification, ne revient pas uniquement à lister tous les contrôles de la norme ISO 27002. Elle demande une véritable évaluation au regard des enjeux et des risques. De quoi apporter des éléments concrets pour la sécurité de l’organisation.

ISO 27001, ISO 27002, il y en a beaucoup comme ça ?

Dans la famille des ISO, beaucoup, vraiment beaucoup. En revanche pour la cybersécurité, ce sont bien ces deux-là qui sont les plus utilisées, avec l’ISO 27005 pour la gestion des risques (si c’est la protection des données qui vous intéresse, lisez aussi notre article sur la nouvelle venue ISO 27701).

La norme ISO 27001 apporte un cadre à la cybersécurité et vise à mettre en place un SMSI (Système de Management de la Sécurité de l’Information). Pour aider les organisations dans cette direction, elle est accompagnée de la norme ISO 27002 qui détaille les bonnes pratiques sécurité présentées dans l’annexe A de l’ISO 27001. La certification (le graal des OSE belges) porte sur la norme ISO 27001 mais les deux normes fonctionnent bien de pair.

La certification s’obtient sur un périmètre délimité d’un point de vue métier et IT sur lequel les principaux risques sont identifiés. Cette évaluation par les risques, mêlée à la prise en compte du contexte de l’organisation, aide à sélectionner les bonnes pratiques ISO 27002 pertinentes pour formaliser la Déclaration d’Applicabilité (DdA) et à exclure les contrôles qui ne sont pas applicables (attention à bien justifier ces exclusions : elles seront analysées par l’organisme de certification). Si on peut retirer des pratiques moins utiles, on peut aussi en rajouter d’autres : l’organisation peut ainsi compléter la liste existante des 114 mesures de sécurité au regard de ses risques. La norme ISO 27002 n’adresse pas l’exhaustivité des mesures de sécurité possibles. C’est là qu’une expertise cybersécurité prend tout son sens.

5 conseils pour trouver le bon équilibre et réussir sa mise en conformité ISO 27001

Bien entendu, vu dans son ensemble, un programme de mise en conformité à la norme ISO 27001 peut rapidement donner le vertige… Voici 5 réflexes à avoir en tête pour faciliter le lancement d’un SMSI et le maintien de ses performances dans le temps :

1. Identifier un sponsor investi au service de l’objectif de sécurisation. Comme pour le cinéma, il n’y a pas de film sans réalisateur, et pas de réalisateur sans le soutien du producteur. Le match parfait doit avoir pleine conscience de la valeur ajoutée de la mise en conformité à la norme ISO 27001 pour améliorer le niveau de sécurité, au-delà de la pure conformité au cadre légal. Il doit utiliser les cadres normatifs au profit d’un meilleur niveau de sécurité et doit donc voir ce projet comme un chantier de sécurisation plutôt qu’un chantier de conformité.

Implémenter un SMSI pérenne demande des ressources et moyens humains, organisationnels, physiques et financiers. Le pilotage du projet de mise en conformité ne fonctionnera que s’il est soutenu par un responsable qui a le pouvoir d’allouer les ressources et les moyens nécessaires pour piloter les risques et assurer un niveau de sécurité acceptable au regard des enjeux métier. Le respect de la directive NIS, à l’échelle européenne ou à l’échelle belge via une mise en conformité à la norme ISO 27001, constitue avant tout un moyen d’augmenter le niveau de sécurité et non une fin en soi.

2. Piloter par les risques. C’est la base de la sécurité ; le concept clé à toujours garder en tête. Ce pilotage permet d’identifier les risques du périmètre et de s’assurer que les enjeux métier sont bien pris en compte. La gestion des risques ne s’arrête pas à leur identification et au traitement initial. Elle demande la mobilisation des équipes et des activités pour traiter les risques existants et suivre l’évolution des risques (existants et nouveaux qui apparaissent) et leurs traitements, via une mise à jour périodique et lors d’évènements majeurs sur le périmètre.

Par la mise en place de cette démarche globale des risques, l’organisation s’assure une vision transverse des risques qui permet de focaliser les efforts des mesures de sécurité là où il y a le plus d’enjeux. Cette validation et cet arbitrage doivent se faire en concertation avec les propriétaires des risques (métier ou IT) qui portent la responsabilité du risque sur leurs périmètres et doivent se positionner sur les traitements possibles (acceptation, réduction, transfert ou évitement). Un pilotage affiné et resserré des risques permet ainsi de prendre de véritables décisions éclairées, par des acteurs parfois éloignés de la sécurité.

3. Constituer un référentiel documentaire pragmatique. Cette étape aide à définir et documenter les pratiques et ainsi favoriser la continuité des opérations, leur contrôle et leur amélioration continue. Cette documentation doit être le reflet de la réalité tout en assurant la cohérence avec les exigences de la norme ISO 27001 pour aider à définir les pratiques à mettre en œuvre et les gérer au quotidien (implémentation et mises à jour au gré des évolutions, etc.).

Les maîtres-mots lors de la constitution de ce référentiel sont pragmatisme et utilité : il doit s’intégrer à l’existant en complétant les procédures existantes et en en créant de nouvelles qui manquaient ; il ne doit pas compliquer inutilement la situation mais se baser sur une interprétation pertinente de la norme ; il doit être utile aux équipes qui assurent les activités pour permettre le maintien des opérations. Evitez donc les copier-coller des exigences des normes. Ils créent un référentiel inutile aux équipes terrain et attiseront la curiosité de vos auditeurs qui douteront alors de l’effectivité des mesures…

4. Évaluer régulièrement les performances. Tout système de management qui se respecte nécessite une boucle de contrôle pour évaluer ses performances et, dans le cas du SMSI, ses non-conformités à la norme ISO 27001 et au référentiel en place dans l’organisation (synthétisé dans la DdA). L’identification de ces non-conformités doit permettre de remonter jusqu’à leur source et d’initier la réflexion sur la meilleure manière de les gérer. La réflexion à mener doit porter sur la manière dont la non-conformité va être résolue pour assurer l’augmentation du niveau de sécurité tout en s’assurant que les mesures correspondent aux exigences de la norme et sont adaptées au contexte, aux risques et aux enjeux de l’organisation.

Les différents niveaux de contrôles (auto-contrôles par les équipes, audits internes/externes, revues de direction) doivent tous garder l’objectif d’amélioration du niveau de sécurité en tête en utilisant de manière pragmatique les exigences de la norme et le référentiel de l’entreprise, et au besoin faire évoluer ce dernier au regard de la réalité pratique de l’organisation. Il s’agit de trouver le bon équilibre entre le contexte de l’organisation et la gestion des risques identifiés. Si vos enjeux portent essentiellement sur la disponibilité d’une activité, focalisez vos efforts (mesures et contrôles) sur cet enjeu en priorité. Pour être pertinent, ce cycle d’évaluation doit distribuer les efforts sur les périmètres les plus pertinents pour l’organisation (selon ses risques et enjeux) et alimenter les prochaines étapes du cylce de vie du SMSI.

5. Engager les équipes. Un projet de mise en place d’un SMSI n’est pas uniquement l’apanage du RSSI ou d’une équipe de documentalistes. Il s’agit avant tout d’un projet d’envergure qui demande un large éventail d’expertises allant de la cybersécurité au business en passant par l’IT, le juridique, les achats, les ressources humaines, etc. C’est une véritable conduite du changement qui est à organiser avec l’implication pleine et complète des différentes équipes et du management de l’organisation pour assurer un SMSI qui sert l’amélioration durable du niveau de sécurité pour l’ensemble du périmètre.

La certification ISO 27001, oui mais pragmatique !

La véritable force de la certification ISO 27001 est avant tout d’enclencher une dynamique de sécurité dans l’organisation. La documentation peut certes alourdir les pratiques mais n’enlève rien de la philosophie d’amélioration continue du niveau de sécurité. Par l’apport d’un socle minimal pour la cybersécurité, sans définir des exigences strictes, la norme laisse à l’organisation le choix de placer le curseur sécurité à un niveau qui lui est adapté et d’obtenir des résultats positifs – à condition de s’entourer de bonnes personnes sensibilisées au sujet !

Traitée avec un regard critique et pragmatique, la norme apporte ainsi un cadre pour installer la gouvernance de la cybersécurité au sein de chaque organisation en mobilisant les concepts clés tout en laissant la marge nécessaire pour proposer des mesures complémentaires qui, ensemble, servent l’amélioration du niveau de sécurité.

Au-delà de l’approche traditionnelle de la conformité, la mise en conformité à la norme ISO 27001 doit servir de boîte à outils à toute les équipes et non constituer une fin en soi.

La liberté de mise en œuvre de la directive NIS au niveau européen offre un nouveau terrain d’expérimentation où se mêlent cultures différentes et visions divergentes de la cybersécurité. Seul l’avenir pourra nous dire ce qui fonctionne au niveau européen, mais l’approche belge démontre une nouvelle fois la culture du compromis entre cadre strict et liberté de mouvement. Pour les OSE belges comme pour les organismes de certification, l’inconnue demeure avant tout sur le positionnement du curseur entre les deux extrêmes.

Il leur faudra alors éviter une approche scolaire et mettre à profit une interprétation utile et pragmatique de la norme en gardant l’objectif final en tête : plus de cybersécurité.

Cet article OSE belges et ISO 27001 : quel chemin vers plus de cybersécurité ? est apparu en premier sur RiskInsight.

In a previous article, we told you all about the new European NIS directive and Belgium’s choice to use the ISO 27001 standard as a basis for increasing the security of Essential Service Operators (ESOs) with all that it entailed for the newly designated organizations.

A European directive does not mean a European regulation: it is therefore up to each member country to transpose the requirements of the NIS directive into its national law. Belgium has chosen to use an existing standard (ISO 27001), while some of its neighbours, including France, have chosen an approach based on the definition of a precise reference system of requirements combining both technical and governance measures (administrative IS, partitioning, approval process, etc.).

