Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. This is a very special episode of the KuppingerCole Analyst Chat. This is already an anticipation of the upcoming Cybersecurity Leadership Summit in Berlin in November 2022, and therefore we have planned to have a panel together with three guests today. So let me please introduce you to our three panelists. Starting in the UK, we have Mike Small, who is a Senior Analyst with KuppingerCole Analysts out of Stockport. Hi, Mike, good to see you.
Hi, Matthias.
Great to have you. Over to the West Coast, to Seattle, to John Tolbert. He is the director, the Research Director for the area of Cybersecurity. Hi, John. Good to see you.
Hello again, Matthias. Thanks for having us.
Yeah, great to have you as well. And back to Germany, to Swabia, to Stuttgart where we have Martin Kuppinger. He is one of the founders of KuppingerCole Analysts and the Principal Analyst. Hi, Martin, good to see you as well.
Hi, welcome.
So the topic for today also resonates with the Cybersecurity Leadership Summit, because this is a theme that we will cover extensively at this event. And this is the topic of cyber resilience. And if we talk about cyber resilience, I have three experts here in the room, can we agree on a common definition? What cyber resilience is? Do we have a common notion of what that means? Maybe starting with you, Mike, what is cyber resilience from your perspective?
Okay. So this notion of cyber resilience has arisen because of the increasing dependence of all organizations upon the Internet and cyber-based technology. And it was recognized through, for example, in Europe, the NIS directive, which was put out by the EU in around 2016, which recognized the need for critical infrastructure to be resistant to and resilient to cyber attacks. So cyber resilience is about being resistant to and able to recover from cyber attacks. So, John, what have you got to say?
Yeah, I think that's a pretty good definition. I guess I would just add maybe that, you know, being able to withstand cyber attacks and other sort of unexpected consequences, you know, network outages that may, you know, compromise availability of applications as well.
Okay. And when we're talking about this topic of cyber resilience at CSLS, why are we doing that right now? Why is it getting so important so that it really is an important track within the overall event? Maybe you, Martin, why is it gaining that traction right now?
Yeah, you know, I think it's just looking at numbers. Look at the numbers, the number of cyber attacks, the number of cyber incidents, all that is going up and up and up. And there are so many samples of major incidents, like Colonial Pipeline in the U.S. a couple of months ago, which means we all learn that you need to be resilient because at the end of the day, your organization can get out of business due to a cyber attack. And so resilience is important. And knowing that we will be attacked, that we are continuously, constantly under attack, means we need to focus on what happens if one of these attacks leads to major issues, to major damage. How can we get back to normal business operations as quickly as possible? That is the reason why it's important, why it plays a central role in the agenda of the CSLS.
Okay. Understood. Any other aspects, maybe John, do you have any thoughts about why it's such an important topic right now?
You know, following up on what Martin said, I think the numbers of attacks have just been increasing year over year. And you know, we hear a lot, we talk a lot about ransomware and the effects that it has. I really think we still need to get the message out that there are ways that you can make your organization more resilient against things like ransomware. Ransomware has had some really pernicious effects; there have been many companies, nonprofits, government agencies around the world, including small government agencies, cities, townships, states, not just federal governments, that have been subjected to ransomware attacks. And it's, like Martin said, it's kind of put many of them out of business for a while, and if you're a for-profit business, you can't really withstand not being able to conduct business for months on end, unless you have massive cash reserves. And there have been companies that have come to the brink of folding just due to the severity of ransomware attacks, and some of the things that we'd like to cover at CSLS are about how to help attendees in their organizations be able to withstand these kinds of attacks and make them so that they do not cause that kind of damage.
It isn't just what you would think of as e-businesses that depend upon their IT systems now. You know, the classic example of that takes us back to Norsk Hydro, which was an aluminum smelter. As more and more businesses have become more and more dependent upon their IT to do things more efficiently, to get closer to their customers, to improve their supply chains, they have made themselves more and more vulnerable to any kind of attack. And certainly this is one of the critical things.
