
9 Forming a Cyber Security Culture

Introduction

Much has been written regarding the importance of how companies deal with cyber threats. While most organizations have focused on the technical ramifications of how to avoid being compromised, few have invested in how senior management needs to make security a priority. This chapter discusses the salient issues that executives must address and how to develop a strategy to deal with the various types of cyber attack that could devastate the reputation and revenues of any business or organization. The response to the cyber dilemma requires evolving institutional behavior patterns using organizational learning concepts.

History

From a historical perspective we have seen an interesting evolution in the types and acceleration of attacks on business entities. Prior to 1990, few organizations were concerned with information security except for the government, military, banks and credit card companies. In 1994, with the birth of the commercial Internet, a higher volume of attacks occurred, and in 2001 the first nation-state sponsored attacks emerged. These attacks resulted, in 1997, in the development of commercial firewalls and malware. By 2013, however, the increase in attacks reached greater complexity with the Target credit card breach, Home Depot’s compromise of its payment system, and JP Morgan’s exposure that affected 76 million customers and seven million businesses. These events resulted in an escalation of fear, particularly in the areas of sabotage, theft of intellectual property, and stealing of money. Figure 9.1 shows the changing pace of cyber security.


[Figure 9.1, timeline of events]

Pre-1990: Few groups concerned with information security except government, military, banks and credit card companies.

1994: Birth of commercial Internet. Commercialized cyber security: Netscape develops secure sockets layer encryption, commercially available security software, to secure online transactions.

1997: Firewalls and malware.

2000: Y2K.

2001: 9/11. Evolution of cyber attacks, higher volume of attacks: nation state-sponsored attacks emerge in a meaningful way.

2013: Booz Allen employee and contractor for the NSA, Edward Snowden, steals and leaks details of several top-secret U.S. and British government mass surveillance programs to the press.

2013–2014: Target has 70 million customers’ credit cards breached.

2014: Home Depot suffers a 6-month breach of its payment system affecting more than 53 million credit and debit cards. JP Morgan Chase suffers a breach affecting 76 million customers and seven million businesses.

Increased number of attacks with greater complexity. Fear factor escalates. Sabotage, theft of intellectual property and money become a constant threat. Daily headline risk is a new reality.

Figure 9.1 The changing pace of cyber security. (From Russell Reynolds Associates 2014 presentation.)


The conventional wisdom among cyber experts is that no business can be compromise-proof against attacks. Thus, leaders need to realize that there must be (1) other ways beyond just developing new anti-software to ward off attacks, and (2) internal and external strategies to deal with an attack when it occurs. These challenges in cyber security management can be categorized into three fundamental components:

• Learning how to educate and present to the board of directors

• Creating new and evolving security cultures

• Understanding what it means organizationally to be compromised

Each of these components is summarized below.

Talking to the Board

Board members need to understand the possible cyber attack exposures of the business. They certainly need regular communication from those executives responsible for protecting the organization. Seasoned security executives can articulate the positive processes that are in place without overstating their confidence, since there is always a risk of being compromised. That is, while there may be exposures, C-level managers should not hit the panic button and scare the board. Typically, fear only instills a lack of confidence by the board in the organization’s leadership. Most important is to always relate security to business objectives and, above all, avoid “tech” terms during meetings. Another important topic of discussion is how third-party vendors are being managed. Indeed, many breaches have been caused by a lack of oversight of legacy applications that are controlled by third-party vendors. Finally, managers should always compare the state of security with that of the company’s competitors.

Establishing a Security Culture

The predominant exposure to a cyber attack often comes from careless behaviors of the organization’s employees. The first step to avoid poor employee cyber behaviors is to have regular communication with staff and establish a set of best practices that will clearly protect the business. However, mandating conformance is difficult, and research has consistently supported that evolutionary culture change is best accomplished through relationship building, leadership by influence (as opposed to power-centralized management), and ultimately, a presence at most staff meetings. Individual leadership remains the most important variable when transforming the behaviors and practices of any organization.