Today, let’s try to understand what it means for Belgian ESOs, and more broadly for all organizations attracted by international standards, to follow the requirements of ISO 27001.

The ISO 27001 standard, adulated by some and criticized by others

Some voices are rising up against the reference in the field, castigating in particular its bureaucratic aspect and its red tape which, however, can help to set up a useful reference system for the continuity of services and the training of people through the sharing of practices – especially when it is thought out pragmatically. Criticism is also rife about the added level of complexity, which is even more present for smaller structures. Here again, pragmatism is the rule, and measures must be adapted to the size of the organization and integrated into existing structures to avoid ex nihilo structures that are too cumbersome to manage.

Finally, some preconceptions have a hard time and often reduce ISO 27001 compliance to a list of checkboxes, with no real implications for the security of the organization. But the famous Declaration of Applicability (DoA), required by ISO 27001 for all those seeking certification, is not the same as listing all the controls of ISO 27002. It requires a real assessment regarding the issues and risks. This will provide concrete elements for the security of the organization.

ISO 27001, ISO 27002, are there many like that?

In the ISO family, a lot, really a lot. For cybersecurity, on the other hand, it is these two that are the most used, with ISO 27005 for risk management (if it is data protection that interests you, read also our article on the newcomer ISO 27701).

The ISO 27001 standard provides a framework for cybersecurity and aims to set up an ISMS (Information Security Management System). To help organizations in this direction, it is accompanied by the ISO 27002 standard which details the good security practices presented in Annex A of ISO 27001. The certification (the Belgian ESOs’ holy grail) is based on the ISO 27001 standard but the two standards work well together.

Certification is obtained on a perimeter defined from a business and IT point of view on which the main risks are identified. This risk assessment, combined with the consideration of the organization’s context, helps to select the relevant ISO 27002 good practices to formalize the Declaration of Applicability (DoA) and to exclude controls that are not applicable (be careful to justify these exclusions: they will be analyzed by the certification body). If less useful practices can be removed, other practices can also be added: the organization can thus complete the existing list of 114 security measures regarding its risks. The ISO 27002 standard does not address the exhaustiveness of possible security measures. This is where cybersecurity expertise comes into its own.

5 tips to find the right balance and achieve ISO 27001 compliance

Of course, seen as a whole, an ISO 27001 compliance program can quickly make you dizzy… Here are 5 reflexes to keep in mind to facilitate the launch of an ISMS and the maintenance of its performance over time:

1. Identify a sponsor invested in the service of the security objective. As with cinema, there is no film without a director, and no director without the support of the producer. The perfect match must be fully aware of the added value of compliance with ISO 27001 to improve the security level, beyond pure compliance with the legal framework. He must use normative frameworks for the benefit of a better security level and must therefore see this project as a security project rather than a compliance project.

Implementing a sustainable ISMS requires human, organizational, physical and financial resources and means. Steering the compliance project will only work if it is supported by a manager who has the authority to allocate the resources and means necessary to manage the risks and ensure an acceptable level of security regarding the business challenges. Compliance with the NIS directive, at European or Belgian level through compliance with the ISO 27001 standard, is above all a means of increasing the security level and not an end in itself.

2. Manage by risk. This is the basis of security; the key concept to always keep in mind. This management makes it possible to identify the risks within the perimeter and to ensure that the business challenges are considered. Risk management does not stop at the identification and initial treatment of risks. It requires the mobilization of teams and activities to deal with existing risks and monitor the evolution of risks (existing and new risks that emerge) and their treatment, through periodic updates and during major events within the scope.

By implementing this global approach to risks, the organization ensures a cross-functional vision of risks that allows it to focus its security measures where the stakes are highest. This validation and arbitration must be carried out in consultation with the owners of the risks (business or IT) who are responsible for the risk within their perimeters and must position themselves on the possible treatments (acceptance, reduction, transfer or avoidance). Refined and tightened risk management thus enables real, informed decisions to be taken, by players who are sometimes far removed from security.

3. Establish a pragmatic documentary repository. This step helps to define and document practices and thus promote business continuity, control and continuous improvement. This documentation must reflect reality while ensuring consistency with the requirements of the ISO 27001 standard to help define the practices to be implemented and manage them on a daily basis (implementation and updates as changes occur, etc.).

The key words when setting up this reference system are pragmatism and usefulness: it must be integrated into the existing system by completing existing procedures and creating new ones that were missing; it must not unnecessarily complicate the situation but be based on a relevant interpretation of the standard; it must be useful to the teams carrying out the activities to enable operations to be maintained. Therefore, avoid copying and pasting requirements from the standards. They create a useless referential for the field teams and will arouse the curiosity of your auditors who will then doubt the effectiveness of the measures…

4. Regularly evaluate performance. Any self-respecting management system requires a control loop to assess its performance and, in the case of ISMS, its non-compliance with the ISO 27001 standard and with the reference system in place in the organization (summarized in the DoA). The identification of these non-conformities must make it possible to trace them back to their source and initiate reflection on the best way to manage them. The reflection to be carried out must focus on how the non-conformity will be resolved to ensure an increase in the level of security while ensuring that the measures correspond to the requirements of the standard and are adapted to the context, the risks and the stakes of the organization.

The different levels of control (self-monitoring by the teams, internal/external audits, management reviews) must all keep the objective of improving the security level in mind by pragmatically using the requirements of the standard and the company’s reference framework, and if necessary, make the latter evolve in the light of the practical reality of the organization. It is a question of finding the right balance between the context of the organization and the management of the identified risks. If your challenges are mainly related to the availability of an activity, focus your efforts (measures and controls) on this issue as a priority. To be relevant, this assessment cycle must distribute efforts on the most relevant perimeters for the organization (according to its risks and impacts) and feed the next steps of the ISMS life cycle.

5. Engage the teams. An ISMS implementation project is not only the prerogative of the CISO or a team of documentalists. It is first and foremost a large-scale project that requires a wide range of expertise, from cyber security to business, IT, legal, procurement, human resources, etc. It is a real change management process that needs to be organized with the full and complete involvement of the various teams and the organization’s management to ensure an ISMS that serves the sustainable improvement of the security level for the entire perimeter.

ISO 27001 certification, yes but pragmatic!

The real strength of ISO 27001 certification is above all to trigger a security dynamic within the organization. Documentation can certainly make practices more cumbersome but does not detract from the philosophy of continuous improvement of the level of security. By providing a minimal basis for cybersecurity, without defining strict requirements, the standard leaves the organization the choice of placing the security cursor at a level that is suitable and to obtain positive results – as long as you surround yourself with good people who are aware of the topic.

Treated with a critical and pragmatic eye, the standard thus provides a framework for installing cybersecurity governance within each organization by mobilizing key concepts while leaving the necessary room to propose complementary measures that, together, serve to improve the level of security.

The free implementation of the NIS Directive at the European level offers a new testing ground where different cultures and different visions of cybersecurity are mixed. Only the future will be able to tell us what works at European level, but the Belgian approach once again demonstrates the culture of compromise between strict framework and freedom of movement. For Belgian ESOs and certification bodies alike, the unknown is above

Cet article Belgian ESO and ISO 27001: which way to more cyber security? est apparu en premier sur RiskInsight.

Cet article Organiser ou réorganiser la filière sécurité d’une grande entreprise – retours d’expérience est apparu en premier sur RiskInsight.

After having made several dozen speeches to executive committees, audit committees and boards of directors, I wanted to share with you the essential steps for advancing the relationship over the long term. The first phase of this trip should make it possible to create an initial contact and raise the EXCOM’s awareness on cybersecurity issues. First step, awareness! The objective for these sessions is often to manage to attract attention so as to be able to trigger further reflection within the organization. Later on, we will see the following steps: presenting a balance sheet, obtaining a budget, monitoring the progress on the security level…

An essential prerequisite, knowing where you are starting from and who you are going to deal with

This may seem like a cliché, but it is certainly the most important element before going to meet an executive committee or a board of directors. Thanks to its wide media coverage, cybersecurity is often already present in executives’ minds. But their degree of digital literacy and their level of appetite for the topic can completely change the way the topic is raised. Will it be necessary to be very didactic (going so far as to re-explain the principle of data, applications, if any) or will it be necessary to immediately address complex points such as the latest attacks observed and their methodologies? You would be surprised to see the diversity of levels between companies, but also within the same EXCOM. And it is necessary to interest each of the stakeholders, at the cost of having comments that are not very helpful during the intervention.

It is therefore important to prepare this first meeting by talking with other members of the ECOM their deputies or with people familiar with this forum to determine the tone to be adopted and the level of the speech to be given. Obviously, the operating rules will also have to be known: is it common for questions to be asked as they arise? Can a member be questioned? Should subjects relating to the company be raised from the outset? Plan to clear the ground upstream! And even if there is no perfect recipe, I will give you below the elements I use most often to make these meetings useful and effective.

To start, draw the attention by revealing the behind-the-scenes of an attack…

The topics quickly follow one another during the EXCOM. The directors think very, very quickly, so it is necessary to be concrete and to give food for thought and experience. The element that I find most effective consists in presenting a recent attack, published in the press or having affected the sector, and deciphering the stakes and the background: what is the timeframe? what motivation for the attackers? what weaknesses in the company? what is the reaction internally? publicly? with the authorities? This will have the effect of mentally projecting the directors concerned into their role as if they were going through the same thing. We at Wavestone are fortunate enough to frequently manage major cyber crises and we use these elements, both as a benchmark but also by anonymizing them or in agreement with the victims, to give a very concrete meaning to our feedback.

Follow-up with a generalization about cybercrime

An case is good to understand, but it doesn’t explain everything! After zooming in on a case, it is a question of generalizing it by explaining what are the mainsprings cybercriminality ways of proceeding. We then analyze the motivations of criminal groups, their organizations, but also and perhaps above all how they make money!

