RSA CONFERENCE 2021 – When the Colonial Pipeline attack made headlines earlier this month, Steve Grobman knew that every security practitioner would soon be talking about ransomware risk in their organizations again.
"Here we are halfway through 2021 and the pendulum has swung back to discussing ransomware attacks," he says. "If all of our focus is on the last thing to [have] happened, then we can get in a really dangerous situation."
Grobman, senior vice president and chief technology officer at McAfee, served as a keynote speaker at RSA Conference this week, arguing that letting headlines drive risk-based decisions is a mistake. His argument is this: As humans, we are awful at perceiving risk. We are too easily influenced by media, anecdotal data, and evolutionary biology. He called on security leaders to lean on data and science, not headlines, when deciding where to invest in tools and how to craft security strategy.
"A lot of what we can focus on in the media are these high-impact, high-profile incidents, like Sony and Ashley Madison," he said. "But we're getting too caught up in the exact playbook that is in any of these attacks. We need a holistic view of all events that could impact an organization."
Grobman is advocating for more security teams to build risk models that consider three factors: impact, scale, and frequency. The question to answer is how likely a given type of attack or incident is for your organization's threat profile, and how much of the business it would affect.
"How do we prep for earthquakes in earthquake-prone regions? It should be the same thing in cybersecurity," he says. "Organizations need to do red teaming [and] tabletops on how they will respond to different types of attacks that could impact them."
Always Evolving: A Cyber-Resilience Plan
In a panel on building cyber-resilience, which was also this year's conference theme, panelists echoed many of Grobman's assertions. In "Building Cyber Resilience: Considerations for CISOs," Biju Hameed, director of technology infrastructure and operations at Dubai Airports, said his resilience planning is based on numbers and scientific assessment.
"It's very important to define quantitative metrics in order to define resilience targets and capabilities," Hameed said. "Often there are a lot of perceptions and assumptions of what we need to do."
Abeer Khedr, information security director at the National Bank of Egypt, said the quest to determine which risks are most relevant is a constantly evolving process. With so much happening in digital banking and finance services, "There are no borders anymore, and the attack surface is constantly widening," Khedr said.
With nation-states, hacktivists, and criminals also looking for ways to exploit financial weaknesses, the bank is always evolving its cyber-resilience program.
"When we talk about cyber-resilience, it's always a journey. It's never just a project," added panelist Dr. Reem Al-Shammari, digital transformation leader of corporate solutions and digital oil fields at Kuwait Oil Co.
At Saudi Arabian telecom provider stc, resilience is based on three tenets, according to Arwa Alhamad, cybersecurity enablement director:
- Have the mindset of a hacker: You have to think like an adversary and understand the battlefield.
- Make it expensive and difficult: Invest the most in protecting the crown jewels of the organization.
- Be well-prepared: Know how long it will take to detect and respond to an incident.
In addition to considering risks specific to the business, one of the best ways to build resilience is often to deploy the most basic technologies, McAfee's Grobman said.
"If you are an organization that hasn't implemented multifactor authentication, for example, turn on MFA," he said. "Often it is a very boring but important place to start. Sometimes the most important things for an organization are the most boring or least exciting."