Worldwide Flight Service IT Chief
CIOs who ensure long-term resilience against cyberattacks move beyond a reactive approach to incidents and take a proactive stance that embeds security within the business strategy.
That was the view of a cybersecurity panel at the DTX Tech Predictions Mini Summit, which included Adam Lalani, head of IT at ground-handling specialist Worldwide Flight Services (WFS), as well as industry experts from Sophos and Rapid7.
The potential cybersecurity threat from nation-state hackers was discussed during the panel in the light of escalating tensions between Russia and Ukraine. While Lalani recognized that cyber risks can come from multiple directions, he said WFS does not deal with state-sponsored hackers as a separate and discreet security threat:
We always have to be alert - and I think anyone in any enterprise would feel the same. It's very much an arms race between threat actors that are looking to leverage their tools and then for us to find the defensive tools to stop that. I don't think we've changed our posture in any way. We are always aware that there is a possibility of things happening to us.
Lalani said he finds it more concerning that far too many businesses only start to focus on cyber defence once they see other companies struggling. What's more, he said that reactive style of approach often only begins when companies see the impact of a cyberattack in closely related enterprises:
An organization will only start to take these sorts of things seriously if another organization in this same sector or a similar field has been affected.
To provide further clarity, Lalani gave an example from earlier in his own career, when he worked for an oil company and a competitor suffered a serious cyber issue. That incident at the rival firm led to a range of security projects being implemented in the company that he worked with at the time:
That incident led to a massive amount of investment in tools to help defend ourselves against ransomware.
Lalani gave a second example from a subsequent position he held at a local government organisation in London. After a London borough suffered a major security incident, other closely connected organizations took steps to halt the potential cyber threat:
Councils up and down the country started taking things seriously. I worked for two London councils as a bi-borough IT service and there was such a reaction. There was a huge amount of work that had to be done to try and remediate things that would never have been approved previously. There was such a reaction that led to us taking steps to make sure that we had mitigated as far as possible any potential avenues of attack.
The onus is on IT
The panel suggested these kinds of experiences are far from rare. Lalani recognized that in-built reactivity is "a big problem" across the private and public sectors, with investment in cybersecurity is often seen as a nice-to-have rather a must-have:
Cybersecurity is not seen as exciting or something that is relevant to the board - it's just seen as an IT thing and that's completely wrong. It should be part of board-level risks that are discussed.
He said the onus is on IT professionals and other experts in the security space to change that perception and help everyone else in the business to understand the potential dangers that come from under-investing in cyber-defence technologies:
We need to remove some of the jargon. We're all guilty of using jargon down the years. But we ought to try and make things as simple as possible because we're the ones that have to clean up afterwards. I suffered a ransomware attack in another organization. Thankfully, it was a recoverable one. And because we'd made the efforts to take steps after an incident at another company in the sector, we were able to recover with no loss of data and it was just a bit of downtime to rebuild.
The panel agreed that visibility into potential threats is key. Senior executives must recognize that their customers will want to know that the businesses they work with are taking steps to protect systems and data. A CIO who doesn't have the tools in place to measure the potential cyber threat won't be able to manage it successfully. Lalani says there are two key take-aways for other senior business leaders: identify what data is most important to your business; and make sure that you have as much visibility into your systems and infrastructure as possible:
Identify what is important to your organization. Perform a proper business impact analysis, so you identify what is key and what would cause the most significant loss to your organization. These are the areas that you should be looking to defend the most. That analysis is extremely important, but I think it's often overlooked. It's common sense when you say it, but the reality sometimes can be challenging.
When it comes to ensuring visibility across networks and systems, Lalani said he worked at one point in his career with a well-known cybersecurity provider that sold network probes. He said installing these probes across different segments of the network identified a range of devices that people were unaware were being used. Lalani said it's extremely important that businesses use these kinds of specialist measuring tools because the things your organization doesn't know about are the things it can't defend against:
The key is visibility. Organizations often slap a couple of monitors onto servers and endpoints, and they think it's great because they're getting lots of information coming in. But having probes sitting on various network segments and being able to analyse the traffic is extremely important. Often, that's where the things that we wish weren't happening are happening - and we don't see them.
You need to know what's going on across the network outside of the devices that have got monitoring in place. So, I feel that this is an area that is often overlooked and that is where there is a lot of space to play for the threat actors.
Gloss