So in terms of the five steps that I think organizations should be taking, I would say that the first thing is most organizations don't realize just how much IT they have. And unless you understand and you are able to catalog the resources and the assets that you depend upon, the chances are you're not going to be able to secure it. And this doesn't just depend upon the resources that you're using. One of the problems, and one of the major problems, is in fact those resources that you've forgotten about but are still connected. And it has lots of vulnerabilities that people have patched. The second thing, and the major platform, which has taken a new life under the name of Zero Trust, is identity and access management. The whole of control, the most powerful and fundamental control, is who can access what. And unless you control that properly, then the wrong people are going to get into your systems and they will then be able to use that access to do bad things. So the vulnerabilities that exist, the technical vulnerabilities that exist in your systems, are the next most important priority to look at. Most of the major breaches basically stemmed from an exploit, usually of a vulnerability that was well known 10 or 15 years ago, which was easy to patch, but which people hadn't taken the trouble or bother to patch. So remove vulnerabilities where you can. And that is a problem which is made more difficult by the dynamic nature of today's IT. When in fact servers were things that were physical and tangible, that you were able to get hold of, you could actually sort of secure the server itself. Now, what is happening is every IT infrastructure in an environment is virtualized. The cloud is an example of that. Resources are created as and when they are needed.
And so in this dynamic environment, the only way you can manage it is to do it by policies that say that when something happens, it has to enforce a policy rather than doing it retrospectively when you've discovered it. And the most difficult and final thing is that the third line, your users are in fact the most important defense against cyber attack and ensuring cyber resilience. And this is the most difficult thing because creating and changing culture is always difficult. And this is where creating a security culture is going to be fundamental. So those are my five points.
And there's a lot to digest here because it goes from organization, from, as you said, from culture to technology to even trying to identify which resources are in place and how they can be protected. So this is a wide range of aspects to look at. Are there any aspects within what Mike said that you, John and Martin, want to highlight, especially before we continue to other suggestions on where to look at what is of importance for you, especially from what Mike said? Maybe Martin.
Okay. Then first, I think what Mike said, all is in part because we are living in an environment with a lot of IT, with a lot of shadow IT, with a high level of volatility or continuous change, and this is something we need to do. But yes, we need to do ground work, cyber hygiene, so to speak, basic things, patching, etcetera. We need to do it well. The two things I'd like to add are, what an important element of cyber resilience is, really focusing on recovery, on how to restore, how to get back to operations, maybe not even normal distance, but at least being capable of reducing the potential damage by having the most important and most critical systems working again, the ones where failure really costs your organization the most money, which causes the biggest damage. So understanding how to recover is very important and all this goes into something. And this is also part of the organization. So cultural change is one part. The other is linking everything we do here to the business continuity management, the incident response processes and organization, so that we are able to react quickly, because we must be prepared when things go wrong. We can't just start thinking about, Oh, who do we need to inform? How does the board communication look? Which people are responsible for what? Which external partners do we need? All that stuff must be prepared. John, do you have additional points?
You know, I would agree in order to have the ability to restore and get going again, I think it's really important to emphasize the need for backups. I mean, backups aren't exactly the most fun thing that we can talk about. But, you know, backing up both your data and your configurations for all your devices and keeping...
And... let me jump in real quick, not only to have backups but to have multiple backups, multiple versions of backups that are offline, because the backups that are just online are always potentially subject to attacks.
People take backups, but they don't check that they can recover it.
I think we need, everyone needs not only to have backups and like Martin said, multiple backups, but yeah Mike, I think you're right on that, too. These procedures need to be tested regularly. Can you actually take one of your offline backups that you have and put it into place in a relatively short period of time so that you have business continuity? It's great to have the backups, but if you're not sure that the entire process surrounding that works, then it's... that's not good.
A common situation that I've come across is you say to an organization, "You have a backup?" They say, "Yes." - "Have you tested it?" And they say yes. And you don't say, "Well, what happened when you tested it?" - "It failed." - "And what did you do about it?" - "Oh, well..." And this is the problem. It's not just that you've tested it. You've got to test it to make sure it works.
And that it works fast because every minute you're losing with recovery costs you a ton of money.
Are there other steps that you would suggest, John, that are important for showing the full picture of what cyber resilience might mean for an organization?
Yeah, I would say start with the basics. You know, every computing device that's in your organization needs at least a basic endpoint security software installed. I know a lot of organizations will buy computing devices in bulk and they kind of assume, well, there's some antivirus on there or something. Well, that may be the case, but you need to actively manage that. You need to make sure that the antivirus endpoint security solutions are up to date. Are they receiving updates? And the same thing with patching. You know, there, automated patching has been in place for many operating systems for years, but some organizations do not enable that. I think it's by default now. It should be enabled everywhere so that when patches are released, your machines are updated.