For an EXCOM to know that it is a DDoS attack or ransomware that has done damage is of little interest, it is especially important to show them that cybercriminal activities are profitable, even very profitable. We have calculated the ROI of several types of attacks and I can tell you that when you explain a 600% profitable attack like a ransomware, the eyes of the directors are wide open. We then highlight very concretely why their structure could be attacked and especially how much money the criminals would make. This often puts an end to the question “but why would we be targeted by an attack? We’re not known/we’re small/we don’t do anything strategic”.

Explain the company’s current situation in concrete terms

This is the right time to present the company’s IT posture and its current organization in terms of security. It is then a question of presenting it simply, with clear and meaningful images: are you rather in an old-fashioned “fortress” model? Or have you already opened your doors as a result of the digital transformation and have you adopted a porch model where security is reinforced the further you go towards critical systems? This will help to make the situation more concrete.

After this phase of mobilization and explanation, comes naturally the phase of questioning by the members of the executive committee. “But then, where are we now, or are we facing this risk of a cyberattack? ». Faced with this question, either you are lucky enough to have a detailed maturity assessment and you can present it immediately, or you can bring in initial qualitative or even partial quantitative elements and explain that today you need to have more visibility. The elements that speak for themselves are the latest audit reports, the latest incidents, budgetary elements.

If it is difficult at the beginning of the process to talk about the budget and to compare oneself because of a lack of data, it is possible to use a simple and effective indicator, that of your staff dedicated to cybersecurity. We have a database on this point and we can quickly show a EXCOM where it is just by mobilizing its HR. It’s simple and effective to convince them!

Don’t leave emprty-handed

The major risk of this awareness is that everything goes well but nothing moves. Indeed, you may have a positive message, “thank you and see you in a year for an update”, you will be happy but you will not have helped cybersecurity situation moving forward. It is then necessary to prepare the next step by indicating from this presentation the main points of weakness or strength felt and how you would like to evaluate them more precisely.

Indeed, the second step is often the realization of a dedicated maturity assessment in order to know how to position yourself! If at this point the meeting has taken place, the EXCOM, intrigued and interested in the topic, will want to know more and will give an agreement in principle. Beware that this may not be a budget directly, it will certainly refer you to the CIO or the Risk Director to get it, but with their agreement you will have a great lever to move on to the next step! See you on the next episode.

Cet article Creating a relationship of trust with the EXCOM: first step, raising awareness! est apparu en premier sur RiskInsight.

However, it is a difficult exercise to raise their awareness to security risk and to teach them good practices. Headache for CISOs, lack of interest or even state of tension from end-users interpreting security measures as restrictions. Ways to raise awareness on information security must evolve continuously.

Is an escape game the way to bring end-users and cybersecurity back together?

A fun approach to raise awareness among end-users

Like any classic escape game, the game master welcomes players and introduces the game’s context and rules. They get into the game’s room where they have to reach their goals in a limited time.

During the game, the game master follows remotely the team progress and gives clues if the players encounter difficulties.

At the end, the game master performs a debriefing. He goes through the different bad security practices used by the team during the game and remind them the good security practices.

 Goals to be reached during the game depends on the scenario. It can be:

• Someone pretending to apply for a job that will search the desk of the R&D director of a competitor company to steal the design and technical details of a new product.
• A hacker forcing people to steal classified documents and to do bank payments within their own company by threatening them to reveal private sensitive information.
• Someone using the opportunity of an invitation at their CEO’s home to steal evidence of their involvement in misappropriation of funds.

Which awareness areas are raised?

An escape game enables to raise awareness on different topics:

Let us take as example the “Password” area. The game will expose players to bad practices they will have to leverage to reach their goals:

• Straightforward password based on personal information (first name, last name, birthdate…),
• Passwords saved in Web browsers,
• Same passwords used for personal and professional life,
• Passwords written on a post-it.

Players will exploit themselves vulnerabilities set-up in the game and will get a better understanding of associated risks than if they had to read a policy.

Furthermore, the escape game will help them understand the part they have to play to avoid being unintentionally accomplice of a cyberattack. It means to have a cautious behavior like being discreet on social media, being careful when talking to someone new, having reflexes to identify phishing e-mail, shredding confidential papers, etc.

How to successfully build a cybersecurity escape game?

First, define the overall scenario: goals to be reached, roles taken by players and location of the game.

Then, design secondary objectives and the series of actions that will allow the players to reach the main goals. Let us take an example: to reach the goal “steal the confidential document of a product’s design”, players will have to:

• Rebuild a document torn apart manually from the trash,
• Use this document to find the answer of a secret question to reset a user password,
• Leverage the account hacked to connect to a SharePoint to fetch the confidential document.

A classic escape game is using clues / objects in unexpected hiding places. On the contrary, the idea of a cybersecurity escape game is to recreate real life circumstances that players will be able to reflect on their own working life.

It is important to adjust the difficulty level according to the people targeted. Clues must be comprehensible to people with no IT expertise if the escape game is targeting a large group of coworkers. On the contrary, clues must be more complex if the target is IT people. Like, having them do easy SQL injections on an application to access confidential data. The approach to use the SQL injection can be provided through a Web app thanks to a bookmark saved in a Web browser.

Finally, once everything is designed and ready, test sessions are required to refine the game and adjust when the game master needs to give clues. It is important that players reach all goals to ensure they see all security awareness topics expected.

A very effecient tool to be included in a global awareness strategy

Role-playing provided by escape game enable great awareness and ensure a good assimilation of messages. Players spontaneously create links between life experience and ones encountered during the game which allows rich debriefings: multiple discussions and players are engaged in depth in the topic approached.

Escape game does not replace other methods of awareness campaigns. It must be part of a global strategy which alternate actions with strong impact (but costly) and other cheaper actions (but with less impact) to allow continuous awareness with a controlled budget.

Finally, cybersecurity escape game is also an excellent teambuilding tool!

Cet article Is cybersecurity escape game the best way to raise awareness? est apparu en premier sur RiskInsight.

But these projects are not only the work of systems security managers. These projects also come from executive committees who seek a 360 view of the security of their institution to better evaluate potential risk. So, what are key success factors that we have seen in the field?

Step 1: Know the purpose and expectations of your evaluation

Evaluations can be entirely different levels of depth. From a high-level interview with the Chief Security officer to an in-depth assessment of the security mechanisms and processes of all the subsidiaries of a multinational group, everyone can choose their areas of focus and advance step-by-step.

Our first advice is to keep in mind the objectives of your evaluation. This will allow you to orient yourself toward the right security benchmarks and ultimately define the depth of the evaluation. Do you only want to measure the security maturity of your subsidiary’s information systems or also its efficiency? Perfectly documented security processes and an ISO 27001 certification can unfortunately hide problems on the ground that can expose you to vulnerabilities. It can be judicious to combine a technical test (pentest, red team, etc.) to the evaluation in order to avoid situations that seem fine on the surface but hide underlying issues.

Step 2: Find and mobilize the right people at the right level, easy to say but harder to do…

The next difficulty that you can encounter in your assessment is to succeed at meeting the right people. From experience, we advise you to confirm your list of the necessary collaborators as soon as possible.

Logically, this list will certainly depend on the granularity of the analysis but also on the organization of the business. For example, the necessary people will differ if the security staff are at the group level and function as a service center or if they are merged into each entity and service. Consequently, if you want to have a high-level estimate first, it could suffice to only have a half day exchange with the Chief Security Officer, who generally has a sufficient and global vision of the subject.

The second stage of analysis can be performed in gathering information from all actors involved in cybersecurity at the group level. In this group, it can be interesting to meet a large group of people involved in information systems and the cloud.

Finally, when the assessment must be thorough and exhaustive, it becomes necessary to widen the list of collaborators to all of the concerned entities. Obviously, you should expect a larger workload, so do not skimp on preparation and tools to help you in your work. It can also be the right moment to think about your presentation format: face-to-face, distance, strategic, operational, etc.

Step 3: Equipment, finding the right balance between too much and not enough

Choosing the right tools is one of the main assessment challenges that you will face. The more complete the assessment, the more it will require tools that ensure simplification and understanding of the whole project. Indeed, for large evaluations, the consolidation and restitution of results are two of the great challenges that you will encounter. In particular, commonly used tools don’t take into account the organizational complexity of large groups or the effectiveness of allocated resources. It is for these reasons that, from our side, we have chosen to develop a specific tool.

A good tool also allows you to position yourself against your competitors and understand your exposure to current attack trends and points where your COMEX is particularly sensitive, ensuring you can legitimize the assessment.

So it begins! It’s time to get your hands dirty and start the work of collecting information! There is a classic phrase that applies to these situations: entirely feasible from a distance. Be aware and transparent about the limits of the exercise: those questioned will sometimes have the impression that the assessment is too theoretical and this is normal, according to their objectives. During this phase, it will also be necessary to be able to juggle between the various unknowns because it is not uncommon to have people who are ultimately absent for long periods of time, added parameters, changes in methodology. Make it a point of honor to remain agile.

Step 4: Reforming at the right level to act, everything is a question of the point of view

A good habit to keep is to honestly adapt each reform to each person. From the managerial summaries where we talk about trends without much detail to presentations for technical teams that are highly detailed, adapting the discourse to the necessary format is important to convey the right messages to the right people.

Usually, we start the reforms in terms of the organization’s budget and workforce dedicated to cybersecurity. These very concrete points allow you to attract attention and be able to then analyze the situation from four different angles:
· Compliance with different global benchmarks (ISO/NIST)
· Assessment of the level of maturity of different entities compared to others in the same sector or market
· Quantification of the effort reach the market level and/or the required level according to cybersecurity benchmarks
· Evaluation of the level of robustness of the organization against the last known cyberattacks

With senior management, the restitution is often going to focus on organizational and governance matters. However, there can always be surprises. In cases where businesses have already been hit by serious cyber attacks, we have had surprisingly precise and technical questions from executive committees. For example, we have been asked for details on encryption algorithms and “How secure is my active directory?”

