With the rise of the internet, one thing that became evident was the simultaneous exposure to an increase in risk. Slowly but surely, organisations looked at enterprise solution providers to protect their networks from hacking, cyber-attacks and data breaches. Now, years later, and with no sign of technology advancements halting, is cybersecurity enough to keep organisations protected and resilient?
Mark Brown, Global Managing Director Cybersecurity and Information Resilience, Consulting Services at BSI, talks about cybersecurity in a post COVID world. Mark addresses the imminence of Industry 4.0 and the transition to cyber-resilience as a growing frontier to technology enabling business transformation, rather than inhibiting it being solely focused on negative risk and compliance.
A managing director with almost 30 years’ industry experience, Mark has held a number of high-profile leadership positions in cyber-security. Notable places of work include organisations such as Ernst & Young, SABMiller and SunGard. Leading up to his current position in BSI’s Cybersecurity and Information Resilience team, Mark also worked with Wipro as Senior Partner and Global Practice Head, leading the Industry 4.0, Operational Technology (OT) and Internet of Things (IoT) Security practice. Having served in the Armed Forces up until 2005, Mark brings a level of discipline, commitment and fortitude to his role, and this reflects in his leadership style. Mark is a strong mentor and believes in trusted empowerment, adding “Leadership is an evolution, and whilst managers are appointed, this doesn’t naturally mean that they are recognized as leaders.” He is a strong advocate of the power of coaching.
When asked about some of his major influences, Mark says “Family is always a big influence in how you respond in business and you always look up to the success of your direct family. My father worked for the same company his entire life, so I have a blend of influences from my own professional and personal life that leads me to trust the empowerment and openness of management.” To date, Mark believes in having the metaphorical ‘open door’ policy for his people as he finds that being approachable is crucial to productivity, inspiration and retention within the team.
BSI (British Standards Institution) is at the cornerstone of shaping, sharing and embedding best practice for organizations. The Cybersecurity and Information Resilience division is specifically tasked with providing cyber risk advisory and security testing services to clients, looking at areas like data privacy, compliance and governance, as well as niche capabilities such as e-discovery, and e-forensics. In addition to these core services, a large number of new and enhanced services directed at overcoming the threat involved with emerging technologies such as Artificial Intelligence, Machine Learning, 5G, Blockchain, Industrial security are also offered by BSI, including but not limited to OT and IoT security, penetration testing technology arenas such as infrastructure, network ,application, attack simulation and red teaming exercises.
With the world moving towards a virtually digital space as a direct consequence of COVID-19, more and more organizations are now looking at transitioning to cloud-based systems. This opens up a significant number of vulnerabilities pertaining to cyber security and governance. Even with this acceleration, the burning question remains – why do organizations need cyber resilience?
To explain this in the simplest way possible, Mark draws a direct comparison between traditional IT structures and cloud-based systems. He says “Using traditional routes to manage your own IT would mean you were in control of your own destiny and the advantage of on-premises technology meant it was within your perimeter and within your control. With cloud-based systems, you are no longer in control, and you have to have a trade-off between the benefits of cloud with elasticity and the speed to deployment, the avoidance of capital costs on an ongoing basis, and the move to an evergreen IT, which is an opex cost. However, that trade off comes with the reality that you lose control and somebody else is now looking at managing that environment on your behalf.”
According to Mark, BSI is not just an end-of-the-line security service provider, adding “BSI is the business improvement and standards company – whilst standards are a big part of what we do, we also help to create excellence and business improvement within organizations. This means that we have to understand the journey our clients are going on, and we have to be able to be there to assist them on that journey.” Embracing that journey for clients would mean being ahead of these technologies, and one way to ensure that BSI continues to provide ancillary services is through an ecosystem of strategic partnerships. One such partner, McAfee provides BSI with the expertise to offer a full portfolio of services to their clients. However, this partnership goes beyond business solutions. Mark adds that there is a level of maturity and brand recognition that sharing an ecosystem with McAfee offers. Speaking of their shared synergies, Mark says that BSI and McAfee have employed a joint approach towards this partnership, creating a mutual benefit for both parties. Whether it's introducing accounts to each other or sharing the wealth of knowledge that both organizations have, a joint partnership with McAfee has created many business and thought leadership opportunities for BSI.
