Beyond prevention - The Bigger Picture of Cyber Security

Welcome to the KuppingerCole Analyst Chat. I will be your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts and in this Analyst Chat, we will focus on specific, interesting topics that we as analysts encounter in our daily work.

This work that we do is mainly focused on the topic areas of cyber security, identity and access management, artificial intelligence of much more here we do in-depth research, but also advisory work with vendors and end users as clients in each edition, I will have one guest joining me, often a fellow analyst or another interesting partner, and we will have a 15 minutes chat around current topics. So my guest today is Christopher Schütze. He is director practice, cyber security here at KuppingerCole.

So he has the full picture of cybersecurity as a whole welcome Christopher, Thank you, Matthias for the invitation for this podcast. Great to have you, if we are talking about the bigger picture of cyber security, many organizations consider cyber security as a purely preventative measure. We at KuppingerCole and U S director practice cybersecurity. You see that a bit different. What is your view over the overall picture of cybersecurity? That is really a good question.

Hopefully I'm not the only person who sees it a little bit more complex than talking about prevention and detection mechanisms. We had cooping a call. So in advisory we see at least five different phases. When talking about the overall cybersecurity topic, everything begins with the identification of something. So first of all, you need to be aware of risks. You need to know them, and maybe you need to rate them. And then for sure, you need some mechanisms to prevent them. This is classically stuff, which is part of the cert or the it security operations and configurations team.

You also might have some detection department here. We are really talking about the cyber defense centers or also called security operations centers. These are departments which actively fight against attacks. This is followed by some respondent, recover parts, and here it is becoming a little bit complex because in respondent, you are talking about incidents and incidents might happen right now, or might happen a few months ago till you realize that you have an internal incident. And on the other hand, so this is incident response, Ponce management called it.

On the other hand, you have the business continue to management. For instance, if you are an active victim of an a D dos attack and try to work your daily business. So create some kind of work arounds that enabled you to continue your business and last but not least. And this is also very essential part of most companies who are only talking about prevention and detection, forget that specific part.

It is called the improvement part, which means learn by previous attacks by a previous incidents, learn your process, knowledge, know your prevention, tactics, and all that stuff is needed really to have an end to end cybersecurity approach with your Yorker. That sounds interesting if you mentioned the improve and you started with the identifier, I think that actually, it really is a loop that is continuous improvements of the identification. Part of what is at stake, what is at risk. It's also something that needs to be improved and can be improved.

So to understand the next time you are trying to prevent and detect issues within your it, that the way of how you judge your risks and what is at stake might change over time. Sure.

The, the, the general risks we are, we have to deal with in cybersecurity are changing. They evolve, and some of them become much more important than some less important. And this is really, I'm just thinking about the classical risk management was in your organization. So the enterprise risk management that you have to deal with competitors with environmental issues, with hazards and things like that, and they become more important or less important. This also happens with it, risks, you get new risks, you get new attack, vectors attackers are using artificial intelligence.

They use modern approaches to get your credentials to access privileged accounts or things like that. And this is changing and also your company is changing in the way you are working. And so you need to rewrite the risk. You've identified in a regular process. Okay. When we talk about impact, I think it's also important to yeah. To involve other parts of the organization to involve. Usually we say involve the business. So really the parts of the organization that deal with end customers that do the actual work within, within an organization while it is typically it's the parting in that.

So maybe to, to make sure that their view of risks and what needs to be run even in the event of an incident is an important factor to take into consideration as well. Yeah, sure. I'm just having a look at the it, risks is not sufficient at the end, you should have some kind of corporate risk management. So all risks related to your company. And one part of this should be the it specific risk management, but some of them are integrating into each other. That's what you already said. For instance, the supply chain is supported by it.

It is supported by external partners and maybe on the financial health of the external partner and all these measures and metrics together, give you a good understanding of how risky it is to work with some external partner in that case. And this is for all types of risks. This is not only just a single thing, because it is supporting you and your everyday business. And depending on the type of product you offer to your customers might also be the core of your business, but usually it's, it's supporting and therefore it is integrating into the business processes.

And so you need some kind of corporate risk management or which integrates it, risk management into it. One other question, and you've mentioned that before, and I think that is closely related to that business aspect. You've mentioned instant response management and business continuity management as part of the respond and recover phase.