Get started

As mentioned earlier, the maturity assessment is an effective means for measuring the effectiveness and progress of your cybersecurity roadmap. Consequently, even if you don’t want to immediately begin an assessment involving all security systems and dozens of teams at your business, we advise you to familiarize yourself with the approach and its usefulness in starting out with more modest goals.

At Wavestone, with years of experience and expertise, we have developed the W-Cyber-Benchmark, a multi-use tool that has been implemented by dozens of clients. We know that just writing about it isn’t enough, so don’t hesitate to contact us to discuss further!

Cet article How to effectively evaluate your cybersecurity est apparu en premier sur RiskInsight.

A campaign launch is all well, but how do you keep it going over time?

The creation of TRUST was not an end in itself, but a stepping-stone for the future.

At the start of the project, we immediately envisaged the annual pace of our two awareness plans.

Two, because we had to keep in mind that we were raising awareness for two distinct populations: newcomers and existing employees.

For newcomers, the solution is simple: plan the launch of all existing TRUST resources over one year to space out messages.

For all other employees, it’s more complex. How to get the messages across again without giving a feeling of déjà vu, fatigue or even an overdose?

We have therefore organized our awareness plan with 3 major initiatives spaced out over time.

A new monthly meeting: The Trust minute

A one-minute film broadcasted on all our communication channels to present 5 different messages per month:

1. An example of an anonymous user or client incident
2. A Trustee, our security tool presented in the previous article
3. A security indicator (e.g. the percentage of new recruits who have completed e-learning, the number of those leaving the firm detected downloading documents before they leave). Sharing these indicators helps raising awareness and demonstrates that controls have been lifted.
4. A daily tip given by our friend Sofia
5. A popularized cyber news story

A new campaign of cybercoffee quizzes because it gets results

Of course, we must reinvent it, change the quizzes (but not necessarily the themes) and change the prize? All of this is easy and requires little preparation. Admittedly, this period of lockdown slightly challenged our initial plan. But it has been an opportunity to be creative and to release, in partnership with my colleagues in the Cybersecurity & Digital Trust practice, the new #TotalCyberAwakening video series about lockdown.

An annual global event in October during Cyber Security Month

In 2019, we organized a firm-wide competition on the theme of protecting personal digital information.

Every week, all employees received a question by email which they could answer directly via option buttons (sending a multiple-choice approval via Power Automate). Depending on their answer, they received a second email with the answer and the various tips associated to be used on a personal basis.

Answering a question and getting a correct answer would help contributing to a Euro prize fund. More than €2,100 was donated to the ISSA association, an association which Wavestone has partnered with to promote cybersecurity among schools and children.

This first game, based entirely on voluntary participation, enabled us to reach more than a third of Wavestone’s employees.

We are already preparing for next October’s initiative and this time we will go further with videos, games, meetings, quizzes under a global theme inspired by a famous TV series. What if this time, the new threat of Wavestone was the return of the White Walkers?

6 key elements to keep in mind

To sum up, the key elements for creating a successful awareness program are as follows:

1. Set achievable goals
2. Define a common thread (a theme, a brand) that will allow users to easily associate your messages with security
3. Define a short list of messages to be communicated and stick to it
4. Diversify the media and channels (posters, films, emails, e-learning, games) but always keep at least one event to meet the users
5. First use the tools already at your disposal (PowerPoint, emails, PowerAutomate) before acquiring new interesting solutions if needed, but not necessarily a priority to get started
6. Be creative and use humor to get your messages across (however, culture differences may have an impact in case of an international group)

Cet article The creation of Wavestone’s new internal awareness program (2/2) est apparu en premier sur RiskInsight.

Un lancement de campagne c’est bien, mais comment tenir dans la durée ?

La création de TRUST n’a pas été une finalité, mais un tremplin pour la suite.

Au démarrage du projet, nous avions tout de suite imaginé quel serait le rythme annuel de nos 2 plans de sensibilisation.

Nous devions avoir en tête de gérer la sensibilisation de 2 populations distinctes : les nouveaux et les anciens collaborateurs.

Pour les nouveaux, la solution est simple : planifier le lancement de tous les supports TRUST existants sur une année pour espacer les messages.

Pour tous les autres collaborateurs, c’est plus complexe. Comment faire à nouveau passer les messages sans donner un sentiment de déjà vu, de lassitude, voire d’overdose ?

Nous avons donc organisé notre plan de sensibilisation avec 3 grandes actions espacées temporellement.

Un nouveau rendez-vous mensuel : The Trust minute

Un film d’une minute diffusé sur tous nos canaux de communications pour présenter 5 messages différents par mois :

1. Un exemple anonymisé d’incident utilisateur ou avec un client
2. Un Trustee, nos outils de sécurité présentés dans l’article précédent
3. Un indicateur de sécurité (ex : le pourcentage de nouveaux ayant réalisé le e-learning, le nombre de démissionnaires détectés à télécharger des documents avant leur départ). Le fait de partager ces indicateurs permet de sensibiliser sur la problématique et de démontrer l’existence des contrôles.
4. Une astuce du quotidien donnée par notre amie Sofia
5. Une actualité cyber vulgarisée

Une nouvelle campagne de cybercoffee quizz car le résultat est au rendez-vous.

Evidemment, il faut se renouveler, changer les questionnaires (mais pas forcément les thèmes), changer le goodie, mais tout cela est facile et demande peu de préparation. Certes, je vous l’avoue, cette période de confinement a légèrement remis en cause notre plan initial. Cependant, cela a été l’occasion d’être imaginatif et de sortir, en partenariat avec mes collègues de la practice Cybersécurité & Digital Trust, la nouvelle série en vidéo TotalCyberAwakening sur le confinement.

Un évènement global annuel en octobre lors du mois de la cybersécurité.

En 2019, nous avions organisé un jeu concours à l’échelle du cabinet sur le thème de la protection de la vie numérique personnelle.

Chaque semaine, tous les collaborateurs recevaient une question par mail à laquelle ils pouvaient répondre directement via des boutons de choix (envoi d’une approbation à choix multiples via Power Automate). En fonction de leur réponse, ils recevaient un second email leur annonçant la réponse et différents conseils associés à utiliser à titre personnel.

La participation à une question et une bonne réponse alimentaient une cagnotte en euros. Plus de 2100€ ont ainsi été reversés à l’association ISSA à laquelle Wavestone s’est associée pour promouvoir la cybersécurité auprès des écoles et des enfants.

Ce premier jeu sur base de volontariat nous a permis d’atteindre plus d’un tiers des collaborateurs de Wavestone.

Nous sommes déjà en train de préparer celui d’octobre prochain et cette fois-ci nous irons plus loin, avec des vidéos, des jeux, des rencontres, des quizz sous un thème global inspiré d’une célèbre série TV. Et si cette fois-ci la nouvelle menace de Wavestone était le retour des marcheurs blancs ?

6 éléments clés à retenir

Pour résumer, les éléments clés de succès pour la création d’un programme de sensibilisation réussi sont les suivants :

1. Se fixer des objectifs chiffrables et atteignables
2. Définir un fil rouge (un thème, une marque) qui va permettre aux utilisateurs d’associer facilement vos messages à la sécurité
3. Définir une courte liste de messages à faire passer et s’y tenir
4. Diversifier les supports et les canaux (affiches, films, mails, e-learning, jeux) mais toujours conserver au moins un évènement permettant d’aller à la rencontre des utilisateurs
5. Utiliser dans un premier temps les outils déjà à votre disposition (PowerPoint, mails, PowerAutomate) avant d’acquérir si besoin de nouvelles solutions intéressantes mais pas forcément prioritaires pour démarrer
6. Faire preuve de créativité et utiliser l’humour pour faire passer vos messages (attention toutefois à prendre en compte les différences de culture dans le cadre d’un groupe international)

Cet article Récit de la création du nouveau programme de sensibilisation interne de Wavestone (2/2) est apparu en premier sur RiskInsight.

A year ago, the idea of TRUST was born, the name of the new awareness program at Wavestone. My team and I spent a year thinking about and developing a whole new strategy to raise awareness among Wavestone employees. Wavestone has 3,500 employees in 8 countries, whose main job is consulting (but not only!), rather young (but not only!), who know about IT and cybersecurity (but not only!).

This anniversary was an opportunity to reflect on the results and think about what we are going to do next. In view of the very positive feedback that I have received from our employees, I consider this program to be a success in terms of our objectives and I would therefore like to share it with you to explain how it is possible to build a program and develop materials without necessarily having an enormous budget. In a nutshell, awareness-raising is within the reach of every company, even the smallest.

It all starts with a review and objectives

The assessment at the beginning of 2019 was simple: for several years, I had already developed various awareness-raising tools: a virtual character (Sofia), an e-learning module, phishing campaigns, a very stylish user charter (but I am not fooled by its actual read rate), videos, an Intranet page, awareness-raising emails, security tools available to users… but then why did our users always continue to act as if they didn’t know?

At the same time, within the framework of the Wavestone 2021 strategic plan and its aim to position the firm in the top 3 of its category in terms of CSR, we have set ourselves the objective of being a trusted partner with 100% of our employees being aware of data protection issues.

100%! At the beginning of 2019, I only had a 70% participation rate of employees in e-learning safety.

But then how? What more could I do?

After several group sessions and one or two sleepless nights, the ideas were there:

Our various actions were too diverse, a common thread was missing: a brand!

A digital format is a good thing, but there is no substitute for a verbal discussion (we forget the traditional 2 hour face-to-face mandatory training for all newcomers, which is very time consuming and has a limited impact due to the large number of messages addressed in the 2 hours. I have led so many of them as a consultant).

We always talk about risk and threat, but employees need more practical examples that are well adapted to their company’s situation. What mistakes can they make on a daily basis and what would be the actual impact for Wavestone?

