When Omar F. Khawaja compiled his priority list for 2018, he didn’t include which security technologies he wanted or how many IT staff he hoped to hire.
Instead, the CISO at Highmark Health — a healthcare management and insurance provider whose portfolio includes Allegheny Health Network, United Concordia Dental and Visionworks, among others — articulated an overarching strategy on how the cybersecurity plan should fit within the national organization’s business strategy.
“While I do realize that I will need technology to enable many of the things I’m trying to do [this] year and going into 2019, my goal isn’t to deploy technology, but to realize certain outcomes,” said Khawaja, who works out of Highmark’s Pittsburgh headquarters.
Khawaja broke his cybersecurity plan down into five key areas of focus.
First, he wants to look at how his team makes decisions. “There are always more opportunities to make more impact and add more controls than there are the resources and time to do so,” he said. “So how do we create a decision-making framework so we get [our priorities in order]? And we’re not doing things because it’s a shiny object, but instead because it [has] real business impact?”
Second is organizational change management. The corporate security team needs to be confident that staff throughout Highmark Health, and its subsidiaries, adapt practices and processes to maximize the value of the implemented security protocols and technologies.
Next, Khawaja wants to ensure his team’s cybersecurity plan is aligned with the top business risks, so that the cybersecurity program “isn’t a security program but a risk-management program.”
The healthcare organization also wants to focus on operational excellence and customer satisfaction. “We absolutely have to understand what objectives we’re trying to achieve and who our key stakeholders are,” Khawaja said. “It’s not that we just simply secure the place, but we do it in a way that’s excellent. We have to do it at 100%, and we’ve got to be at 100% every single time.”
While Khawaja’s plans may sound ambitious, he is not alone. Studies show that executives increasingly recognize that a cyberattack could cripple their operations and mean millions in lost business and reputational damage as well as in cleanup costs. The National Association of Corporate Directors’ 2017-2018 Public Company Governance Survey found that cybersecurity threats ranked among the top five trends expected to have the greatest effect on business in the upcoming year.
More than technology
Leadership security concerns correspond with significant growth in security spending. Gartner Inc. estimated worldwide spending on information security products and services will hit $98 billion in 2018, up from an expected $86.4 billion for 2017 — a 7% increase over 2016.
Yet CISOs, security advisors and researchers agreed that implementing a successful cybersecurity plan in 2018 isn’t about increased spending for the latest, greatest technologies. Instead, a strong cybersecurity program today has to be strategic.
“Certainly we’re not going to see any reduction in the threat landscape,” said Eddie Schwartz, chair of the Cybersecurity Advisory Council at ISACA and executive vice president of cyber services at DarkMatter, a consultancy based in the United Arab Emirates.
Schwartz and others said they expect increases in the number of attacks, the sophistication of those attacks and the types of devices targeted as mobile and the internet of things (IoT) continue to expand.
“All that will make defending the network even [more] difficult,” Schwartz said, adding that bad actors will continue to use attacks both for monetary gain and to cause havoc and destruction, a particularly potent motive for the nation-states that sponsor a fair and growing number of attacks.
“This cyberweapon environment makes it close to impossible for small companies to protect themselves, and it makes it extremely expensive and complex for large companies,” he said.
In addition to phishing attempts and ransomware, organizations must continue to be vigilant against malicious code of all kinds coming in from a variety of places, including trusted third parties who can unknowingly act as conduits for attacks on a target organization.
Not all challenges to cybersecurity come from external sources, however, said Rob Clyde, vice chair of ISACA and executive chair of the board of directors of White Cloud Security Inc. of Austin.
Organizations are adding more devices, particularly in the IoT space, and they’re connecting with higher numbers of business partners and customers to create even larger vectors for possible attacks. They’re also deploying new technologies at a faster clip than ever before, often faster than they’re implementing adequate measures to secure them.
“CISOs are now charged with defending this digital infrastructure, and that includes software everywhere and data as a resource, and that’s a massive change at a time when the attack surface keeps expanding,” said Jeff Pollard, an analyst at Forrester Research.