That's a good point, John. I like that because I still have every now and then communication with someone who says, Oh, we have this 30 day testing period before we push out a patch. In the age of zero-day attacks, I think the risk equation has fundamentally changed, and the risk of a patch causing problems is so much lower than the risk of leaving systems 30 days unpatched that we need to change that thinking. This thinking is really 1990.
Exactly. Yeah, you know, maybe back then months could pass between the discovery of a vulnerability and an active exploit. Now, often active exploits can be found in conjunction with vulnerability discoveries. So it's imperative that as soon as patches are available, they are put in place everywhere. So endpoint security, patching, don't forget about the network side. And the network includes cloud. You know, the network can often be the last place to discover a security breach.
Yeah. And I think one of the problems is that the attackers can get into your cloud service and through the network can work their way back into your on-premises or edge systems. And so the cloud network can be something that is forgotten.
Yeah, and I think the point is, generally speaking, we need to understand the risk of any type of supply chain risks, and there are various things which affect cyber risks and which affect cyber resilience. So there's the software supply chain stuff. So everything which may be injected into code or where someone attacks the DevOps chain. But there's also this risk of things coming in from your suppliers, more on the office side or on the technology side. So I think there are quite a number of things. And the point is we are connected in so many different manners and so many different ways that we need to understand our cyber risk is affected by this, and we need to be aware of that so that we can take measures and also that we can contain things that go wrong, so that they don't affect the other side of the supply chain. Because I think it's interesting to see, when you look at what happens today, many of the larger organizations, like automotive vendors or so, are reaching out very actively to all their suppliers and asking them for certifications and for proof of their cyber security because they see their cyber risk increasing. And they see even the risk that, even while the attack might not get through the networks to them, it might be that an important supplier is just out for a couple of days or weeks, and that would then affect their physical supply chain. And that causes a lot of problems, as we know from the past years when a lot of ships were stuck, etcetera. And so I think we need to think very broadly about this entire topic to understand cyber risk and to improve our cyber resilience.
Yeah, a couple of last points I wanted to make is on keeping with the basics. You know, email is still a leading vector for things like business email compromise, getting malware into organizations, phishing. And this is something that will continue to be the case. So email security, web security, these are the sources of many externally launched attacks, and everyone needs to be vigilant to prevent email and web security threats. So the specialized products out there that can help, the specialized services for those that are using, say, SaaS-based email, those things need to be considered and put into place as well.
Yeah, it is interesting, by the way, and maybe a hint, Matthias can also add the number of this podcast, but I just recently did a podcast with Matthias about that. I really don't like that sentence that the users are the weakest link in security. Mike, you already said, they are your first line of defense. And the point is, you know, we frequently say, Hey, why did you give away your password? But the problem is, why is there a password still, or why didn't you understand that this is a dangerous and malicious attachment to an email? The question, the real question, is why didn't you do your basics and have an email security system in place that mitigates that risk? And I think this is something which I believe is very spot on in this discussion.
Absolutely.
Yes, I completely agree. I think the users do need to be trained. Mike's right. You know, we need to have a culture of security. I think that culture of security needs to come from the top, too. This is not something that can just be put into place by IT security people at organizations. It has to be bought into from the executive level on down and that's really important because we see so many attacks that are targeting executives these days. So they need to understand and push security from that level as well.
Absolutely. And to answer Martin's question, it's episode 140. So that is the one about, is it really the human being that is the key attack vector. So this is the episode that Martin mentioned. When we're talking about Cybersecurity Leadership Summit, we are talking about addressing thought leaders and creating awareness also for that topic of cyber resilience. From what I've heard now, and I've asked initially for five key steps to take to integrate cyber resilience into an organization, we are far beyond the number of five. Who would be the one person, the one position within the organization to actually drive adding cyber resilience into an organization? Is it only cybersecurity? Is it the management? Who do you consider to be the people responsible for acting upon what you just said? Maybe starting with Mike?
Yeah, so that's an interesting question because I'm giving a talk on the NIS 2.0, the updated NIS directive, at Cybersecurity Leadership Summit. And one of the interesting things about that particular directive is that it requires that the board of the organization shall have cybersecurity training, and it places the buck, that is to say, the responsibility for cybersecurity, squarely with the board of directors.
Great. And any other opinions? Maybe, John, maybe Martin.