“Humor! We need humor!” Yes, but not always! Humor is a great tool to grab the attention of your target audience, to lure them in, to make them receptive to you… but what you really need is pragmatism!

It is difficult for the employee to ultimately know what to do with the many rules given. In the end, a large part of data protection remains the mission of IT management, by implementing protection tools, alerts and controls. For example: is it up to users to be more vigilant against phishing or malicious emails? For my part, I think it’s more up to the company:

1. to implement a better messaging protection solution,
2. a better EDR that will block the action of the faulty part,
3. to have solutions to avoid the spread of ransomware or data backups,
4. to have a multi-factor solution that will greatly reduce the use of stolen logins and passwords via a fake password reset email.

It is more important to work on limiting the impact of a malicious email that will always find a willing victim, rather than focusing energy on educating users on this topic.

Based on this observation, what are the messages I wanted to convey? What is really in the control of the Wavestone employee, and not IT management?

They can be summed up in 5 messages:

1. Transfer documents from your client ONLY WITH authorization:When you are a consulting firm whose employees spend so much time on your clients’ IS, the primary risk is a lack of awareness and the loss of a client because your employees have taken out sensitive documents to make it easier for them to work on their workstations, or with their project manager who does not have access to the client’s IS (at least not yet, which can often happen with long processes for providing access to client’s IS). This is not a security risk as such for Wavestone, but rather a risk of a client incident that is dealt with through data protection awareness.
2. Respect the project confidentiality procedure: the fundamentals! Comply with the instructions for handling client data. On the other hand, for it to be effective, this procedure must be very simple… no more than 2 or 3 rules.
3. Use security tools to protect data: as long as they are easy to use! We’ll talk about this later.
4. Store personal data only if necessary and process only for the intended purpose: you have to put a little GDPR message in the formula…
5. Think twice before opening an attachment, clicking on the web link, and working in transport and public places: “but you just told us it was the role of IT management!” Yes, sure, you’re right, but it doesn’t cost anything to add it at the end. Anyway, we always forget the last piece of advice!

5 messages. Perhaps the more visual among you have noticed… but the first letter of each line combines to form…

And here’s the TRUST brand that was born, with its logo, design, style guide and visuals.

We have the brand! Like any good marketing product, it must now be broken down into multiple promotional formats.

Once we had our central theme in terms of messages and visuals, all that remained was to communicate it, but not in a single action, in a series of actions linked to each other to simultaneously increase formats, channels and messages to different categories of users.

Production of the TRUST video. 5-minute film in 3 parts:

1. An introduction to set the scene with fictional press or radio articles presenting the consequences for Wavestone of a security incident (loss of clients, loss of turnover, stock market decline, etc.).
2. 5 messages: 5 humorous sketches including a Wavestone employee and a different CISO. What better than CISOs to play their own role? I was lucky that the CISOs of 2 CAC40 companies, a large French public company and a large English bank agreed to play the game in a humorous way. Many thanks again to them! Each consequence of the scene is then explained by the managing director of Wavestone, Mr Patrick HIRIGOYEN. Small video excerpt here.

3. Finally, a conclusion with a message from Mr. Pascal IMBERT, Chairman and Chief Executive Officer of Wavestone, as a more serious reminder of the risks involved for the firm and the need for each employee to feel committed and to apply the proposed measures.

We received a very good feedback from the employees on this humorous film, which was widely distributed through all the firm’s communication channels.

The TRUST brand was quickly identifiable. But this film was just for the launch, it needs more!

Creation of cybercoffee quizzes

The principle is simple: answer at least 3 security questions and get a free coffee and 1 goodies (a TRUST webcam cover for this year).

An excellent opportunity to meet employees at a time when they are open to discussion: during their coffee break.

For this, you need visuals: kakemonos, polo shirts, screens with the awareness film and 1 coffee machine with free coffee. You can’t miss us!

Every fortnight, my team would go to a different break room in our offices to introduce TRUST, get the staff playing and answer their questions. This initiative was greatly appreciated by the employees. Beyond the lure of winning, they were delighted that we took the time to explain to them individually things they didn’t know or didn’t know well and all the simple things that were available to them. “It’s not as complicated as it sounds!”

These quizzes, in the form of presentations at management meetings or team meetings in our various offices, enabled us to meet with more than 1,000 employees in person in 9 months, i.e. around 1/3 of our staff. Although time-consuming, this action remains one of the most impactful in terms of making ourselves known and getting our messages across.

Technical tip: it’s very easy to implement in practice:

• 3-question form, for us, made on Microsoft Forms,
• QR code displayed on a kakemono or a poster so that from its phone, the participant can easily access this form (just take out the camera, no application to install)
• Finally, a simple workflow (via Power Automate) to save the result in a database and automatically send a summary email to the participant with key messages and links to videos.

The score and corrections being displayed directly on the phone after confirmation, the facilitator can directly discuss with the participant to explain their mistakes and offer them their gift.

What if the security tools were superheroes?

“Encrypt your document”, “Protect your passwords”, “Encrypt your emails”… so many instructions given to users who, despite their good intentions, often find themselves saying “I want to, but how can I do it?”

We had a whole catalog of tools installed on the workstations and were available for employees, which were simply unknown to everyone. So, we had to bring them out of the shadows and into the spotlight to show their existence and their usefulness. That’s how our League of Trustees was born!

Each tool has its own superhero whose duty is to show our employees what they are used for and how easy it is to use them in less than 1 minute:

“I want to send a secure document to my client”: Encrypt it with 7zip!

“I want to protect the documents on my USB flash drive”: Encrypt it with BitlockerToGo, it’s on your computer!

Posters and short demonstration videos were used to communicate on our different channels and to present them during our Cybercoffee quizzes.

I wouldn’t say that they are now used every time, but at least they are better known and therefore are used more than they were before.

Technical tip: did you know that you don’t need professional software and a 5-year degree in audiovisuals to make short animated films?

There are tools such as Powtoon or Vyond that allow you to make awareness videos very easily with a whole series of characters or settings already proposed. In 1 to 2 days you can already make your first one-minute video. Quickly, you will only need half a day of editing. The most complex part is always the script writing, the duration of this step can be very varied depending on the message you want to convey, your context or requirements (it’s this last point that personally takes me a lot of time!).

For simpler films, including video clips and text, personally, my new video editing tool has become Microsoft PowerPoint! You all already know how to use it to put text, animations and transitions. All you have to do now is use the video insertion, screen recording and video export functions. 3 features that make your life easier because usually you always have to find third party tools to record your screen, cut them and convert videos.

You can even save your films in GIF format to integrate them directly into your awareness emails! No need to redirect your user to a video site!

The ultimate advantage is that you can have your videos edited by other people and modified afterwards by others without training because most of your employees know how to use PowerPoint. Creativity becomes your only limit.

3 new materials, that’s it?

As soon as our new materials were ready, we took the opportunity to bring our old awareness tools back to TRUST’s colours:

The e-learning for all new employees has been revamped with TRUST visuals by integrating the videos presented previously and refocusing the questions on our 5 messages. This more entertaining aspect enabled us to achieve our goal of having 100% of our new employees completing this e-learning programme by 2019. It is also thanks to good follow-up efforts and perseverance that this objective has been achieved! It’s not that easy getting 100%…

The Intranet page has also undergone a makeover to centralize all these resources and highlight the messages.

The security alerts for employees have also been rebranded under the TRUST brand. It should not be forgotten, but these alerts can be a great tool for raising awareness. Between the automatic email saying “We saw you, it’s not right, you’re going to be punished” and the prevention email sent by the awareness character explaining the right way to do things, the message gets across differently. And I strongly believe that it is more effective… the proof is in the observed decrease of these alerts since their implementation.

End of the first article… how to keep it going and my conclusion soon to be published in part 2.

Cet article The creation of Wavestone’s new internal awareness program (1/2) est apparu en premier sur RiskInsight.

However, for some time now, some executive committees are no longer as generous and require more effort from the IT Security sector. It is well known that it is not easy to prove the effectiveness of the means committed, and some CISOs find themselves struggling to even maintain their annual budget. The post-COVID situation may not help, and we can think that there is no reason why cybersecurity should escape the imperatives of future savings.

In the field, the following three levers may present opportunities to optimize the costs in the IT Security industry: 1. review of the Operating Model, 2. contracts optimization, 3. automation and offshoring.

1/ REVIEW OF THE OPERATING MODEL

To optimize an IT Security Operating Model, the question of redundancy must be quickly addressed. The observation is often the same from one company to another: the IT Security industry has grown very quickly, and different teams have very similar or even redundant missions. Many service providers can attest to this: it is quite common to be called upon several times for the same study within a Key Account, in several different entities. Even if some companies are considering to deal with this subject by a complete centralization of the security team (some recent examples in the industry), the key is rather to gather at least the cyber expertise in a centralized way and to structure service offers that can be used by all: pentests, SOC, redteam, policy writing, awareness…

Be careful, this may represent a major change in stance for many CISO teams, which move from a role of prescriber to a role of service provider with all its facets (SLA, quality measurement, and even penalties). However, it is an excellent way to eliminate redundancies, optimize costs and clarify responsibilities in the process.

2/ CONTRACTS OPTIMIZATION

Purchasing contracts often account for more than half of the IT Security industry’s expenses and can obviously present excellent avenues for optimization. Many companies have multiplied the tactical deployment of security solutions and it is not uncommon to find situations with 4 types of IPS, 3 EDRs and 3 SIEMs… A simple way to regain control and optimize costs is to return to the use of a catalogue with centrally negotiated prices: maximum 2 products referenced per technology and an obligation for all entities to use the catalogue. The results can be spectacular by playing on volume effects.

Same approach for services: the aim is to avoid scattering contracts and to ensure competition. In the field, there is typically a trend towards contracts optimization that do not require specialized cyber expertise: project management, change management… From experience, it is quite simple to get 10%-15% off the daily rates, the panel of companies being much larger for this type of task. However, security value must be kept: it is not a question of lowering the guard on expertise or cyber strategy.