Understanding What It Means to Be Compromised

Every organization should have a plan of what to do when security is breached. The first step in the plan is to develop a “risk” culture. What this simply means is that an organization cannot maximize protection of all parts of its systems equally. Therefore, some parts of a company’s system might be more protected against cyber attacks than others. For example, organizations should maximize the protection of key company scientific and technical data first. Control of network access will likely vary depending on the type of exposure that might result from a breach. Another approach is to develop consistent best practices among all contractors and suppliers and to track the movement of these third parties (e.g., if they are merged/sold, disrupted in service, or even breached indirectly). Finally, technology executives should pay close attention to Cloud computing alternatives and develop ongoing reviews of possible threat exposures in these third-party service architectures.

Cyber Security Dynamism and Responsive Organizational Dynamism

The new events and interactions brought about by cyber security threats can be related to the symptoms of the dynamism that has been the basis of ROD discussed earlier in this book. Here, however, the digital world manifests itself in a similar dynamism that I will call cyber dynamism.

Managing cyber dynamism, therefore, is a way of managing the negative effects of a particular technology threat. As in ROD, cyber strategic integration and cyber cultural assimilation remain as distinct categories that present themselves in response to cyber dynamism. Figure 9.2 shows the components of cyber ROD.


Cyber Strategic Integration

Cyber strategic integration is a process that firms need to use to address the business impact of cyber attacks on their organizational processes. Complications posed by cyber dynamism, via the process of strategic integration, occur when several new cyber attacks overlap and create a myriad of problems in various phases of an organization’s ability to operate. Cyber attacks can also affect consumer confidence, which in turn hurts a business’s ability to attract new orders. Furthermore, the problem can be compounded by reductions in productivity, which are complicated to track and to represent to management. Thus, it is important that organizations find ways to develop strategies to deal with cyber threats such as:

1. How to reduce occurrences by instituting aggressive organization structures that review existing exposures in systems.

2. What new threats exist, which may require ongoing research and collaborations with third-party strategic alliances?

3. What new processes might be needed to combat new cyber dynamisms based on new threat capabilities?

4. Creating systems architectures that can recover when a cyber breach occurs.

[Figure 9.2: cyber attacks as an independent variable lead to organizational dynamism (symptoms and implications), which requires cyber strategic integration and cyber cultural assimilation, that is, how to formulate risk-related strategies to deal with cyber attacks.]

Figure 9.2 Cyber responsive organizational dynamism. (From Langer, A., Information Technology and Organizational Learning: Managing Behavioral Change through Technology and Education, CRC Press, Boca Raton, FL, 2011.)

In order to realize these objectives, executives must be able to:

• Create dynamic internal processes that can function on a daily basis to understand the potential fit of new cyber attacks and their overall impact on each local department within the business, that is, to provide for change at the grassroots level of the organization.

• Monitor cyber risk investments and determine modifications to the current life cycle of idea-to-reality.

• Address the weaknesses in the organization in terms of how to deal with new threats, should they occur, and how to better protect the key business operations.

• Provide a mechanism that both enables the organization to deal with accelerated change caused by cyber threats and that integrates them into a new cycle of processing and handling change.

• Establish an integrated approach that ties cyber risk accountability to other measurable outcomes, integrating acceptable methods of the organization.

The combination of evolving cyber threats with accelerated and changing consumer demands has also created a business revolution that best defines the imperative of the strategic integration component of cyber ROD. Without action directed toward new strategic integration focused on cyber security, organizations will lose competitive advantage, which will ultimately affect profits. Most experts see the danger of breaches from cyber attacks as the mechanism that will ultimately require the integrated business processes to be realigned, thus providing value to consumers and modifying the customer-vendor relationship. The driving force behind this realignment emanates from cyber dynamisms, which serve as the principal accelerator of the change in transactions across all businesses.


Cyber Cultural Assimilation

Cyber cultural assimilation is a process that addresses the organizational aspects of how the security department is internally organized, its relationship with IT, and how it is integrated within the organization as a whole. As with technology dynamism, cyber dynamism is not limited to cyber strategic issues but extends to cultural ones as well. A cyber culture is one that can respond to emerging cyber attacks in an optimally informed way, and one that understands the impact on business performance and reputation.