Having a cloud security strategy is crucial for organizations as it gives them a better understanding of the breadth of cloud services and in turn helps them navigate risks and enhance governance, especially those that rushed to Cloud without fully understanding its scope. Mark adds, “Although the cloud is more advanced today, data breaches do still occur. This is often due to a lack of understanding of Cloud architecture and awareness of responsibility for securing data.” For organisations to adopt an effective cloud security strategy they need to consider how they will integrate often disparate security solutions. This is necessary to maintain control over a dynamic infrastructure and technology landscape, but more importantly, it needs to strike a balance between security protection and compliance. Central to achieving this balance are two key actions. Firstly, organisations should ensure that they deploy automated discovery of new virtual machines extending the organisational cloud landscape. This first step is necessary to enable the secondary action, i.e. the deployment of consistent security policies across the hybrid cloud environment. However, as more and more organisations move towards a cyber-physical model and increase their dependence on IoT, the risk continues to grow.
So how long can organizations ignore these cybersecurity risks? Understandably, it is impossible to protect something if you’re not fully aware of what needs to be protected. For this reason, BSI provides clients and partners with the right tools to understand their cloud infrastructure and works in collaboration with them to help mitigate the risks. In recent years, many organizations have increased their cyber security measures to protect their enterprise technology, however that only covers one side of the resilience equation. is on the rise, and companies now need to also look aggressively at securing their operational technology (OT) – the manufacturing systems and software that control business processes, as well as the production of goods and services. Mark adds “The lifeblood of business, OT arguably faces security challenges even more grave than classic enterprise IT. You can't take all the best practices from enterprise IT and simply apply them to that industrial world; they simply won't work.” The advent of 5G wireless and other trends is starting to bring far more digital intelligence into business production processes. As the Internet of Things (IoT) meets legacy OT, an entirely new set of vulnerable targets emerge. Although many organizations are reviewing their practices in light of their pandemic experiences to recommit to digital transformation, these vulnerabilities could have a much greater impact. Mark further adds that when it comes to industrial IT, factors like confidentiality, integrity and availability flip on its head. The two key priorities in these machine-led environments is safety and availability, therefore much emphasis needs to be laid on ensuring that board level discussions consider these differences between enterprise and industrial IT, and safeguard them with the right security tools. From a strategic perspective, organizations should follow a phased approach – first, identifying the assets of their environment and detecting the risks they pose. Next, determining the response to failure and putting a framework in place for governance and recovery. The final step would be to actually implement that framework in a sustainable, rather than project-focused manner. Mark uses the example of when discussing the impact that IoT will have on the environment. He says that globally, over 50% of people buying new cars consider security as a key purchase decision, putting evidence out there which indicates that placing security into the process provides a continual assurance in the decision-making process.
Historically, an often underestimated arm of cyber resilience is testing. Whether it’s an automated vulnerability assessment or a simulated penetration testing, businesses need to employ offensive testing techniques to verify the full impact of identified vulnerabilities. However, this is not a one-time process. Organizations need to adopt a continued testing model as opposed to point-in-time testing, which doesn’t present a full picture of potential threats. This overall cyber resilience method should ideally run from initial concept to minimal viable product (or MVP) and through internal staging versions before being tested again in the live environment. Best practice aside, this model of testing also has proven benefits. Mark concludes by saying “If you wait to simply do testing as a final stage, you may reduce your costs up front but you'll actually increase your costs overall for the project, because the retrofit of security into a project which hasn't had security built in by design can often be as much as 30 to 40% of the total project cost.”