The events of this year have fundamentally changed the calculus of technology and cyber resilience planning. The shape of the technology ecosystem has altered; attitudes towards resilience have evolved; and regulators are considering new approaches to supply chain continuity planning. Enterprises preparing themselves for the future should reimagine their approach to understanding, planning and executing resilience efforts, encompassing security teams, the business, and the broader operating ecosystem.
The landscape as we see it
If there could be a silver lining of this pandemic for security and infrastructure teams, it would be that organizations now understand the degree to which technology underpins business productivity and revenue. In enterprises dominated by remote working and cloud deployments, it’s no longer enough to think of technology as an enabler to business — it is the business.
While there’s an increased appreciation for the role of security in resilience, the new reality has opened up a new set of targets and challenges, which require novel approaches. New virtual infrastructure models have changed the priorities of both threat actors — who are now being creative in their use of phishing and malware — and business continuity teams in response to the threat. And the new working models are forcing SecOps teams to review their incident playbooks, detective and responsive tooling, and shift patterns.
At the board level, some of the fundamental assumptions of business continuity planning have been challenged. Can businesses still assume that their network of incident response suppliers, data centers and archive services is working as normal? What does a worst-case scenario really look like in the post-pandemic reality? Organizations need to take a much more holistic view of their technological dependencies and single points of failure — including third parties and off-shore teams. And with an eye over the whole architecture of the business, security needs to play a vital role in outlining and managing the threats.
Meanwhile, regulators are paying close attention. With nation states becoming more active in the cyber threat landscape, and cyber attacks on many industries being used to serve economic and geopolitical agendas, governments will be undertaking resilience planning at the sector and nation-state level. Organizations supporting those plans will need to offer unprecedented levels of cooperation, transparency and trust, working with competitors, suppliers, regulators and law enforcement bodies to ensure resilient ecosystems.
What we believe you should do about it
A few key actions can help an organization to refresh its resilience planning activities in preparation for the new reality. Start by questioning some of the key assumptions that have been made in the past — did your list of worst-case scenarios include the pandemic? What could be the next example? Can you rely on your ecosystem for support, or do you need security resilience skills in house?
Think about the mechanics of the first line of defense. What’s changed about security operations in the new reality — can analysts work in the same way they have done? Do you need to offer new routes of access to key security incident and event management (SIEM) tooling to cater to new working modes? Communication pathways need to be updated as well — can you rely on corporate collaboration and conferencing tools? How do you interact with partners such as cloud providers? And how do you manage the containment of malware when you can’t guarantee immediate access to an endpoint, as you would in the office?
Rethink how you devise your playbooks. The pandemic will have demonstrated to many businesses that a number of the same threats lead to the same fundamental impact on technology and the business. By reorienting your playbook design from scenario-based to impact-based, it’s possible to cover all bases in a much more efficient way. It also helps the security team to capitalize on the newfound appreciation of business teams for the impact of technology infrastructure.
Work with business teams to understand the long-term consequences of the pandemic on their working models. It may be that those models change your priorities by presenting a different threat surface. Ransomware might start targeting VDI solutions rather than databases, holding to ransom business productivity instead of data — ask yourself how to adapt your response and recovery efforts to new operating models. And re-assess your priorities — do you have to worry about “loss of building” scenarios as much as you used to, or are “unavailability of personnel” scenarios now a higher likelihood?
Finally, start making external connections. As cyber-attacks grow in scale and complexity, we’ll have to start relying on each other. Develop supportive relationships with regulators, law enforcement, industry peers, and upstream and downstream suppliers. The shape of the technology has changed, both globally and locally, and a good-faith culture of transparency and collaboration can help alleviate pressures on critical infrastructure and services.
The excerpt was taken from KPMG Thought Leadership, All hands on deck: Key cyber considerations for a new reality