The acceleration factors of cyber attacks require more dynamic activity within and among departments, which cannot be accomplished through discrete communications between groups. Instead, the need for diverse groups to engage in more integrated discourse and to share varying levels of cyber security knowledge, as well as business-end perspectives, requires new organizational structures that will give birth to a new and evolving business social culture.

In order to facilitate cyber cultural assimilation, organizations must have their staffs be more comfortable with a digital world that continues to be compromised by outside threats. The first question becomes one of finding the best structure to support a broad assimilation of knowledge about any given cyber threat. The second is about how that knowledge can best be utilized by the organization to develop both risk efforts and attack resilience. Business managers therefore need to consider cyber security and include the cyber staff in all decision-making processes. Specifically, cyber assimilation must become fundamental to the cultural evolution.

While many scholars and managers suggest the need to have a specific entity responsible for cyber security governance, one that is to be placed within the organization’s operating structure, such an approach creates a fundamental problem. It does not allow staff and managers the opportunity to assimilate cyber security-driven change and understand how to design a culture that can operate under ROD. In other words, the issue of governance is misinterpreted as a problem of structural positioning or hierarchy when it is really one of cultural assimilation. As a result, many business solutions to cyber security issues often lean toward the prescriptive instead of the analytical in addressing the real problem.


Summary

This section has made the argument that organizations need to excel in providing both strategic and cultural initiatives to reduce exposure to cyber threats and ultimate security breaches. Executives must design their workforce to meet the accelerated threats brought on by cyber dynamisms. Organizations today need to adapt their staff to operate under the auspices of ROD by creating processes that can determine the strategic exposure of new emerging cyber threats and by establishing a culture that is more “defense ready.” Most executives across industries recognize that cyber security has become one of the most powerful variables in maintaining and expanding company markets.

Organizational Learning and Application Development

Behavioral change, leading to a more resilient cyber culture, is just one of the challenges in maximizing protection in organizations. Another important factor is how to design more resilient applications that are better equipped to protect against threats; that is, a decision that needs to address exposure coupled with risk. The general consensus is that no system can be 100% protected, and this requires important decisions when analysts are designing applications and systems. Indeed, security access is not just limited to getting into the system, but applies to the individual application level as well. How then do analysts participate in the process of designing secure applications through good design? We know that many cyber security architectures are designed from the office of the chief information security officer (CISO), a new and emerging role in organizations. The CISO role, often independent of the chief information officer (CIO), became significant as a result of the early threats from the Internet, the 9/11 attacks and, most recently, the abundant number of system compromises experienced by companies such as JP Morgan Chase, SONY, Home Depot, and Target, to name just a few.

The challenge of cyber security reaches well beyond just architecture. It must address third-party vendor products that are part of the supply chain of automation used by firms, not to mention access to legacy applications that likely do not have the necessary security built into the architecture of these older, less resilient technologies. This challenge has established the need for an enterprise cyber security solution that addresses the needs of the entire organization. This approach would then target third-party vendor design and compliance. Thus, cyber security architecture requires integration with a firm’s Software Development Life Cycle (SDLC), particularly within steps that include strategic design, engineering, and operations. The objective is to use a framework that works with all of these components.

Cyber Security Risk

When designing against cyber security attacks, as stated above, there is no 100% protection assurance. Thus, risks must be factored into the decision-making process. A number of security experts often ask business executives the question, “How much security do you want, and what are you willing to spend to achieve that security?”

Certainly, we see a much higher tolerance for increased cost given the recent significance of companies that have been compromised. This section provides guidance on how to determine appropriate security risks.

