Technology + Data

The Best Cybersecurity Strategy is a Sound Risk-Management Strategy

We are engaged in a war. Our enemy is made up of global actors committed to exploiting any digital weakness they can find in our organizations. To complicate matters further, it is a battle that is forever shifting and moving as the threats and tactics change. Failing to effectively prepare for and respond to these dangers is not an option.

In this fight, cybersecurity is our best weapon. But using it is akin to fighting with one hand tied behind your back: We can only respond when we understand the nature of the threat. That is why we see cybersecurity, first and foremost, as a risk-management strategy, and one that is best broken down into the following three principal components:

1. Assessment and detection – Start by determining what it is you are going to do to secure your organization. This means addressing your deliberate controls, security protocols, and frameworks for maintaining a secure environment against known and emerging threats.

2. Vigilant management – After you have done everything you can to secure your organization, it is time to consider what you need in order to detect anomalies and drive a greater level of awareness across your entire environment.

3. Response and resiliency – The final piece is accepting that resiliency must be part of your strategy. In the event of a breach, it is important to know how quickly you can return to a standard operational posture.

Four Tenets of Cybersecurity Risk Mitigation

If you accept the proposition that cybersecurity is a risk-management effort and development issue, and if you have addressed the three strategic cornerstones just outlined, you can then focus on the four tenets of your company’s organizational structure:

To execute on the three components of our strategy, certain activities such as simulations and tabletop exercises will need to be conducted on a regular basis. Some key questions to consider are: What are the lines of accountability for these activities? What are the compliance and audit mechanisms? Answering these questions is a crucial step to ensuring that you are following up on and working through every issue.

It’s important to develop policies and frameworks that support the management of your cybersecurity risk-management strategy. Large critical infrastructure organizations such as NW Natural and other utilities can look to the National Institute of Standards and Technology (NIST) for guidance. Its framework helps us determine the must-have elements for our cybersecurity practices and policies.

Once your framework is in place, the next step is to conduct a detailed gap analysis. Where are you vulnerable? The Cybersecurity Capability Maturity Model (C2M2) program can assist. Aligned with and supporting NIST, the C2M2 program helps all types of organizations evaluate, prioritize and improve their cybersecurity capabilities.

The final piece is an action plan. Develop a list of your most pressing priorities as they relate to the determination of risk across your enterprise. The issues likely to produce the most material damage or losses must be spotlighted and addressed first. Isolate them, then work your way down.

At NW Natural, we work to ensure our response to threats is second nature, and that they are as clear and well-understood as our strategy for a pipeline rupture.

Success requires that everyone in your organization be unified under a single security mission and know how to execute it. Employees must have a command of the security landscape and known risks. They also should practice good cyber hygiene when it comes to how they use company devices and systems.

Today, one of the biggest emerging threats is what is commonly called social engineering. This refers to the increasingly popular approach of using familiar, low-tech schemes to gain entry. Tactics can include malware delivered through email, phishing scams, or even hackers masquerading as an employee to learn passwords. The use of ransomware, in which hackers gain entry, encrypt your files, and then demand payment to unlock them, is also on the rise.

Staying current on hacker techniques requires regular and ongoing threat intelligence education. That education and cyber awareness informs the behavior of your employees, your trade partners, and everyone who interacts with your infrastructure.

The final tenet is to strategically develop your investment strategy. There is no shortage of assets, tools and solutions in what has become a cyber arms race. It’s easy to slip into all-of-the-above thinking, which is both costly and less effective than making judicious investments that directly align with your risks.

Toward that end, it’s always instructive to conduct the simulations or tabletop exercises in an effort to uncover hidden or overlooked issues. It gives internal teams a chance to address and resolve an incident in a controlled setting. Such explorations are invaluable as a tool for helping employees orient themselves to new and emerging cyber realities. They expose lapses in understanding related to whom to contact in a given scenario, the mode of engagement, short-term versus long-term steps, etc.

The lessons learned from the simulations can then be shared, providing key insights to inform and sharpen future strategy and response plans.

Prepare and Prevail

In today’s world, you must be able to detect, log and monitor events that are out of the norm. That means establishing a good baseline for what the norm looks like. Incident planning and preparedness are key, and must lead to a sound understanding of your response and recovery protocols.

At NW Natural, we work to ensure our response to threats is second nature, and that they are as clear and well-understood as our strategy for a pipeline rupture. While we hope never to need it, we must have a strategy for recovery from a cyberattack. We are at war, but by being smart and proactively defensive, we can do much to secure our people and assets and keep our organizations safe.

About the Author

Ngoni Murandu, NW Natural
Ngoni Murandu is the CIO at NW Natural, where he oversees the Information Technology Department.