So once an incident has been detected, once it has been analyzed, once it has been fully understood or at least partially understood because sometimes speed matters at that point, there needs to be communication that might be to be done by senior officials of an organization. So the C level management, when it comes to responding to an incident, how do you, what do you recommend when it comes to making that right first communication towards the public, towards your employees, towards your customers, towards the press? What is the first step when it comes to understanding such an incident?

So the first step should honestly not be to tell the press about that you've become the victim of an attack, or you have an internal incident really, in the worst case you realize, or you might realize that Twitter or the press is already reporting about you and that you have, for instance, on data breach, this is really the case. And here we have really, to be careful what you say to the press. Usually an incident response management process starts with the handover from, from the part who detected some strange behavior or something.

And then you start to, to rate if it's, if it is a big incident or only a smaller thing. And if it's an important thing, part of the incident response management is to set up and crisis team to set up and define the communication strategy and to set up and define what you do to respond, to recover, to prevent further harm to your organization. Wait one more minute more and think about what you say to the press. And it should usually not be in the C level. It should be an expert for communicating to the press.

Okay, understood. So it's really a combined effort that that really focuses on, first of all, analyzing and understanding the actual threat, understanding the criticality and the impact of what has happened. Also containing the outcome and the effect of this incident and having communication to be defined in parallel when getting closer to a full understanding of the incident. Another interesting aspect of course, is the whole aspect of business continuity.

So while there is an incident happening, and it is currently being contained to make sure that the organization, the business, all business processes can continue running as required as expected by the customers. Can you explain that a bit more in detail? Yeah. First of all, maybe it is important to understand the difference between incident response management and business continue to management. The incident response management is more, you know, that you are probably the victim of an attack or you have an incident and you try everything to fix it.

And to recover back to the normal business business, continuity management is on the other hand, you are currently under attack your services. Your processes are not working and you need some new process or a workaround to keep your business alive. So this is really the core of business. Continue to management, no matter what is going on within your company, you are still able to produce your product or to offer your service or to contact your clients.

It is, it has not the goal to recover. It is really more keep the business alive, as good as possible. A good example for a business continue to management might also be the current pandemic crisis. We have people or organizations try to do the best that they can offer their services. Also in a specific case with limitations. For instance, if you go for shopping and you need to keep distance from other customers, there's only a limited amount of people who are allowed to enter the store.

So it just to see the other hand of business continuity when you're not talking about it, but it is porting here. So for instance, the, it supports you in that case was counting how many people are allowed to enter the store itself and therefore processes and work around needs to be defined to keep your company alive in case of an attack or an incident.

Okay, thank you also for explaining this, this difference. So it's also about really finding alternative ways in case of an incident to continue work, maybe even at a reduced level of, of service, but to make sure that the organization, as a whole continues to, to, to work as desired. So we're getting close to our 15 minutes chat. So are there any concrete, tangible recommendations that you would like to give to the audience when it comes to thinking of this bigger picture of cybersecurity that goes beyond just prevent and detect?

What, what would be your first recommendations to keep in mind? So the first recommendation is for sure prepare for becoming the victim of an attack, because the chances that you become victim of under tech is pretty high.

But to, to understand that you can become a victim, you also know why you become a victim, and this is more or less start with the analyzers of your company, of your processes to identify the risks for your company. So create some kind of risk management for the most important things. And having this implemented, you know, what you need to do to have something like an incident response management, you can set up your team, some basic processes, some information or communication plans who is responsible in case of an incident and who is responsible to communicate to externals in that case.

And if you have prepared, something like that, and the bad thing happened, and you become victim, you have saved time because you know what to do next and just helps a lot. And same as for business continued to management, what, during the identification of the core risk to your company, and if it's related to processes and software or services, you can think about a plan B for those processes. And at the end, if it's not an CRM tool, maybe it's an excellence sheet printed out and sent by as an attachment was an encrypted email, something like this. You need to be resilient in such case.

Okay, great. Thank you. So we really need to make this one step back to look at risk management and cyber security and the way to, how to deal with it as a bigger picture, too, to get the bigger picture and to really consider cybersecurity as one important part of maintaining the health of an organization. Thank you very much, Christopher. I am sure that we will have further podcasts like this in further additions of the KuppingerCole Analyst Chat.

I would like to mention quickly that you have planned and to execute a masterclass incident response management, which digs much deeper into this incident response process. If anybody's interested in that, just join us in this masterclass or get in touch with us as advisors and as analysts. Thank you again, Christopher, any final words you want to share with the audience? Not so far.

Thank you, Mathias for inviting me for this very interesting chat and I'm looking forward for another edition in the next month or weeks. Thank you.