There is something inherently wrong with the current culture surrounding cybersecurity incident response.
Business leaders almost invariably approach incident response in two steps: prevention, then pain. Buy a Band-Aid and hope your cut does not get infected. Paint over the water spots on your ceiling and pray the house inspector won't find mold when you sell.
It's almost human nature to fall into the magnetism of procrastination. And when the inevitable happens, and organizations get breached, they go directly to crisis management mode — how do I minimize the impact of an attacker already within my network? How can I effectively and quickly address any events that could damage our reputation?
The critical and often overlooked step in the equation is preparedness.
As a business leader, you have to be prepared for anything (including, apparently, a global pandemic). Your ability to adapt is as important as your ability to lead. Prepared leaders plan for just about every scenario, from business disruptions and outages to employee misbehavior and natural disasters. But while most executives are tied up preparing for the "worst case" on the broader business landscape, a lot of the onus for safeguarding customer and partner data falls to the chief information security officer (CISO).
A Dangerous Disconnect
Vectra recently surveyed 1,112 security professionals working in mid- to large-sized organizations that use Microsoft Office 365. A key finding:
[A] high level of confidence was revealed amongst security teams in the effectiveness of their own company's security measures: nearly 4 in 5 claim to have good or very good visibility into attacks that bypass perimeter defenses like firewalls.
However, management-level respondents and practitioners such as security operations center (SOC) analysts had strikingly more pessimistic impressions of their organizations' overall ability to defend against an attack. This disconnect is dangerous. If there is a false impression about your team's ability to combat hackers, they are likely not armed with the necessary tools to succeed. Going one step further, if your SOC team is not prepared to act at the first sign of a breach, they may be far more likely to grow complacent about the evolving threat landscape.
Another component to bolstering your SOC team's preparedness level is empowering them to be constantly vigilant of new types of attacks. With knowledge comes power, and with the abrupt shift of many organizations to the cloud and the adoption of mass remote work, the threat of cyberattacks has heightened; new methods are uncovered every day. The recent Microsoft Exchange breach is another potent reminder that no application, network, or data center is invulnerable. This incident will trigger migration discussions in more IT departments, but they should be measured and strategic. If organizations recoil from on-premises solutions and jump blindly into Microsoft 365 or something like it, they might simply trade one set of threat factors for another.
The Growing Risk of Not Preparing
Attackers increasingly work laterally through a succession of infected devices en route to their goal or establish footholds throughout the network to exploit whenever they choose. Enter SolarWinds.
The SolarWinds incident is the starkest reminder yet that complacency can exact a terrible price. Too many organizations remain overinvested in old-school perimeter defense solutions despite mounting evidence of their deficiencies. And, as companies become more reliant on data storage and software-as-a-service (SaaS) solutions outsourced to the cloud, vulnerabilities may grow.
We still don't know the full scope of damage done by the SolarWinds incident and may never know. It's safe to say some remnants of the malware remain at work today, still undetected. To most users, the SolarWinds incident is of greater concern than your average credit card or health record heist. A critical infrastructure attack of this nature has far broader implications for everyday life. It could conceivably paralyze your train system or airport, compromise your energy grid, or affect your bank's transaction networks. President Biden has called for new spending on cybersecurity, which is a good start, but we truly need a national action plan to prioritize better detection of SolarWinds-class attacks.
I urge business leaders worldwide to use this moment in history to rewrite the conventional wisdom and hasten large-scale change to a more effective cybersecurity strategy. We've known for years about the virtues of robust network monitoring and rapid detection of inevitable breaches. SolarWinds should be remembered as a trigger for a better security posture, not the first in a series of cyber calamities that could have been prevented if we had only been prepared.