A good cybersecurity strategy should always start by defining what risks a company can tolerate. This is a task that requires the IT security manager to involve colleagues from across the business.
But it is also essential that chief information security officers (CISOs) know how to clearly articulate the investments and actions that support risk reduction efforts when preparing a cybersecurity strategy. This is the recommendation of Kris Lovejoy, leader of the global security and resiliency practice at Kyndryl, an IT services provider spun out of IBM in 2021.
“Time and time again, I have seen CISOs fail because they were unclear about the value their investments would deliver in terms of people, processes, and technology. Without a clear understanding, executives often expect the investment to give them complete protection. We all know that’s not possible,” she says.
This includes the introduction of generative artificial intelligence (GenAI). For Lovejoy, GenAI is a tool that will improve an IT security team’s ability to deal with today’s onslaught, but to use it as a “trusted partner” they must first establish proper boundaries and governance.
In an interview with Computer Weekly, Lovejoy explained that improving IT security requires simplifying IT environments and modernizing legacy infrastructure, and that companies need to develop their workforce to achieve a culture of cyber resilience. She emphasizes the importance of investing in training and exercises that strengthen employee awareness.
One recommendation for CIOs and CISOs is to work on simplifying their IT environments to improve management and security. But how do you start this? Are there different models for achieving this? What do you think is the best way?
Kris Lovejoy: It’s easiest to approach simplification from a “prioritize important services” perspective. Given an accurate understanding of the systems that support critical business opportunities, CIOs and CISOs can analyze security management and consolidate vendors to reduce costs, with the goal of transferring cost savings to control automation. We recommend that you determine if there is an opportunity to reduce your
In parallel, for non-critical systems, consider options to remove them from use or at least radically simplify the infrastructure supporting their operation. No matter where you are on your journey, remember that success depends on a culture of collaboration and a dedication to continuous improvement. Without these elements, your simplification efforts will fail.
Cybersecurity threats and risks can come from multiple dimensions, and they are constantly evolving. Are AI-enabled tools ready to properly identify them?
Lovejoy: AI is increasingly enhancing an organization’s ability to identify and detect potential threats and vulnerabilities in a faster and more streamlined manner. Security teams are inundated with tons of data every day, and making sense of it all is a huge challenge.
As a result, organizations are using machine learning and AI to sift through the noise in a more effective way by leveraging automation and analytics techniques. We believe generative AI is the next evolution of AI and machine learning. With the right guardrails in place, generative AI could take the next step and further enhance the ability to analyze these threats faster and make security teams more effective.
How can you train your employees to deal with AI-amplified attacks?
Lovejoy: The cyber resilience landscape is becoming more complex every year. Sophisticated and well-funded attackers, increasing success rates of destructive attacks such as ransomware and denial-of-service attacks, skills shortages, budget constraints, an increasing number of vulnerable legacy devices, and prescriptive cyber regulations make managing cybersecurity more difficult than ever.
While organizations can take appropriate steps to track these changing dynamics and put strong safeguards in place to protect their business, employees remain the weakest link. Generative AI is proving to be an increasingly effective technology that can be used to leverage that weakest link.
To combat risk, leaders must foster a culture of responsibility and transparency. This includes empowering employees to actively contribute to creating a cyber-resilient environment and emphasizing the importance of reporting security issues without fear of repercussions.
More tactically, investing in cyber security training, tabletop exercises, testing, and cyber simulations is critical to ensuring employees understand the importance of training and retain information.
With the rise of generative AI, many organizations are keen to adapt. How can organizations looking to take on AI projects overcome these challenges?
Lovejoy: Organizations are entering uncharted and largely unregulated territory to develop and use autonomous technologies ethically and responsibly. It is important to keep these strategies in mind and execute them in a systematic and risk-aware manner.
Take a look at emerging AI standards. Be aware of the source and integrity of your data. Start your generative AI journey with a use case. One of the most effective approaches to successfully using GenAI is customer support.
AI is very attractive and well-intentioned, but it can also wreak havoc if not properly guided and managed. Therefore, for AI to act as a trusted partner for your business, you need to have the right guardrails and governance in place from the beginning. And it’s important that these guardrails strike the right balance between managing risk and enabling sustained innovation and growth.
What should you consider when developing a successful cybersecurity strategy? What are the first steps a CISO should take? How can you achieve the right state of protection?
Lovejoy: Cybersecurity is a risk management process. It enables organizations to identify, defend against, withstand, and recover from cyber-attacks that can impact business operations and data.
A good cyber security strategy always starts with defining your business risk tolerance. In other words, how much risk is the company willing to take on? No risk, minimal risk, moderate risk, and so on? A common understanding of what that tolerance is needs to be clearly defined.
“So much data flows into security teams every day, and making sense of it all becomes a huge challenge.”
Kris Lovejoy, Kyndryl
This understanding allows CISOs to develop a logical strategy based on the risk framework and articulate what investments and activities will support risk reduction efforts. The next issue is for managers to decide whether the trade-off between risk and reward is acceptable.
By creating a strategy based on a shared understanding of “what is good enough,” CISOs are not left “holding the bag” when the inevitable breach occurs.
Another major reason CISOs fail at strategy development is trying to make something secure that is inherently insecure. Most organizations today have a variety of legacy assets that can never be safely used. In this context, CISOs must become key champions of modernization to support more resilient business operations.
How does data quality relate to security?
Lovejoy: There’s an old adage – bad data in, bad data out. In an era of ever-increasing reliance on AI, we need to recognize the absolute truth of that statement. Trusted data, with minimal guarantees of provenance and integrity, is the foundation of all forms of analysis. I see this as an area where organizations are at significant risk.
While there is a healthy debate about the ethics and security of AI algorithms, we often fail to consider the provenance and integrity of the data we use to feed them. It’s important to ask yourself, can I trust that my data hasn’t been manipulated? Keep in mind that once an AI algorithm is trained, it is nearly impossible to “untrain” it by removing features that represent problematic data.
Think of it as if you were training a child. Just as you can’t “unsee” what your child sees on TV, you can’t easily “unsee” the data fed to an AI.
How is business resilience achieved? Do you think businesses have a good understanding of this concept and what it entails?
Lovejoy: Kyndryl has taken a unique approach to address customers’ needs to ensure the resilience of their digitally enabled businesses. We have distilled this approach into what we call cyber resilience. We define this as the ability to anticipate, protect against, withstand, and recover from any adverse conditions, disruptions, or breaches that impact a cyber-enabled business.
We help organizations move beyond a myopic focus on traditional cybersecurity threats to anticipate and protect against a wide range of disruptions to cyber-enabled businesses, including ransomware attacks, hurricanes, floods, power outages, pandemics, and infectious diseases. I strongly believe that we also need to consider withstanding and recovering from them.
This can be achieved through the adoption of a cyber risk management framework that considers the broader perspectives discussed above.
While this may be a statement about human behavior, we have seen more mature and aware organizations based in regulated countries or operating in regulated sectors. Without regulation, organizations tend to invest only after an incident occurs. Looking at a map of cyber regulations makes it easy to predict which organizations will fare better than others in the face of a major disruption or breach.