3/ AUTOMATION AND OFFSHORING

Automation can also be an optimization avenue to be explored in the medium term. Especially since the movement is already underway: SOAR solutions for incident handling, automatic learning for anomaly detection, deployment of measures in the Cloud… Many cyber security activities are currently seeking optimization through the automation of repetitive tasks. The results are obviously not immediate, but the current economic climate clearly risks boosting projects of this type.

An offshore strategy, on the other hand, can have much more immediate results, but beware of rushed projects. Offshore security activities are anything but tactical and require a great deal of framing work to understand the specificities of each country, to establish proximity with local management, and above all to integrate offshore seamlessly into the IT Security operating model. Successful offshore operations involve up to 20% of the industry’s offshore workforce. The key to achieving such volumes is to focus on providing standardized offshore services (operations, vulnerability scans, translation, etc.), and to limit extended teams, which can be attractive on paper but often counter-productive because they are complex to manage.

Cet article Cybersecurity will not escape cost reduction est apparu en premier sur RiskInsight.

Après avoir réalisé plusieurs dizaines d’interventions auprès de comité exécutif, de comités d’audit ou de conseil d’administration, je souhaitais partager avec vous les étapes essentielles pour faire progresser la relation dans la durée. La première phase de ce voyage devra permettre de créer un premier contact et à sensibiliser le comité exécutif aux enjeux de cybersécurité. Première étape, la sensibilisation ! L’objectif pour ces séances est souvent d’arriver à attirer l’attention pour pouvoir déclencher une réflexion plus approfondie dans l’organisation. Nous verrons plus tard les étapes suivantes : présenter un bilan, obtenir un budget, suivre la progression du niveau de sécurité…

Un pré-requis essentiel, savoir d’où l’on part et avec qui l’on va échanger !

Cela peut apparaitre comme un poncif, mais cet élément est certainement le plus important avant d’aller rencontrer un comité exécutif ou un conseil d’administration. Grâce à sa large couverture médiatique, le sujet de la cybersécurité est souvent déjà présent dans l’esprit des exécutifs. Mais leur degré de connaissance du numérique et leur niveau d’appétence pour le sujet peuvent changer complètement la manière d’aborder le sujet. Faudra-t-il être très didactique (en allant jusqu’à réexpliquer le principe de données, d’applications, si si) ou alors faudra-t-il tout de suite aborder des points complexes comme les dernières attaques observées et leurs méthodologies ? Vous seriez surpris de voir la diversité des niveaux entre les entreprises, mais aussi au sein d’un même COMEX. Et il est nécessaire d’intéresser chacun des acteurs, au prix d’avoir des commentaires peu amènes pendant l’intervention.

Il s’agit donc de bien préparer cette première réunion en échangeant avec d’autres membres du COMEX, leurs adjoints ou avec des personnes familières de cette enceinte pour déterminer le ton à adopter et le niveau du discours à tenir. Evidemment, les règles de fonctionnement devront aussi être connues : est-il courant que les questions soient posées au fil de l’eau ? Peut-on interpeller un membre ? Doit-on évoquer dès le début les sujets relatifs à l’entreprise ? Prévoyez de déminer le terrain en amont ! Et même s’il n’y a pas de recette parfaite, je vous livre ci-dessous les éléments que j’utilise le plus souvent pour faire de ces rencontres des moments utiles et efficaces.

Pour commencer, attirer l’attention en dévoilant les coulisses d’une attaque

Les sujets s’enchaînent rapidement durant les COMEX, les directeurs réfléchissent très très vite, il faut donc très rapidement être dans le concret et donner de la matière à réflexion, du vécu. L’élément que je trouve le plus efficace consiste à présenter une attaque récente, parue dans la presse ou ayant touché le secteur, et en décrypter les enjeux et les coulisses : quelle temporalité ? quelle motivation pour les attaquants ? quelles faiblesses dans l’entreprise ? quelle réaction en interne ? publique ? avec les autorités ? Cela aura pour effet de projeter mentalement les directeurs concernés dans leur rôle s’ils vivaient la même chose. Nous avons la chance chez Wavestone de gérer fréquemment des grandes crises cyber et nous utilisons ces éléments, à la fois sous forme de benchmark mais aussi en les anonymisant ou en accord avec les victimes, pour donner un sens très concret à nos retours d’expérience.

Enchaîner avec une généralisation sur la cybercriminalité

Une attaque, c’est bien mais ça n’explique pas tout ! Il s’agit après avoir zoomé sur un cas de le généraliser en expliquant quels sont les ressorts du fonctionnement de la cybercriminalité. Nous analysons alors les motivations des groupes criminels, leurs organisations, mais aussi et peut être surtout comment ils gagent de l’argent !

Expliquer concrètement où en est l’entreprise

C’est le bon moment pour présenter la posture IT de l’entreprise et son organisation actuelle en terme de sécurité. Il s’agit alors de la présenter simplement, avec des images claires et parlantes : êtes-vous plutôt dans un modèle « château fort » à l’ancienne ? Ou avez-vous déjà ouvert vos portes suite à la transformation numérique et avez-vous adopter un modèle porche de l’aéroport ou la sécurité est renforcée plus on va vers des systèmes critiques ? Cela permettra de concrétiser la situation.

Après cette phase de mobilisation et d’explication, vient naturellement la phase d’interrogation par les membres du comité exécutif. « Mais alors nous, nous en sommes ou face à ce risque de cyberattaque ? ». Face à cette question, soit vous avez la chance d’avoir un bilan de maturité fin et vous pouvez tout de suite le présenter, soit vous pouvez amener des premiers éléments qualitatifs voire quantitatifs partiels et expliquer qu’aujourd’hui vous avez besoin d’avoir plus de visibilité. Les éléments qui parlent sont les derniers rapports d’audits, les derniers incidents, des éléments budgétaires.

 

S’il est difficile au début de la démarche de parler budget et de se comparer car les données manquent, il est possible d’utiliser un indicateur simple et efficace, celui de vos effectifs dédiés à la cybersécurité. Nous disposons d’une base de données sur ce point et nous pouvons rapidement montrer à un COMEX où il en est rien que par sa mobilisation sur le plan RH. C’est simple et efficace pour les convaincre !

Ne pas repartir bredouille

Le risque majeur de cette sensibilisation, c’est que tout se passe bien mais que rien ne bouge ! En effet, vous pouvez avoir un message positif, « merci et rendez-vous dans un an pour une mise à jour », vous serez content mais vous n’aurez pas débloqué pour autant la situation. Il faut alors bien préparer l’étape d’après en indiquant dès cette présentation les principaux points de faiblesses ou de force ressenti et de quelle manière vous souhaiteriez les évaluer de manière plus précise.

En effet la deuxième étape est souvent la réalisation d’un bilan de maturité dédié pour bien savoir comment se positionner ! Si à ce moment, la réunion s’est déroulé, le COMEX intrigué et intéressé par le sujet voudra en savoir plus et donnera un accord de principe. Attention cela ne sera peut-être pas directement un budget, il vous renverra certainement vers le DSI ou le directeur des risques pour l’obtenir, mais vous aurez avec leur accord un levier formidable pour passer à l’étape d’après ! Rendez-vous au prochain épisode.

Cet article Créer une relation de confiance avec son comité exécutif : première étape, la sensibilisation ! est apparu en premier sur RiskInsight.

Aujourd’hui, une attention forte est portée à la quantification du risque, et à juste titre. Il reste pour autant un sujet très complexe. Deux raisons évidentes à cela : nous manquons cruellement d’informations et de retours d’expérience précis sur le sujet ; mais aussi parce que les attaques cyber engendrent de nombreux impacts intangibles (réputation, désorganisation interne, préjudice stratégique, arrêt des opérations) ; ou à couts indirects (chute des ventes, pénalités contractuelles, baisse de valorisation de l’entreprise sur les marchés, etc.).

Nous distinguons aujourd’hui des pistes prometteuses pour quantifier le risque, et des premières solutions permettant d’automatiser cette quantification.

Pourquoi chercher à quantifier le risque cybersécurité ?

Que ce soit pour échanger avec les directions générales, les métiers, voire même les assureurs, il y a un véritable besoin de parvenir à évaluer les risques cyber de la manière la plus objective possible. L’enjeu est double : gagner en pertinence et en légitimité. L’une des pistes possibles est donc de traiter le risque cyber sous le prisme financier, comme tous les autres risques de l’entreprise pour les rendre significatifs pour les décideurs.

Convaincre et démontrer l’efficacité des investissements auprès des comités exécutifs

L’un des véritables enjeux de la quantification des risques cyber réside dans la construction d’une relation de confiance avec les comités exécutifs sur le long-terme. Dans un premier temps, adopter un discours clair pour les convaincre et décrocher des investissements nécessaires au lancement de programmes de sécurité structurants. Pour ensuite démontrer l’efficacité des investissements menés et ainsi pérenniser la relation avec les comités exécutifs dans le temps : démontrer la réduction des risques de manière chiffrée et l’évolution du risque sur plusieurs années. Cela est clé, notamment à la suite de la crise COVID va déboucher sur une réduction et une optimisation des budgets cybersécurité au sein des entreprises. Il sera donc primordial de quantifier le risque cyber pour un contrôle plus fort sur le ROI des investissements cybersécurité.

Sensibiliser et ainsi embarquer les métiers dans la démarche de cybersécurité

La démarche de sécurisation du système d’information d’une entreprise ne peut se faire sans l’instauration du Security by Design, et en ce sens, ne peut se faire sans embarquer les métiers. Parler le même langage est donc nécessaire.

Adapter les plans d’assurance sécurité (PAS) pour ne pas être pris au piège

Enfin, afin de ne pas se retrouver au pied du mur en cas d’attaque, il est primordial pour les entreprises d’anticiper les potentiels coûts d’une attaque afin d’adapter les provisions et les assurances. Cette quantification leur permet de réaliser cela.

