June 2016

events

APPSEC Europe
Date: 27 June – 1 July 2016
Location: Rome
http://2016.appsec.eu
The OWASP AppSec conference brings together industry, government, security researchers and practitioners to discuss the state of the art in application security. The conference represents OWASP's largest effort to advance its mission of spreading security knowledge. The five-day conference includes technical talks by security experts, panels to debate tough topics, training sessions in top security areas, keynotes from industry leaders and vendor booths promoting the latest advances in security technology.

Security IT Summit
Date: Tuesday 5 July 2016
Location: London, United Kingdom
http://securityitsummit.co.uk
The Security IT Summit is a highly focused event that brings together IT security professionals for one-to-one business meetings, interactive seminars and valuable networking opportunities. You will have the opportunity to meet companies who offer the latest IT security solutions to reduce risk and threats in an increasingly insecure digital environment. With businesses frequently coming under attack from hackers looking to steal sensitive data, many organisations fail to take adequate steps to repel them. The future of digital security services depends on organisations getting better at finding ways to keep hackers at bay and protect data.

International Conference on Cyber Security
Date: 21-22 July 2016
Location: Zurich
https://goo.gl/OGsh8H
ICCS 2016, the 18th International Conference on Cyber Security, aims to bring together leading academic scientists, researchers and research scholars to exchange and share their experiences and research results on all aspects of cyber security. It also provides a premier interdisciplinary platform for researchers, practitioners and educators to present and discuss the most recent innovations, trends and concerns, as well as the practical challenges encountered and solutions adopted in the field of cyber security.

editorial

AI will change our life and the future of cyber security

Benjamin is a Long Short-Term Memory (LSTM) recurrent neural network, a kind of artificial intelligence (AI) often used for text recognition. Feed this network with the scripts of science fiction films, including classics like Highlander, Endgame and Interstellar, then ask Benjamin to write a screenplay complete with stage directions and music. The result is Sunspring, a short science fiction film: the story of three people living in a weird future, possibly on a space station and probably in a love triangle. Sunspring is not the product of Hollywood hacks; it was written entirely by an AI. We may also talk about TensorFlow: this week Google published a new version of its machine learning software with iOS support, so that apps can integrate neural network capabilities and become smarter and more capable. TensorFlow is the powerful AI software that already powers many Google services and initiatives, such as Inbox, Google Now, AlphaGo and Magenta. So the next smartphone will be a new virtual assistant, more acceptable to us as it becomes more personalized to our needs and better able to understand the context of our requests. AI is already present in many areas: we are accustomed to Amazon identifying items we may want to buy before we start searching, or Netflix preparing movie recommendations in advance of any decision we make. Elon Musk of electric car maker Tesla has also invested in OpenAI, a new non-profit artificial intelligence organization whose aim is to build value for everyone in the AI arena. It has released a tool called OpenAI Gym for developing and comparing so-called reinforcement learning algorithms, with code and examples to help anyone get started with reinforcement learning; for example, you may create a program that learns through experimentation how to play video games. OpenAI also lets users upload and share the projects they are working on. In April, MIT's Computer Science and Artificial Intelligence Laboratory published a new paper on AI and security, demonstrating that an AI platform can predict cyber attacks better than existing systems by continuously incorporating input from human experts. In this area AI may improve the ability of enterprises to protect their assets. The arrival of AI security systems capable of machine learning and fast response will be crucial for security: today companies need highly skilled security experts, and one of the problems is that these experts are busy and cannot be spent reviewing the tons of data that have been flagged as suspicious. An effective machine-learning system may be able to improve itself without overloading people. AI is changing the rules of the game: today's controls are rule-based, a kind of control that will no longer be effective on its own. The use of big data algorithms and the ability of this architecture to learn will increase security and defence capabilities. A big change will also come to video surveillance systems: today video analytics analyze footage in real time and detect abnormal activity, and AI may add more analysis and increase operational efficiency. In this scenario we will not depend solely on humans; AI-powered platforms may notify people about potential threats, helping companies prevent illegal activities. AI will help people work better, will secure our businesses, cities and homes and, as it does today, provide a better user experience in online shopping and entertainment.

Nicola Sotira
General Manager GCSEC

APPSEC Europe editorial - Global Cyber Security Center




Commentary for IT PRO on the impact of the impending EU Data Regulations on businesses, by Claudio Bastia, Managing Director Italy & South East EMEA, INFORMATICA
Responsible Disclosure for Security Vulnerability, by Elena Mena Agresti, GCSEC
A National Cyber Security Integrated System, by Massimo Cappelli, GCSEC
Organizational Resilience: harnessing experience, embracing opportunity, by Steve Cargill, Chief Information Officer, BSI

"The latest changes to the EU data protection legislation begin to spread the weight of responsibility across all of those involved in the data supply chain. Rather than just businesses who collect and use citizen data bearing the brunt of regulatory pressure, data-wranglers of all stripes will be expected to take on responsibility. Data service providers will not only have to prove their security chops to the businesses they sell to, but also to the regulator in evasion of penalties.

“We are moving into a data-centric era where big data fuels all interactions. Many are discovering how to build new revenue streams using the data available, whether through developing new services or selling on the raw information. So it’s clear that the trend toward regulating all those involved in the data supply chain is not going to reverse. This latest iteration of the regulation and the spectre of breaches has the potential to dampen the data gold-rush we are currently experiencing. The adoption of big data and all the promise it holds could be significantly restricted unless a different approach to security is taken. Security needs to become data-centric, being able to protect

Russian government hackers spent a year in our servers, admits DNC
http://goo.gl/CrRc9w
The US Democratic National Committee (DNC) has confirmed that hackers thought to be part of Russian state intelligence had access to its servers for nearly a year. They read emails, chat logs and opposition research documents. The attack was uncovered six weeks ago, after IT admins noticed something strange going on in the DNC's servers: all the computers in the opposition research department had been accessed and two files had been stolen. "The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with," Representative Debbie Wasserman Schultz (D-FL), the DNC chairwoman, told the Washington Post. "When we discovered the intrusion, we treated this like the serious incident it is ... Our team moved as quickly as possible to kick out the intruders and secure our network."

North Korea hacks 140k computers in planned mass attacks on Seoul
http://goo.gl/X2vs4n
North Korea has hacked a whopping 140,000 computers located in 160 South Korean firms, stealing 40,000 defence-related documents, Seoul says. The attacks, which targeted defence contractors among others, began in 2014 and were noticed in February. Police in the South say Pyongyang hoped to "cause confusion on a national scale", stealing "industrial and military secrets", and to compromise the nation's transport systems. Some 42,000 documents and files were stolen, of which about 40,000 were defence-related. Pyongyang denies ever hacking the South. Popular "network management software" was targeted in the attacks, but South Korean police declined to name the affected platform. Hacked computers were not immediately emptied but rather held in what is assumed to be preparation for a later co-ordinated mass attack. Unnamed officials at the South's cyber investigation unit told Reuters the stolen documents included blueprints for the wings of F-15 fighter jets.

Can artificial intelligence wipe out cyber terror?
http://goo.gl/Omn9WE
Slowly but surely, cyber security is evolving from the days of castles and moats into the modern era of software-driven business. In the 1990s, after several failed attempts to build secure operating systems, the predominant security model became the network-perimeter security model enforced by firewalls. The way it works is clear: machines inside the firewall were trusted, and anything outside was untrusted. This castle-and-moat approach failed almost as quickly as it began, because holes in the wall had to be created to allow emerging internet services like mNews, email and web traffic through.

Commentary for IT PRO on the impact of the impending EU Data Regulations on businesses by Claudio Bastia, Managing Director Italy & South East EMEA, INFORMATICA

in this issue

news


and track data in flight and regardless of where it resides. In our experience, very few businesses have granular awareness of where data is held and the risks it may be exposed to. At the heart of successful data security is understanding where applications create sensitive information in databases and how that information is proliferating as it's used by line-of-business applications, cloud services and mobile apps. Only then can businesses visualise where sensitive data resides, regardless of whether it’s inside or outside of the corporate perimeter, and secure information at its source. This will be critical to comply with these new mandates, which can only be enforced if companies know where within their data stores person-specific data resides. A data-centric approach will help hosting providers, integration companies and end-user businesses alike, giving them the ability to assess and manage risk more accurately. Another benefit of this is that businesses will be in a better position to negotiate contracts with their data service providers, by having an accurate picture of how much risk they can tolerate."

Cylance Cybersecurity Startup Raises $100 Million To Develop AI System
http://goo.gl/K9jGEB
Cylance, a company specializing in artificial intelligence (AI) and machine-learning solutions against malware and cyber crime, announced on Wednesday 8 June that it has raised $100 million to develop an AI system for cybersecurity. Cylance claims it already has around 1,000 customers using the company's software to protect themselves from advanced intrusions. It is not the only company using artificial intelligence to improve online security: Darktrace and Jask are using similar systems, while the Israel-based Fortscale uses big data analytics and machine learning to detect malicious user behavior.

Today organizations face an evolving scenario characterized by more sophisticated and targeted attacks that in many cases exploit known or zero-day vulnerabilities. The number of vulnerabilities discovered per year is increasing. In 2015 alone, the top 50 products by total number of distinct vulnerabilities accounted for 6,084 vulnerabilities, with Microsoft in first place, followed by Adobe and Apple [1].


Figure 1: Year 2014 [1]
Figure 2: Year 2015 [1]

Security teams of organizations, as well as researchers or hackers, directly identify numerous vulnerabilities. In 2012, an Italian university research group discovered and neutralized a serious vulnerability present in all versions of Android [2]. One year ago, VU University Amsterdam discovered a vulnerability in Google Android's two-factor authentication. The hacker and security expert community has skills, knowledge and know-how that could help organizations identify and fix vulnerabilities.

Many international organizations such as Facebook [3], Google [4], Nokia [5] and Apple [6] have already adopted the mechanism of “Responsible Disclosure”, in which experts, researchers or hackers report vulnerabilities directly to the owner of the affected information system, giving the organization the opportunity to diagnose and remedy the vulnerability before detailed information is disclosed to third parties or the public. This strengthens the organization's cyber security, minimizes the opportunities for cyber criminals to exploit these vulnerabilities, and gives reporters the opportunity to obtain rewards. On 12 May in Amsterdam, 30 organizations signed the Manifesto "Coordinated Vulnerability Disclosure”, an initiative started by Rabobank, a Dutch multinational banking and financial services company, and the CIO Platform,

[1] http://www.cvedetails.com/top-50-products.php?year=2014
[2] http://www.fbk.eu/press-releases/archive/italian-research-team-debugs-android
[3] https://www.facebook.com/whitehat
[4] https://www.google.com/about/appsecurity/reward-program/
[5] http://networks.nokia.com/responsible-disclosure
[6] https://hackerone.com/apple

Responsible Disclosure for Security Vulnerability

by Elena Mena Agresti, GCSEC



an independent association of CIOs and IT directors of private and public organizations in the Netherlands. In the Manifesto all the signatory parties raise awareness of the importance of cooperation between organizations and the ICT community to find and solve ICT vulnerabilities.

The Manifesto is not a legal document but a declaration of intent in which the companies declare that they support the principle of coordinated vulnerability disclosure and are committed to implementing the best practices described. Signatories include: ABN AMRO, ENCS, Honeywell, ING, NS, NUON, NXP, Palo Alto Networks, Philips, PostNL, SAAB, SNS Bank, Stedin, Surfnet, Tennet, TNO and Vodafone.

In the Netherlands and other parts of the world this cooperation mechanism has been active for several years and is based on cooperation between organizations and the cyber security community. A reporter, the expert who discovers a vulnerability, may responsibly (respecting the terms and conditions of shared disclosure) report a vulnerability in an information system to the member organization. In this way, the reporter enables the organization to identify and mitigate the vulnerability before third parties can exploit it. Responsible vulnerability disclosure concerns only security vulnerabilities: the channel cannot be used to report claims related to fraud, service quality or availability, or phishing. Reporters may test for vulnerabilities exclusively in accordance with the specific rules that each organization defines in the "Coordinated Vulnerability Disclosure Policy" published on its website. The reporter agrees to the terms and conditions for disclosure, acts in good faith and does not cause any service damage or interruption. The reporter does not abuse the vulnerability, does not publicly disclose or share knowledge about it with others without prior consent, does not publicly disclose a bug before it has been fixed, and does not make changes to the system or compromise services, systems or data. In return, the organization will not take legal action against those who discover and responsibly report a vulnerability, and may choose to give a reward. To be eligible for credit, a reporter must be the first person who responsibly discloses the bug and follows the responsible disclosure principles; note that the organization's own security team or other reporters may already have identified the vulnerability. If an organization decides to give a reward, the amount varies from case to case and depends on the value of the disclosure. In the case of Google, for example, rewards for qualifying bugs range from $100 to $20,000 [7].

Figure 3: Google's usual rewards [8]

In the case of IRCCloud, an IRC client company, the value of the reward depends on the severity of the vulnerability and on creativity. No maximum is defined, but in general the reward varies from $50 USD for minor issues to $500+ USD for major vulnerabilities. Rabobank offers a reward but does not publish information about it. iFixit, a wiki-based site that teaches people how to fix almost anything, also rewards users who report valid security vulnerabilities. In other cases, such as Appcelerator, a mobile app development platform and MBaaS company based in California, the company does not compensate for identifying potential or confirmed vulnerabilities.

[7] https://www.google.com/about/appsecurity/reward-program/


In accordance with the best practices provided by CIO Platform Nederland, the following flowchart shows the sequence of the various stages of Coordinated Vulnerability Disclosure.

Figure 4: Stages of Coordinated Vulnerability Disclosure (CIO Platform Nederland)

When a reporter finds a vulnerability, they should send a report to the organization's security team by email. The report should provide as much detailed information about the vulnerability as possible: a description, the attack scenario, evidence such as screenshots, video, logs and IP address, the vulnerable URL and parameter, instructions to reproduce the vulnerability, and possible solutions. Anonymous or pseudonymous reporting is possible in order not to disclose the reporter's identity; in this case, a researcher who sends the report from an anonymous account, under a pseudonym or via an intermediary cannot receive feedback or obtain a reward for the report. Many organizations, such as KPN, accept anonymous email. To guarantee a high level of security, messages to the organization can usually be encrypted and verified using the organization's GPG key. Once a vulnerability is reported, companies usually respond within 2 or 3 days, depending on the time needed to investigate; some, such as GitHub Security, state that they allow up to 24 hours for an initial response. The organization's security team validates the report, sends the reporter the agreement about publication, and fixes the vulnerability. If needed, the security team can ask the reporter to update

the investigation and provide more evidence or information. The reporter is kept informed of the progress of the investigation, has to accept and sign the agreement about publication, and can publish the vulnerability once approved by the company. In some cases, when remediation of the vulnerability is too expensive, difficult or impossible to implement, the organization can require the reporter not to make the vulnerability public. The reporter is responsible for their own actions and has to comply with the rules set out in the organization's Vulnerability Disclosure policy. The policy specifies what should and should not be reported. In almost all cases, the organization asks for bugs related to web application vulnerabilities such as XSS, CSRF, SQL injection, authentication issues, remote code execution and authorization issues. Self-XSS, denial of service vulnerabilities, spam and social engineering techniques are usually not eligible. Companies usually provide on their website a list of people who responsibly disclosed vulnerabilities in the past. The international commitment and the Dutch experience have shown the effectiveness of this type of collaboration, with a high number of reports received by different organizations followed by remediation of the vulnerabilities. Responsible disclosure brings many benefits to organizations. It enhances the organization's security level, limiting the economic impact and reputational damage related to a discovered vulnerability, and it improves the relationship and cooperation between companies and the security community. At the same time, we have to keep in mind some constraints or barriers. Legal implications are very relevant: each country has national or regional regulations that can significantly affect disclosure. An unclear responsible disclosure policy can result in a flood of notifications of which only a small part is valuable (duplicated information, non-applicable vulnerabilities, ...) or in no reports at all.
We also have to consider that responsible disclosure is a "cultural" matter. In many cases organizations are reluctant to publish information on their vulnerabilities, fearing to expose their weaknesses. But if on the one hand a company declares that it has been vulnerable, on the other hand it announces that it has fixed the issue, demonstrating its commitment to data and system protection, organizational transparency and social responsibility, which enhances the confidence and trust of customers. In Italy this mechanism is not well known: only a few local branches of international companies seem to be interested in it, or probably know the details of this approach. GCSEC aims to disseminate knowledge and awareness of coordinated responsible disclosure, creating the conditions for improving cooperation between companies and the cyber security community. GCSEC is supporting the creation of an Italian Manifesto on Coordinated Responsible Disclosure.
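As an added example (not from this article, nor from CIO Platform Nederland's best practices), the intake rules described above implemented as a small Python triage helper: the scope check, a request for missing reproduction steps, duplicate detection through a normalised fingerprint so that the first valid reporter keeps the credit, the no-feedback rule for anonymous reports, and the deadline for the initial response. The class tags, the 72-hour acknowledgement window and the sample reports are assumptions for illustration, not any organisation's actual policy.

```python
"""Intake triage for a coordinated vulnerability disclosure (CVD) mailbox.

Constructed example: the scope lists, the acknowledgement window and the
sample reports are assumptions for illustration, not any organisation's
actual policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlsplit

# Vulnerability classes a typical policy asks for, and classes it rejects
# (assumed tags; a real policy would define its own list).
IN_SCOPE = {"xss", "csrf", "sqli", "authn", "rce", "authz"}
OUT_OF_SCOPE = {"self-xss", "dos", "spam", "social-engineering"}


@dataclass
class Report:
    reporter: str           # e-mail or pseudonym; "anonymous" gets no feedback or reward
    vuln_class: str         # one of the tags above
    url: str                # vulnerable URL
    parameter: str          # vulnerable parameter
    reproduction: str       # steps to reproduce; empty means the report is incomplete
    received: datetime
    evidence: list = field(default_factory=list)  # screenshots, logs, ...


@dataclass
class Decision:
    status: str               # accepted | duplicate | out_of_scope | incomplete
    credit_to: Optional[str]  # reporter credited (the first valid one), if any
    ack_due: datetime         # deadline for the initial response
    reward_eligible: bool
    note: str


def fingerprint(report: Report) -> tuple:
    """Normalise what identifies 'the same bug', so a second report of the
    same issue is recognised even with a different query string or case."""
    parts = urlsplit(report.url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/").lower() or "/"
    return (report.vuln_class.lower(), host, path, report.parameter.lower())


class TriageQueue:
    def __init__(self, ack_hours: int = 72):
        # 72 h matches the "2 or 3 days" first response; use 24 for a GitHub-style window
        self.ack_window = timedelta(hours=ack_hours)
        self._first_reporter: dict = {}  # fingerprint -> reporter credited

    def triage(self, r: Report) -> Decision:
        due = r.received + self.ack_window
        cls = r.vuln_class.lower()
        if cls in OUT_OF_SCOPE or cls not in IN_SCOPE:
            return Decision("out_of_scope", None, due, False,
                            f"class '{cls}' is not accepted by the policy")
        if not r.reproduction.strip():
            return Decision("incomplete", None, due, False,
                            "ask the reporter for reproduction steps before validating")
        fp = fingerprint(r)
        first = self._first_reporter.get(fp)
        if first is not None:
            # Credit and any reward stay with whoever reported first.
            return Decision("duplicate", first, due, False, f"already reported by {first}")
        self._first_reporter[fp] = r.reporter
        if r.reporter.strip().lower() == "anonymous":
            return Decision("accepted", None, due, False,
                            "accepted; no feedback channel or reward for anonymous reports")
        return Decision("accepted", r.reporter, due, True,
                        "validate, send the publication agreement, fix, then publish")


def demo() -> list:
    """Run five constructed reports through the queue and return the decisions."""
    t0 = datetime(2016, 6, 1, 9, 0)
    q = TriageQueue()
    reports = [
        Report("alice@example.org", "xss", "https://Shop.example.com/search?q=1", "q",
               "1. open /search?q=<script>alert(1)</script>  2. observe the alert", t0),
        # Same bug, different casing and query string: must be flagged as a duplicate.
        Report("bob@example.org", "XSS", "https://shop.example.com/search/?q=%3Cimg%20src%3Dx%3E", "Q",
               "inject an img tag via q", t0 + timedelta(hours=5)),
        # Same class on a different endpoint: a distinct finding.
        Report("carol@example.org", "xss", "https://shop.example.com/account", "name",
               "set display name to a payload", t0 + timedelta(hours=6)),
        Report("dave@example.org", "self-xss", "https://shop.example.com/profile", "bio",
               "paste a payload into your own bio", t0),
        Report("anonymous", "sqli", "https://shop.example.com/item?id=1", "id", "", t0),
    ]
    return [q.triage(r) for r in reports]


if __name__ == "__main__":
    for d in demo():
        print(d.status, d.credit_to, d.ack_due.isoformat(), d.reward_eligible, "-", d.note)
```

The fingerprint deliberately ignores the query string and case: two reporters rarely send byte-identical URLs for the same injection point, and rewarding the second one for a re-encoded payload is the duplicate problem the policy text warns about. Anything the policy does not list is treated as out of scope rather than silently accepted, which keeps the queue from filling with low-value notifications.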


Is our National Cyber Security System a car already assembled? In recent months, Italian cyber security experts have debated the importance of moving forward on national cyber security affairs after a period of slow motion due to the "waiting for Godot" syndrome: the nomination of the Prime Minister's cyber security advisor. The main statements reported by media and experts have been:

• Need for clear governance of national cyber security;
• More dialogue between the public and private sectors;
• More investment;
• Centralization within an agency;
• More education and training.

In Italy, several actors currently guarantee national cyber security at the coordination and operational levels. All of them are working together to implement the National Plan for Cyber Security. I will not dwell on the strong efforts already made by institutions to build a strategy and a cyber security plan; many people have already said so in the media. I have just some observations on the overall picture, on the assumption that I probably do not have all the information, either because I missed some of it or because I do not have the clearance to know it. The first observation concerns the link between the 6 strategic directions (Indirizzi strategici) and the 11 operational directions (Indirizzi operativi). The relation between strategic and operational directions is not evident: connections exist, but they have not been clearly declared in a top-down approach. For example, it is not stated whether the two operational directions 4 (International Cooperation and Exercises) and 6 (Legislative interventions and compliance with international obligations) relate to strategic direction 6 (Strengthening international cooperation) or not. The second observation concerns the approach used to describe the specific objectives (obiettivi specifici). The objectives mix activities or services (e.g. 1.1 Threat and Vulnerability Analysis) with methodology (e.g. 2.1 Integration), so an activity to implement sits at the same level as the methodology with which to implement it. The third observation is that the plan is not driven by the services the National Cyber Security System wants to deliver. The services have to be deduced by reading between the lines: different specific objectives and lines of action (Linee di Azione) relate to a single potential service (e.g. Risk Management is one such service that we read between the lines; see the table below, which is not exhaustive).

Operational Direction | Specific Objective | Line of Action
1. Strengthen of the capabilities of intelligence, civil and military defense | 1.1. Threat and Vulnerability Analysis | 1.1.a. Analyze and assess cyber threats and vulnerabilities on a periodical base
2. Strengthen the organization, the coordination and the interaction at national level of public and private stakeholders | 2.2. Infrastructure | 2.2.d. Implement strategy to mitigate vulnerabilities
5. National CERT, CERT-PA and Departmental CERTs | 5.3. Development of a National Integrated Computer Incident Response Capability | 5.3.d. Develop a proactive integrated approach to reduce the risks of cyber security, that contemplates also a database of incidents and countermeasure…
10. Resource | 10.2. Measure the cost related to cyber event | 10.2.a. Identify metrics to assess the direct and indirect economic impact of cyber events, potential or already happened
11. Implementation of a National Information Risk Management System | 11.1. Methodology | 11.1.a. Identify a unique and shared Information Risk Management methodology at a strategic level, adopting a model for the Critical Information Infrastructure

Moreover, some lines of action seem to overlap each other (e.g. Information sharing is cited in 1.1.c.; 2.1.a.; 5.2.b.; 7.2.a). Looking at the 102 lines of action, they could be clustered into circa 11 services: planning; early warning; awareness; intelligence; incident response; legal affairs; test & quality assurance; risk management; investigation; education & training; standard & certification. A clearer approach could be to start from the identification of the services to be delivered by the system.

A National Cyber Security Integrated System

By Massimo Cappelli, GCSEC

Page 7: APPSEC Europe editorial - Global Cyber Security Center … regulation and the spectre of breaches, has the potential to dampen the data gold-rush we are currently experiencing

The fourth observation is the relationship with the private sector, above all the critical infrastructures, described in 30 lines of action. The critical infrastructures are cited many times in the document. I hope that the definition of critical infrastructure is clear and measurable by all the stakeholders. It means, first of all, being clear about the parameters and thresholds that distinguish an event from a National crisis. The definition of National crisis is vital to create the severity impact matrix (see example below for a company) useful to understand the thresholds of impact and to map the services and related assets that are critical on a National basis and need priority of protection. The definition of crisis, as far as I have read until now, is left to subjective interpretation. Probably these thresholds are under clearance and communicated only peer to peer to the private sector.

Conclusion: The National Cyber Security Plan contains all the means useful to implement an integrated system. It is exhaustive, but the implementation could create criticalities because of the number of stakeholders participating with different visions and interests. The main criticalities could generally be: overlapping activities, investment duplications, redundant information, and grey areas more or less controlled. All the lines of action could be compared to the parts of a disassembled car (engine, wheels, window, steering wheel and so on). It is not so evident from the public documentation what the design of the car is. Summarizing again the several statements discussed in the media during this “Waiting for Godot” period, my opinion is:

• Need of a clear governance for national cyber security: Yes, definitely, but it doesn’t mean Italy needs a Cyber Security Agency to do it. It is necessary to clarify exactly the roles and responsibilities of each Institution. No grey areas open to interpretation. Define the services each institution will deliver, the output needed by the system and the dependencies with the other services. This will create some antipathies, but a step back by one component could bring a step forward for the whole system, producing economies of scale and freeing up resources.

• More dialogue between public-private sector: No, I don’t think the National system needs more dialogue. All Institutions are doing a great job involving the private sector. The latter just needs clear rules and methodology to participate actively in the system. The dialogue should be structured, not increased. Do ut des principle. Successful public-private partnerships are based on reciprocal support or exchange. Working groups are fine if focused on a specific objective with clear results and deadlines (definition of a common standard; methodology; …).

• More investments: Maybe. The first step is to design the National Integrated Cyber Security System starting from the services needed to protect the Nation:

o Define the services and output (early warning, risk management, incident handling, …) and their dependencies;

o Define the assets and processes needed to deliver the services;

o Assign the responsibility to an Institution and the roles of the other actors inside the process (input/output needed to deliver the service outputs);

o Identify the needs in terms of investment or resources and fill the gap.

• Centralization within an Agency and so on: See the first point. I am not sure it is the solution. It could become an issue and bring further delay to the operations.

• More education and training: Yes, but also structured and targeted. In the last months, CINI presented the Italian National Cyber Security Framework, based on the NIST initiative. The framework is a good starting point to understand the cyber security maturity level of companies. NIST has also promoted another very interesting initiative: the “National Initiative for Cybersecurity Education” (NICE). The NICE initiative and the Cyber Security Framework are not connected. The clusters of activities presented in the National Framework are not matched with the categories, knowledge, skills and abilities described in NICE. In order to provide a concrete work force to cyber security, it could be wise to find the relations between NICE and the National Framework for Cyber Security. This could also lead to reshaping the education and training offer of Universities, Academies and Secondary schools, leading them to a more operational educational path. We will discuss this topic in the next newsletter.

Organizational Resilience: harnessing experience, embracing opportunity

by Steve Cargill, Chief Information Officer, BSI

Long-term prosperity in business is rare. In the US, for example, research has shown that companies currently remain in the S&P 500 index for an average of just 18 years, down from 61 years in 1958 [8]. And it’s a similar story elsewhere in today’s dynamic, interconnected world. Every business and IT leader will agree that to ensure lasting success their organization must become ‘resilient’. But what does this mean in practice for businesses in general – and for CIOs in particular?

Beyond survival

There have been numerous management papers on companies creating resilience in order to protect themselves in the face of growing business threats. But ‘Organizational Resilience’ – in the sense that we use the term at BSI – indicates a much broader principle of resilience as a value driver for an organization. For us, the principle involves more than simply the ability to survive. Resilient organizations harness experience and embrace opportunity in order to prosper over the long term. As a result, we regard Organizational Resilience as a strategic imperative for all companies, large or small. In the words of the British Standard for Organizational Resilience, BS 65000, Organizational Resilience is “the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper”. Here, the words “and prosper” really matter. Organizational Resilience reaches beyond risk management towards a more holistic view of business health and success. A resilient organization is Darwinian, in the sense that it adapts to a changing environment in order to remain fit for purpose.

[8] Source: https://www.aei.org/publication/charts-of-the-day-creative-destruction-in-the-sp500-index/

Building a resilient organization

BSI’s model for Organizational Resilience comprises three fundamental elements:

• Product excellence

In this context, ‘product’ refers to whatever product, service or solution an organization brings to market. Today’s business leaders – not least CIOs – must ask themselves which markets their organization serves. Do its capabilities and products match those markets’ requirements and comply with their regulatory environment – and, if not, how can it adapt them? Truly resilient businesses innovate, creating new products and markets, and differentiating their offering to stay ahead of their competitors.

• Process reliability

Embedding best practice (or ‘making excellence a habit’, as we say at BSI) in developing and marketing products and services is a key component of success. Resilient organizations ensure that they ‘do the basics right’ consistently through the strength and reliability of their processes, while still leaving scope for innovation and creativity. Business-critical processes in the management of areas such as quality, information security and business continuity must be robust and compliant, both within an organization and also throughout key parts of its supply chain.

• People culture

Resilient organizations seek alignment between customer expectations and employee engagement. Today’s CIOs are inclusive and consultative, not simply dictating rules to be followed, but encouraging employees’ behaviour to become an integral part of their job and their organization’s culture. The challenge for leaders is to understand, articulate and demonstrate their organization’s values clearly, so that everyone ‘lives’ them, not because they’ve been told to, but because ‘it’s the way we do things around here’.

BSI’s model is deliberately drawn as a positive feedback loop, with process excellence driving up product reliability, indivisibly linked to the people culture of an organization. Long-term resilience requires looking at your organizational capabilities holistically, enabling you to hold on to new ground, and to strive for continuous improvement. The model identifies three areas that are critically important in achieving Organizational Resilience in both large and small companies. These are operational resilience, supply chain resilience – and information resilience.

Information resilience is key – especially for the CIO

Information is clearly an essential element within an organization in managing performance, ensuring reliable processes and protecting the quality of the end product. Furthermore, it is key in maintaining trust and transparency across a supply chain. While the digitization of information has greatly boosted business productivity, it has left organizations vulnerable to security threats such as computer-assisted fraud, espionage, sabotage and ‘cyber vandalism’. The rapid expansion of cloud computing and outsourcing of personal and business data has only exacerbated problems. Some threats are not external, but stem from poor practice internally, such as the misuse or failure to apply intelligence, or simple human error or inaction. One of the largest information risks comes from the people within any process or organization. BSI’s recent Information Security Breaches Survey reinforces the point. It found 70% of companies that have a poor understanding of security policy experienced staff related breaches, compared with only 41% in companies where security is well understood.


GCSEC - Global Cyber Security Center Viale Europa, 175 - 00144 Rome - Italy http://www.gcsec.org


In today’s digital world individual and business customers must be able to trust companies to be run securely and to have adequate protocols in place to protect their sensitive data. Standards can help them (see box). Whether it is their own data, or that of customers or partners, resilient organizations gather, use and store information appropriately, adhering to best practice and complying with relevant regulations. They ensure their employees follow procedures to ensure data security measures become embedded in daily routines and organizational culture – ‘the way we do things around here’. By definition, information security counters today’s many digital threats, but as a critical component of Organizational Resilience it also goes beyond protection, supporting rapid and effective decision-making and an organizational culture that embraces opportunity.

[Box] Standard practice

A resilient organization will protect data integrity through a robust information security management system (ISMS). A starting point for companies, including many small firms, is to adhere to the UK government’s Cyber Essentials scheme, which provides a clear statement of the basic controls all organizations should implement to mitigate the risk from common internet-based threats. Certification through the scheme’s assurance framework enables companies to demonstrate to customers, investors, insurers and others that they have taken these essential precautions. Many organizations can, and should, go further, seeking certification to globally recognized ISMS standards, particularly ISO 27001 and STAR for cloud computing providers. Both standards can dovetail with the business continuity standard ISO 22301 to establish ‘information continuity’ if the confidentiality, integrity or availability of data is compromised. As the digital transmission of confidential financial and personal information increases, so too does the need for the appropriate security to be in place. But, a recent BSI survey showed 30% of people do not trust apps as a secure way to manage their money, and 42% have concerns about the security of their personal data when shopping online. Importantly, all these certification schemes will help organizations comply with the imminent harmonized Data Protection Regulation across the EU, which will bring new rules enforcing data breach notification among other tough measures.

Stay secure – and win

CIOs could be forgiven for feeling anxious. Barely a day goes by without the emergence of another cyber threat or damaging data breach – not to mention the need to comply with the rising tide of regulation in this area. The threats are very real, but it is possible to counter them effectively. To stand out and win, every organization, regardless of its size, sector or location, must develop information resilience, as part of a wider organizational approach to resilience that is right for it – underpinned by its culture and defining its brand.