The Time Is Ready for Cyber Security Management

Regardless of its size and industry, any company can fall victim to a cyber attack. Although the risk is known, most companies act anything but adequately. But what is the reason for this? And what should companies do?

You read about spectacular cyberattacks again and again. "It can't happen to us," many think. But they are wrong. And this assumption can have fatal consequences.

But why is that? There is a lack of understanding about cyber security - from the risks to the consequences of a cyber attack to appropriate precautions and countermeasures. In 2016, Gartner found that 99 percent of vulnerabilities that lead to intrusions have been known for more than a year. Since then, technology has evolved rapidly. How we deal with the ubiquitous threat, however, has not.

So why is it not possible to get to grips with this problem? One reason is certainly that cyber security is an extremely complex field of activity. Many companies simply don't know where and with what they should start. The fact that there are a great many good references that companies could draw on exacerbates the situation rather than relieving it.

These are the most important references

• The MITRE ATT&CK Framework lists all known attack techniques on a daily basis and explains how to recognize them and defend against possible attacks. A heat map shows which technology is used particularly often in which industry. In this way, companies learn how they are most likely to be attacked and can specifically protect their most critical infrastructures, data and systems.
• The SANS Institute offers a comprehensive range of over 60 training courses and certifications for cyber security professionals.
• With CIS Control 1 and CIS Control 2, companies gain a holistic overview of their network, inventory their end devices and applications, and effectively control their inventory.
• The German Federal Office for Information Security (BSI) is the central point of contact for protecting companies with critical infrastructures (CRITIS) against external attacks.
• The National Institute of Standards and Technology's (NIST) cyber security programs aim to promote the development and application of security technologies and methodologies to address information security challenges.

Against this background, companies should know what to do. But translating theory into everyday practice - that's the real challenge.

However, this does not mean that there are no suitable tools. The opposite is true. There are a large number of robust security solutions. Accordingly, it is not the tooling that is acting as a brake. Instead, a rethink is needed in the companies. In this context, the Cloud Security Study 2021 by IDG Research, Arvato Systems, and other partners come to the following conclusions:

• Security by default is the exception in cloud projects - although companies know that subsequent adjustments in terms of IT security are costly.
• The cloud provider is the most critical cyber security partner: But to keep IT security high in the long term, additional support from an external Security Operations Center (SOC) is usually necessary.
• The majority of companies do not allocate an additional budget for cloud security. Many believe that the cloud provider takes care of the required IT security. This is a misconception. It only does so if it is commissioned to do so.
• Offices are considered more secure than remote workplaces. Even if this is the case - which is questionable - such an approach no longer corresponds to the company's reality. Instead, the complexity of the environment is increasing - to mobile work scenarios in which production processes must be secured from anywhere.

To counteract this, companies should take a number of measures:

• Establish proactive, continuous threat analysis with appropriate technologies and protective measures.
• Identify security-relevant devices and data sources by using CIS Control 1 and CIS Control 2.
• Operate the right sensors and coordinate resources in a targeted manner to protect devices and environments.
• Reliably detect intruders and react quickly and correctly in the event of an attack (assume-breach paradigm: every company must assume that it will fall victim to a cyber attack at some point).
• Define security objectives and manage them on an ongoing basis.

This means nothing less than managing cyber security operationally - just like any other business process. An example from vulnerability management: The security scan of an environment provides detailed results about the risks existing at the time of the survey (risk score metric). The measured value could initially be 20,000, two weeks later it could be 25,000. According to the scan, the overall risk has increased. Such individual observations do not allow any conclusions to be drawn about whether work has been done to rectify the problem in the meantime and whether vulnerability management is functioning reliably. After all, IT security is not a static issue.

In practice, many companies do not take such action. They have not initiated any measures to identify and close attack surfaces. The longer a vulnerability exists, the easier it is for the hacker - especially since the defender's dilemma comes into play here: The attacker must find ONE gap in order to be able to exploit it specifically. Companies, on the other hand, ideally have to close all gaps. However, since this is impossible according to the assume-breach paradigm, the motto is: keep the attack surface as small as possible.

Cyber security is the essential prerequisite for modern, digital business processes. To master the particular complexity of the entire field of action, adequate methods and suitable tools are needed. Adopting best practices from business process management and treating cyber security as a business process is the first step toward greater IT security.