Quelles sont les principales difficultés à date ?

Des impacts qui restent pour la plupart intangibles, ou indirects

Compte tenu de leur nature intangible, il parait de prime abord complexe d’évaluer objectivement certains impacts d’attaques cyber. C’est par exemple le cas de l’impact sur l’image de marque, sur la réputation d’une entreprise ou encore le préjudice stratégique, la désorganisation interne. D’autres risques sont bel et bien tangibles mais indirects, ce qui complexifie encore la tâche des entreprises souhaitant quantifier leurs risques, c’est par exemple le cas de la perte de parts de marchés, de la baisse de valorisation de l’entreprise sur les marchés, etc

Une difficulté à estimer avec certitude le degré d’exposition d’une entreprise au risque cyber

Il n’existe pas de formule universelle pour calculer l’impact d’une attaque sur une entreprise. Cela dépend de nombreux paramètres : taille de l’entreprise, niveau de complexité et d’ouverture du système d’information, maturité cyber, etc. Le niveau d’exposition d’une entreprise dépend essentiellement de son niveau de maturité cyber sécurité. Il existe des référentiels tels que NIST, ISO, CIS, etc. pour estimer le niveau de maturité en cybersécurité, mais encore peu d’entreprises parviennent à les mettre en œuvre ou à les utiliser pleinement.

Un cruel manque d’informations sur les attaques les plus récentes et leur coût

Les entreprises souhaitant quantifier leurs risques cyber sont confrontées à une absence de base de données statistiques sur le coût des cyber-attaques. Bien sûr, la plupart des entreprises communiquent peu, voire pas à ce sujet, probablement pour ne pas effrayer leurs clients et leurs partenaires. Et pourtant, la collaboration serait clé face à des attaquants toujours plus astucieux : tant pour augmenter leur cyber-résilience que pour faciliter la quantification du risque. Par exemple, les entreprises Altran et Norsk Hydro ont été touchées par des ransomwares similaires en provenance du même groupe d’attaquants !

Quelques premières pistes pour quantifier le risque cybersécurité

Christine Lagarde, présidente du FMI, s’est d’ores et déjà emparée du sujet et a publié un billet et une méthodologie de quantification des risques s’appliquant au secteur bancaire, utilisée au sein du FMI. Alors comment étendre la quantification aux autres secteurs ?

Les prérequis à une quantification des risques optimale

La méthodologie FAIR est l’une des plus répandues pour quantifier les risques. Une quantification des risques efficace induit :

• Une bonne connaissance de ses risques les plus critiques. En effet, vu la complexité de FAIR, il ne vaut mieux pas s’éparpiller et se concentrer sur les scénarios de risque les plus importants. Encore faut-il les connaître ! Un travail de cartographie des risques est à prévoir dans lequel la mobilisation des métiers sera nécessaire ;
• Une bonne compréhension des mesures de sécurité existantes pour estimer sa capacité à résister à des attaques et les impacts résiduels ;
• Une première ébauche d’un référentiel des coûts types (honoraires d’avocats, de cabinet de communication, etc.), que sera complété dans le temps, ce qui nécessite une expertise métier pour identifier et estimer les coûts.

Aussi, l’estimation du coût des risques, du fait de sa nature transverse appelle à la collaboration de nombreux acteurs de l’entreprise (RH, juridique, etc.), ce qui peut être complexe à mettre en place.

La méthodologie FAIR, une approche qui vient préciser certaines phases de l’analyse et du traitement des risques

Introduction à la méthodologie FAIR (Factor Analysis of Information Risk)

En 2001, Jack Jones était le RSSI de Nationwide Insurance. Il était lui-même confronté aux interrogations persistantes de sa direction générale lui demandant des données chiffrées sur les risques auxquels était exposée l’entreprise. Face à l’insatisfaction causée par le flou de ses réponses, Jack Jones a mis en place une méthodologie pour estimer, de manière chiffrée, les risques pesant sur son entreprise, c’est la méthodologie FAIR.

Concrètement, comment celle-ci se différencie d’une méthodologie d’analyse des risques, tel que EBIOS ?

La méthodologie FAIR ne vient en aucun cas remplacer l’analyse de risque : FAIR est une méthodologie permettant d’évaluer les impacts et les probabilités d’un risque de manière plus fiable. Les impacts sont toujours traduits en pertes financières afin de rendre tangible l’évaluation réalisée. Les compléments apportés sont illustrés par le schéma ci-dessous.

Schéma 1 : FAIR, une approche qui précise certaines phases de l’analyse et du traitement des risques

Habituellement, l’évaluation du risque cyber se traduit par plusieurs types d’impact (impact d’image, financier, opérationnel, juridique, etc). La particularité de la méthodologie FAIR est de transposer chaque impact à un coût financier (coûts direct, indirects, tangibles et intangibles). Par exemple, si un scénario de risque présente un impact sur l’image de l’entreprise, FAIR traduit ce risque sous forme de risque financier en évaluant le coût de l’agence de communication que l’on mobilisera afin de redresser l’image de l’entreprise notamment. Si le directeur général d’une entreprise est mobilisé dans le cadre d’une gestion de crise, alors il faudra estimer le temps passé à gérer cette crise et monétiser celui-ci.

 Comment appliquer la méthodologie FAIR ?

Un risque quantifié en euro est le facteur de la fréquence d’attaque réussie (loss event frequency) et le coût de l’attaque réussie (loss magnitude). Le schéma ci-dessus présente la démarche utilisée par la méthodologie FAIR afin d’estimer ces deux caractéristiques.

Schéma 2 : les critères pris en compte par la méthodologie FAIR pour estimer les risques (traduction non disponible à date)

• Calcul de la « Loss Event Frequency »

Le « contact frequency » représente la fréquence à laquelle la menace (« threat agent ») entre en contact avec le bien à protéger. Par exemple, il peut s’agir de la fréquence à laquelle a lieu une catastrophe naturelle à endroit donné.

La « probability of action » est la probabilité que la menace agisse de manière malveillante sur le système une fois le contact effectué. Celui-ci ne s’applique que lorsque le threat agent est un être vivant (ne s’applique pas dans le cas d’une tornade par exemple). Cela se déduit du gain, de l’effort et du coût de l’attaque et des risques.

De ces deux paramètres en découle la « threat event frequency ».

La « threat capability » consiste à estimer les capacités du threat agent tant en matière de compétences (expérience et savoir) qu’en matière de ressources (temps et matériel).

La « resistance strength » est la capacité de resistance de l’entreprise face à ce scénario d’attaque. la resistance threat se calcule à partir du niveau de maturité cyber de l’entité par exemple avec une analyse d’écart à NIST.

De ces deux paramètres en découle la « vulnerability », puis la « loss event frequency ».

• Calcul de la « Loss Magnitude »

Les « primary loss » constituent le coût des pertes directes. Cela comprend notamment : l’interruption des opérations, les salaires versés aux employés alors que les opérations sont interrompues, le coût de la mobilisation de prestataires pour pallier l’attaque (restaurer les systèmes, mener les investigations), etc.

Les « secondary loss » constituent les pertes indirectes, provenant des réactions d’autres personnes impactées, et sont plus difficiles à estimer. Par exemple, les « secondary loss » peuvent couvrir la perte de part de marché engendrée par la dégradation de l’image de l’entreprise, les coûts de notification d’une attaque via une agence de communication, le paiement d’une amende auprès d’un régulateur ou encore des honoraires d’avocat pour se défendre en justice, etc. Celle-ci se calcule en multipliant la « secondary loss event frequency » et la « secondary loss magnitude » pour chacun des coûts indirects.

Une solution qui accompagne les entreprises dans la mise en application de cette méthodologie

Au-delà de la description théorique de la méthodologie, des solutions se développent pour permettre aux entreprises d’appliquer la méthodologie de manière concrète. C’est le cas de la start-up Citalid qui, par exemple, propose une plateforme de quantification des risques cyber en s’appuyant sur la méthodologie FAIR. Celle-ci permet au RSSI d’affiner et de rendre cohérente la quantification des risques grâce à de la threat intelligence (pour le suivi des attaquants dans le temps). Pour utiliser la solution, l’entreprise doit renseigner des éléments relatifs à son contexte et, pour chacun des scénarios de risque à quantifier, compléter un questionnaire NIST (50 questions pour le plus basique ou 250 pour un niveau de granularité plus fin) et le reste est calculé automatiquement.

Quelles sont les avantages et les limites de la méthodologie FAIR ?

La méthodologie FAIR apporte principalement les éléments suivants :

• Elle permet à l’entreprise d’identifier et d’évaluer plus précisément les risques les plus importants. Pour chacun des scénarios de risque choisis, la méthodologie permet une estimation des pertes financières moyennes et maximales et une fréquence estimée. Par exemple : « la probabilité de perdre 150 millions d’euros en raison de la propagation d’un ransomware destructif de type NotPetya exploitant une faille 0-day Windows est de 20% ».
• Elle permet l’estimation des coûts-avantages du plan d’actions de réduction des risques. En jouant avec la « resistence strength », il est possible d’estimer le retour sur investissement (ROI) des mesures de sécurité à mettre en place.
• Elle transpose tous les risques cyber en un risque financier ce qui permet une meilleure compréhension du risque par les dirigeants de l’entreprise.

Cependant, l’application de FAIR n’est pas sans contraintes car elle demande des ressources parfois importantes (tant en nombre de jours hommes que de connaissance du contexte de l’entreprise). La quantification du risque ne couvre par ailleurs qu’un périmètre restreint (1 scénario de risque). Aussi, la quantification du risque avec la méthodologie FAIR nécessite d’être affinée avec des abaques types de coûts associés à un impact cyber. Cela peut par exemple se faire en capitalisant sur les analyses post-mortem d’un crise cyber qui permettent souvent de donner une illustration réelle des impacts financiers.

