Cyber Security and the Need to Safeguard People, Society, Companies and Nations
We had the privilege of interviewing Erin Casteel, a major contributor to the development of ISO/IEC 20000, the International Standard for service management; she has been project editor for multiple parts of that standard. Erin works with ISO in creating standards, and she is passionate about helping organizations run, build and improve resilient, integrated organizational ecosystems that support their products and services and improve their risk profile.
This is our take away from the discussion:
Cyber security means different things to different people. ISO standards give a useful reference point: in the ISO/IEC 27000 series for information security management, the information security management system (ISMS) has a defined scope, and that scope is the organization.
Erin said in the interview (with Ivanka Menken) that the working definition of “cybersecurity” is the safeguarding of society, people, organizations and nations from digital risks.
But we need to be able to differentiate between information security and cyber security. For one, cyberspace is public: it is not something that can be controlled from within a single organization. Cyber security, then, is the security of the cyberspace that sits between organizations.
While there are overlaps between information security and cyber security, there are also differences. We need to look at, understand and manage both.
The question is how?
Erin stressed that giving people examples is important so they can understand the distinction. We can explain that an organization protects its own information within its own boundaries; that is the scope of information security management.
Cyberspace, by contrast, is something all of us interact with as individuals, as organizations and as nations; it exists at all of those levels.
As individuals we need to be conscious of this and take control: we need to manage and protect ourselves in that cyberspace. It comes down to every person having the responsibility to do the right things to protect against cybercrime. Organizations now share threat intelligence, because it is in their common interest to be protected against cyber threats.
If your organization already has an ISMS, you might say you already have this under control. You may think you are covered because you already have many security measures in place, but in reality that is not the case.
It really isn’t something we arrive at and achieve once; it is always an ongoing journey. We look at our current cybersecurity posture, we define the posture we prefer (or the improvements we want to make to the current one), and then we look at the things we need to keep doing in order to get there.
Around 196 different cybersecurity frameworks have been developed, and they contain a lot of useful information that can help organizations. The NIST Cybersecurity Framework, for example, is existing content that is itself maintained on an ongoing basis. The work never ends.
It isn’t just about the organization, and neither is information security: you have to look at and clearly understand your full ecosystem, including the entire supply chain. If you’re a service provider, you have to understand all of your customers.
For example, every time you onboard a customer, you onboard that customer’s adversaries as well. And when you are a service consumer, you also have to be cognizant of the ecosystem of your service providers. It is an interesting and challenging scope, but there are quite a few things out there that can help you improve, and all organizations and all individuals can improve.
The myth that “a hundred percent perfect security is possible” is not even remotely true; we live in the real world, and we all have to address this. We have to understand how to deal with cyber attacks, and we have to do so within the constraints of real life.
And then there’s the myth that cyber security, or information security, is an I.T. issue. That is absolutely not the case. Luckily, there is now far more visibility, understanding and focus in the boardroom around cybersecurity. There has been significant improvement on that front just in the last four or five years, probably because there is now regulation or law requiring you to tell people when you’ve been breached, that is, mandatory breach reporting.
When boards know that they are going to be responsible and accountable for something, obviously they pay a lot more attention. If you think about GDPR, which is a big topic these days, there is also the issue of the fines that organizations can incur. When boards consider having to pay the fines set out in the regulation, of course they are going to pay attention.
There should be a more comprehensive way of looking at organizations, their ecosystems and cyberspace. One primary area of focus is organizational resilience and organizational agility. Cybersecurity is absolutely essential to that, but it needs to be thought of in terms of how it works in an integrated way with everything else rather than as something that happens in isolation.
It doesn’t matter whether you are a small or large organization; everybody needs to be resilient. We all need that resilience to make it in this competitive world, not just in the short term but also in the longer term. You need to keep your ears and eyes open to what is happening in the industry and beyond, across that whole ecosystem.
One thing to do is to differentiate between agility and resilience. We talk a lot about organizational agility, which is an internal set of capabilities, whereas resilience is about everything external to the organization.
So when we talk about resilience, we think of it in terms of resilience to external things: economic, political, environmental, technical and all the other external factors that can influence our ability to be successful, to survive and to thrive.
By looking at the organization in terms of its internal ability to be agile, to move and change in the incredibly fast paced world we live in now, and then combining that with the external perspective, which is the resilience side, you get both perspectives. That is much more solid and more complete.
Cyber security is essential to all of that and to all of the capabilities we put in place to facilitate that resilience, so that we can deliver value rather than stumbling over the obstacles we encounter daily. That is the goal, and it is always an ongoing challenge and an ongoing opportunity. But that is what’s exciting, and it depends on what your focus is. If your focus is on your vision and your strategy, yes, you have obstacles along the way, but you hurdle over them because they are just part of the journey. If instead you focus on the obstacles themselves, it becomes so overwhelming that you forget to see what is at the end of the tunnel. You forget why you are doing the things you are doing; you lose track of your purpose as an organization and of the vision of where you want to go. That even affects the decisions you need to make, such as “are we collecting too much data?”
In terms of information security and cybersecurity capabilities specifically, there is a good deal of really useful information out there to help organizations who are looking for people. It ties back to agility and resilience, because in order to achieve those you also need to add in other, quite different skill sets.
You need to look at the people side. You need people with really good written and verbal communication skills, and if you can combine all of these in a couple of people, so much the better.
You need to think about training and communication. You need to think about people who are really good at policies, and people who are good at measurement and analytics, which is a pretty massive aspect of cybersecurity for organizations. Having that kind of skill set is incredibly helpful.
And then make sure you have balance, so that within your team there is focus on people and organizations, on both information and technology, and on your products and services and your supply chain.
But 85 percent of businesses, maybe even 95 percent, are small to medium sized businesses, and they are the biggest target for cyber crime, for hacking, for whatever people come up with in that creative nastiness. Those organizations probably don’t have this skill set in house. So, what can they do? What can business owners do? What can people in small to medium businesses do to protect themselves? Knowing that you can’t protect yourself 100 percent, what is an easy thing to do to become better aware, better protected, or to take a step towards that agility and resilience?
There are really easy steps that anybody and any organization can take no matter the size.
ISO management system standards such as ISO/IEC 27001 are designed for any size and any type of organization.
A really easy starting point is simply to read ISO/IEC 27001 and ISO/IEC 27002, which covers the controls. They are not very long documents, and they give you a basic minimum set of things you need to be thinking about and considering.
If you read even just those two standards to start with, and then the NIST Cybersecurity Framework, you end up with a nice set of tasks.
Together they help you work through figuring out what you need to do and in what order, and they identify a lot of tangible things.
Even if you are going to bring in external people with those capabilities to support you (a very common way to handle it when you are a very small organization without the in-house capability), it is useful to at least get your head around the subject a little. Start to understand the terminology and learn about this before you go off and engage anyone: at least know what you don’t know, know where you need help, and have a basic idea of your scope and what you want to approach.
That is just the starting point, and taking it seriously is always the first step for everyone and for every organization, regardless of where they are at. Over time, as we evolve and continually improve, we can add things; the world is full of fantastic resources that can help us safeguard ourselves, our businesses and our nations.