Yeah, I think I agree. I think there needs to be accountability and responsibility, the latter of which can be delegated, at the board level. And I think then, to really make this effective, we need, so to speak, the modern CISO, which is really more on this entire procedural and conceptual and organizational side of things. And really, it enables and it drives the organization, and maybe the best solution is really to have the CISO at the board level then.
John, any thoughts?
I think these are good ideas and I know we've been talking about this for years, that we need cybersecurity awareness at the board. And I think that the regulatory approach that they will be talking about at CSLS is probably the only realistic way to make that happen.
Absolutely. And now that we have so many aspects to look at from getting an inventory of your systems to training and changing culture and having training for the board, which I really like that idea. What would be if I asked the three of you consecutively, what would be the really important first step to take to get cyber resilience into the organization? Maybe starting with you, John.
The first step. Well, I think getting the board level buy-in and getting the culture changed from the top down, having management understand the priority, what the consequences are. You know, we've talked about things like ransomware. We've mentioned manufacturing and shipping. Those are large industries with many examples of things like ransomware attacks, and without the direction from the top to help prevent those, we will continue to see many more such attacks across those kinds of industries. So I think it really has to come from the top down in conjunction with technical expertise within IT departments.
Okay, great, agreed. Martin?
I fully agree with John. Board level buy-in and board level conviction that this is an essential topic for every organization.
Interested to see if Mike contradicts. Any other thoughts on what to do first?
Well, my view about all of this, and I hope we will be talking about this at CSLS, is cyber hygiene: that you have to implement a continuous process of looking after all of the little details that matter and make your cyber systems secure and resilient. So it is: implement cyber hygiene.
Okay, great. So now that we've mentioned Cyber Security Leadership Summit so many times, I just want to highlight the main aspects of that. So the Cyber Security Leadership Summit aims at connecting a globally growing community of data security experts. And that's what we're doing. And we're doing that in November in Berlin and online. That will take place from November 8th to November 10th in Berlin. And we have great speakers, including my guests that are here in this panel today. But on top of this, we have CISOs and security experts from many organizations, including Lufthansa, Deutsche Börse, Deutsche Telekom, MasterCard, Siemens and the German Federal Parliament, and many more, including Martin, John and Mike. And if you're interested in joining us, there will be an online version that can be consumed from your home, from your desk, from your iPad on your couch. And you can join us in Berlin for the full event in person. If you're interested, go to the KuppingerCole website. And if you just go to kuppingercole.com, there will be a banner on the start page where you can click and find more information, including the freshly released agenda with opening keynotes and with all the interesting workshops and sessions that will be run, including the one on cyber resilience. Before we close down, a round of final thoughts: why should we join Cybersecurity Leadership Summit? Maybe starting with Martin.
Meeting people in person, discussing topics, thought leadership and a lot of experience and really a perfect place to exchange with experts at a very high level, not in the sense of flying high, but the depth and breadth of exchange and informational learning you can have there. So looking forward to meeting you in person in Berlin.
Perfect. Mike, additional thoughts?
Okay, me. So it's meet your peers, and it is hear what the organizations that your peers are working for are doing to solve the problems that you have.
Great and final words before we close down, John.
You know, one of the things I really like about CSLS is, it's a bit of a different kind of conference. Plus, you know, in general the conferences that we have here at KuppingerCole, we do have presentations, but we have lots of panel discussions, and those panel discussions are a way for the audience to participate as well. You can see unscripted debate on important cybersecurity topics and then follow up and interact with not only the presenters and the panelists, but the other attendees. It's a great opportunity to meet peers, to learn about what's current in cybersecurity and develop relationships with those people that, you know, you can see in following years and events as well.
Perfect, and I fully agree that the CSLS is a one-of-a-kind event, and I really look forward to being there in November in Berlin and to meeting you and to meeting all the participants. So we close down. If you have any questions regarding Cybersecurity Leadership Summit, please reach out to us or leave a comment below this video on YouTube, or reach out to us via our email addresses or the contact form that is available on the website. Looking forward to meeting you in person or virtually, in Berlin or online, for the CSLS, and for the time being, thank you very much, Martin, John and Mike, for being my panelists today for this unusual episode of the Analyst Chat, and looking forward to having all three of you in upcoming episodes very soon. Thank you very much.
And bye bye, Martin, bye bye, Mike. And bye bye, John.
Thank you. Bye.