Ainsi, la méthodologie FAIR est une piste prometteuse mais qu’il faudra se l’approprier dans le but d’en tirer des bénéfices concrets.

Cet article La quantification du risque cybersécurité est apparu en premier sur RiskInsight.

Defining a cybersecurity strategy in a large company

The name is not always the same: master plan, security model, action plan, roadmap but the basic idea is always to set a set of projects that will allow to converge towards a 3-4 year security target, shared and understandable by the top management. 15 years of master plans means 15 years of introductions based on accelerating the threat, tightening regulations, accompanying transformations; the reasons for establishing a cyber strategy are still globally the same. The method for designing a cyber master plan has evolved considerably.

10-15 years ago, life was simple.

A master plan could be constructed in a few interviews with the ISSR and his team, “according to experts”. To provide a logic, consultants would base themselves on a pictorial model such as a fortified castle or an airport, which served as a pretext for setting up the fundamentals and explaining the choices. The attacks still seemed remote, the cyber was less dispersed than today and all the master plans were more or less the same. With a little hindsight, these cyber strategies above all had a great real role in raising awareness / training top management, who were gradually involved in the choices and discussions.

In 2021, the context has changed a lot. It is no longer enough to say “expert opinion”: some major accounts are now investing hundreds of millions of euros a year in cybersecurity, and executive committees are demanding more evidence of the effectiveness of the strategy deployed. All the more so since the “fundamentals” (patching, bastion, etc.) are now supplemented by an arsenal of measures, each more specific than the last, which raise questions about the relevance of a single strategy for a large company. It is clear, for example, that between a retail bank focused on the leakage of customer data and an investment bank fearing unavailability of certain trading channels, the priorities are different. The current crisis is certainly likely to reinforce this trend: strategies must now be much more finely tuned to the business lines.

A pragmatic and agile strategy, aligned with business priorities

The first months of work are always devoted to the method that will bring rigour and credibility with management and regulators. Very concretely, it is a question of defining the company’s Cyber Framework and a method enabling each entity to define its Target Profile (target to be reached on the Framework). Differentiated strategy for each entity.

Large companies no longer have questions about the Framework and NIST has established itself as the market leader. The 5 functions (identify, protect, detect…) speak volumes to management and above all its popularity favours the Benchmark. The frameworks chosen do not matter anymore, as long as they are based on a market reference. It should be noted that most companies do not hesitate to specify controls to make them more pragmatic: EDR, SOAR, AD security, anti-fraud; the Framework simply acts as a library of potential controls on which the company will base its strategy.

In large companies, the Group often imposes a first level of security for all, corresponding to the pursuit of fundamentals: SOC, bastion, patching, etc. Most systemic attacks still exploit these weaknesses, and the risk of inter-entity propagation must be managed in a cross-functional manner. This common target is quite similar from one company to another and is generally established on the basis of benchmarks provided by the consulting market. More challenging, each entity is then led to define its own target, according to its own stakes. Beware, the mapping and weighting mechanism between the Framework controls and the risk mapping can be complex. The key is often to get out of the cyber sector and work jointly with the Risk Department.

The must-haves of the moment: AD and IAM security

The figures resulting from the cyber strategies of major French companies are important: 10-20M of investment on average per year in the industrial sector, and up to 100-150M per year for Financial Services. Each strategy is different but recent feedback shows that budgets are fairly evenly balanced between 4 types of projects:

1. Security foundations (patching, awareness, director security, etc.)
2. Protection of sensitive environments (LPM, AD security, data protection, etc.)
3. Zero-trust convergence (inventories, IAM, risk-based authentication, compliance, etc.)
4. Cyber-resilience (detection, crisis management, reconstruction, business continuity, etc.).

A few years ago, the NCS and the LPM were definitely emerging as the top priority topics. Today, they are very much in competition with Active Directory security and AMI.

Cyber strategy is an essential tool for setting the course, federating actions, and involving management. However, establishing a multi-year master plan is a great opportunity to get teams on board around a common goal. Some security departments have grown from a few dozen people to several hundred or even thousands in the space of a few years, and many employees are currently looking for a meaning in their role. One should take advantage of this “moment” that is the creation of the strategy to create aspiration, enthusiasm, real team spirit in the sector. It is the ideal moment to multiply the work groups, involve as many employees as possible, adopt a transparent approach, have the top management challenge the teams; in short, turn this strategy construction into a sector event.

Cet article Defining a cybersecurity strategy in a large company est apparu en premier sur RiskInsight.

DIFFERENT STRATEGIES TO safeguard AGAINST DEEPFAKES

Concurrently with the legal framework, public and private organisations get organised to put forward solutions allowing to detect and prevent the malicious spread of deepfakes. We can distinguish four strategies to safeguard against deepfakes.

1/ Detecting the imperfections

Detecting the deepfakes by their imperfections is one of the main existing methods. Some irregularities remain in the generated contents, such as the lack of blinks and of synchronisation between the lips and the voice, distortions of the face and accessories (arms of the glasses), or the inaccuracy of the context (weather, location).

The deepfakes are however built to learn from their mistakes and generate a content that is increasingly alike the original, making the imperfections less perceptible. The tools using this deepfake detection strategy can be effective but require a constant improvement to detect ever more subtle anomalies.

We can cite in this category Assembler, a tool intended for journalists developed by Jigsaw (branch of Alphabet, parent company of Google). It enables to verify the authenticity of contents through their analysis via five detectors, amongst which the detection of anomalies of patterns and colours, of copied and pasted areas, and of known characteristics of deepfakes algorithms.

2/ Screening and comparative analysis

Comparing the contents with a database of authentic content or by looking for similar content on search engines to see whether they have been manipulated (for instance, by finding the same video with a different face) is another strategy allowing to pre-empt deepfakes.

In 2020, the AI Foundation should make available a plugin, Reality Defender, to integrate to web browsers and over time to social networks. It will allow the detection of manipulations of contents, targeting first the politicians. Users will be led to adjust the sensitivity of this tool, according to the manipulations they will want to detect or not, not to be notified for every manipulation of content, notably for the most ordinary manipulations (photo retouch on a web page done on Photoshop for example).

3/ Watermarking

A third method consists in marking the contents with a watermark, or digital tattoo, to facilitate the authentication process by filling in their source and following the manipulations undertaken on these contents.

A team from the New York University works on a research project to create a camera embedding a watermarking technology meant to mark the photographed contents, in order not only to authenticate the original photography, but also to mark and follow all the manipulations carried out on it throughout its lifecycle.

4/ Involving the human factor

Involving the users in the detection process allows both mitigating deepfakes’ impacts by making them realise that the alteration of the acceded contents is possible, and to reduce deepfakes’ occurrence by allowing them to report the ones they suspect.

The plugin Reality Defender already mentioned will give users the possibility to report the contents they judge as fake so as to inform the other users – which once added to the analysis realised by the tool, will be able to see if the contents have been reported by other users, offering a second level of indication.

Some initiatives carried by cooperation of cross-sector actors combine these four strategies for a maximal efficiency against deepfakes. Some are already used or tested by journalists. It is the case of InVID, initiative developed within the scope of the European Union Horizon 2020 program of financing of research and innovation, used by the French press agency (AFP).

Solutions and strategies are therefore emerging, the market is developing, and new innovative solutions should appear very shortly with the results of the Deepfake Detection Challenge. This contest anti-deepfake was launched by Facebook upon the approach of the American presidential election, and more than 2,600 teams signed up. Results the 22^nd of April!

Below a table presenting examples of initiatives combining different strategies to safeguard against deepfakes.

Different means to protect one’s activity

The risk deepfakes present for businesses is genuine, and a few actions can be taken to protect one’s activity and mitigate its impacts from now on.

• Estimating the exposure: The use cases of deepfakes and the worst-case scenario of their use must be determined on the perimeters of the company, taking the fraud and undermining risks into consideration, and identifying the appropriate security strategies.

• Raising awareness: The collaborators must be made aware of the detection of deepfakes (to avoid the cases of fraud) but also of the limitation of shared contents on social media that can be reused to create deepfakes (to avoid the undermining). Just like anti-phishing campaigns, this awareness campaign focuses both on the detection of technical faults (form) of the deepfakes (although they will be led to disappear with the improvement of techniques), but mostly on the detection of the suspicious nature of information (content), encouraging the audience’s suspicion, cross checking of information and notification of the suspicions to the appropriate teams (what to do if I see a suspect video of my head of communications on the social networks during the weekend? What to do if I receive a vocal message of my chief asking me to execute a punctual operation that is slightly out of my perimeter?).

• Adapting the verification processes: The existing anti-fraud plans can be redesigned to be applied to deepfakes. For instance, for a Fake President fraud via deepfakes, one of the recommendations is to suggest to the interlocutor to hang up and call him back (if possible on a known number, and after an internal check). For the most sensitive fraud scenarios, these reaction processes must be finely defined, and the concerned collaborators regularly trained to the reflexes to adopt. Tools such as the ones defined earlier can also be used to verify all or any part of the media used by the collaborators.

• Protect the contents: The contents representing collaborators shared internally or externally by the company can be controlled to avoid them being reused to generate deepfakes. Businesses can limit the diversity (angle of the people and types of media) of the data potentially usable by malicious actors, and play on the digital quality (definition) of the shared contents. In fact, the more the malicious actors benefit from diverse and good quality contents representing the collaborators, the more it facilitates their reuse to generate deepfakes. Moreover, businesses can limit their means of communication to an official channel, verified social networks and their official websites – which creates contents’ consumer habits for the audience, that will be suspicious of all diffusion out of these habits.

• Anticipate the crises: The communications requirements in the case of a proven incident linked to deepfakes must be anticipated, and the management of the deepfake case must include the “generic” communications scenarios addressed in the crisis communication plans.

Cet article Deep dive into deepfake – How to face increasingly believable fake news? (2/2) est apparu en premier sur RiskInsight.