At the same time, organizations are facing more security and privacy regulations. Clyde pointed to the European Union’s incoming General Data Protection Regulation (GDPR) as a case in point.
Cyberdefenses have also expanded in both their numbers and their sophistication. Some organizations are automating parts of their security operations and implementing analytics, machine learning and AI technologies that can exponentially identify and isolate malicious activities.
“I don’t think any of these will be the end-all and be-all for 2018, but they’re steps in the right direction,” said Loyce Pailen, director of the Center for Security Studies at University of Maryland University College.
Pollard said these trends, taken together, have shifted the CISO’s role within organizations — a shift that started in past years and will continue through 2018 and beyond. “You have to understand where your business is going and what your business is doing.”
CISOs must be strategic with cybersecurity planning by concentrating more on governance than on simply administering specific security technologies properly.
“When you look at security leaders of the past, they focused on security infrastructure,” Pollard explained. “They secured the inside of the business — they wanted to secure the network.
“What’s really happening now is that we’re forcing leaders to think of an outside-in approach,” he added. “To think, ‘What are the most important things in the next 12 to 24 months that generate revenue?’ And use that to dictate what [their] priorities are.”
No irreparable harm
The Wellforce health system in Burlington, Mass., developed out of a collaborative partnership with Tufts Medical Center and Floating Hospital for Children, Hallmark Health System and Circle Health.
As CISO of Wellforce, Taylor Lehmann said he has his eye on emerging threats that could do irreparable harm. Imagine, he said, a hacker who gets into a defibrillator or medication pump.
Lehmann’s taking a multipronged approach to the health system’s cybersecurity plan, but his job is to ready the organization for even those extreme scenarios.
“What’s top of mind for me is what I call security hygiene. It’s doing the basics really well, getting operationally awesome and executing the basics of security control at a 99% success rate,” Lehmann said, noting that some of the largest hacks have happened because IT failed to do the groundwork, like keeping up with patches.
As part of that, he said he’s focusing, too, on “an outstanding training and awareness program, getting situational awareness of everything in my network [by] making people my first line of defense.” Lehmann said he’s also concentrating on resiliency, so that if a ransomware attack does happen, “I have something I can plug in” to keep going.
Like many companies, Wellforce is exploring how artificial intelligence, automation and orchestration can be used to create a more secure environment. But Lehmann said he’s working to ensure his security strategy isn’t just a collection of technologies but rather a cybersecurity program that’s aligned with business risk.
Patrick Norton — who oversees cybersecurity as senior IT manager for Tampa Bay Water, the public water authority for the region of Tampa, Fla. — has a similar approach for 2018.
Like Lehmann and others, Norton is considering the potential for an extreme attack. Norton said he has to worry about the typical malware getting through as well as the possibility that a hostile nation-state or an activist group tries to hack the computer systems to gain control of the water supply.
To counter those potential threats, Norton is strengthening his security hygiene practices and working to ensure that his team can flawlessly manage both devices and software systems. He’s requiring everyone on his team to have two weeks of cybersecurity training, a requirement put in place in 2016.
“That’s on my priority list, that we have that process in place and that it’s working well,” he said.
Norton said he is implementing new technologies as well, to further beef up his security posture. Those new technologies include tooling to continually monitor his IT infrastructure and dual-factor authentication across the organization’s IT environment. And he’s exploring how AI might aid security work within his IT stack.
Stephen E. Lipka, the former global CISO at real estate company Cushman & Wakefield, who is now a consultant, had a similar list of priorities for security leaders for 2018.
He, too, said it’s important for CISOs to continue training both business and security workers about the current and evolving threats as well as effective countermeasures. He also advised CISOs to consolidate, simplify and standardize — moves that pay off in efficiencies and in increased effectiveness. And he said they should use emerging technologies such as AI to bolster their security profiles.
But Lipka, like others, said CISOs must make strengthening their governance and maturity a top priority in 2018 if they want to keep pace with the growing sophistication of hackers.
“Get the maturity up on those processes because that’s what’s going to make your work repeatable. That’s the kind of work that will get you in a good place,” he said, “because the best technology doesn’t work well if you don’t have the processes around it.”