Security risk is typically discussed in the form of threats. Threats can be categorized as presented by Schoenfield (2015):

1. Threat agent: Where is the threat coming from, and who is making the attack?

2. Threat goals: What does the agent hope to gain?

3. Threat capability: What threat methodology, or type of approach, is the agent possibly going to use?

4. Threat work factor: How much effort is the agent willing to put in to get into the system?

5. Threat risk tolerance: What legal chances is the agent willing to take to achieve his or her goals?

Table 9.1 is shown as a guideline. Depending on the threat and its associated risks and work factors, it will provide important input to the security design, especially at the application design level. Such application securities in design typically include:

1. The user interface (sign-in screen, access to specific parts of the application).

2. Command-line interface (interactivity) in online systems.

3. Inter-application communications: how data and password information are passed, and stored, among applications across systems.

Risk Responsibility

Schoenfield (2015) suggests that someone in the organization is assigned the role of the “risk owner.” There may be many risk owners and, as a result, this role could have complex effects on the way systems are designed. For example, the top risk owner in most organizations today is associated with the CISO. However, many firms also employ a chief risk officer (CRO). This role’s responsibilities vary.

But risk analysis at the application design level requires different governance. Application security risk needs involvement from the business and the consumer and needs to be integrated within the risk standards of the firm. Specifically, multiple levels of security often require users to reenter secure information. While this may maximize safety, it can negatively impact the user experience and the robustness of the system interface in general. Performance can obviously also be sacrificed, given the multiple layers of validation. There is no quick answer to this dilemma other than the reality that more security checkpoints will reduce user and consumer satisfaction unless cyber security algorithms become more invisible and sophisticated. However, even this approach would likely reduce protection. As with all analyst design challenges, the IT team, business users, and now the consumer must all be part of the decisions on how much security is required.

Table 9.1: Threat Analysis

THREAT AGENT | GOALS | RISK TOLERANCE | WORK FACTOR | METHODS
Cyber criminals | Financial | Low | Low to medium | Known and proven

Source: Schoenfield, B.S.E., Securing Systems: Applied Security Architecture and Threat Models, CRC Press, Boca Raton, FL, 2015.

As my colleague at Columbia University, Steven Bellovin, states in his new book, Thinking Security, security is about a mindset. This mindset to me relates to how we establish security cultures that can enable the analyst to define organizational security as it relates to new and existing systems. If we get the analyst position to participate in setting security goals in our applications, some key questions according to Bellovin (2015) are:

1. What are the economics to protect systems?

2. What is the best protection you can get for the amount of money you want to spend?

3. Can you save more lives by spending that money?

4. What should you protect?

5. Can you estimate what it will take to protect your assets?

6. Should you protect the network or the host?

7. Is your Cloud secure enough?

8. Do you guess at the likelihood and cost of a penetration?

9. How do you evaluate your assets?

10. Are you thinking like the enemy?

The key to analysis and design in cyber security is recognizing that it is dynamic; the attackers are adaptive and somewhat unpredictable. This dynamism requires constant architectural change, accompanied by increased complexity in how systems become compromised. Thus, analysts must be involved at the conceptual model, which includes business definitions, business processes and enterprise standards. However, the analysts must also be engaged with the logical design, which comprises two sub-models:

1. Logical architecture: Depicts the relationships of different data domains and functionalities required to manage each type of information in the system.

2. Component model: Reflects each of the sub-models and applications that provide various functions in the system. The component model may also include third-party vendor products that interface with the system. The component model coincides, in many ways, with the process of decomposition.

In summary, the ROD interface with cyber security is more complex than many managers believe. Security is relative, not absolute, and thus leaders must be closely aligned with how internal cultures must evolve with changing environments.


Driver/Supporter Implications

Security has traditionally been viewed as a support function in most organizations, particularly when it is managed by IT staff. However, the recent developments in cyber threats suggest, as with other aspects of technology, that security too has a driver side.

To excel in the role of security driver, leaders must:

• Have capabilities, budgets and staffing levels, using benchmarks.

• Align even closer with users and business partners.

• Have close relationships with third parties.

• Extend responsibilities to include the growing challenges in the mobile workforce.

• Manage virtualized environments and third-party ecosystems.

• Find and/or develop cyber security talent and human capital.

• Have a strategy to integrate millennials with baby boomer and Gen X managers.

10 Digital Transformation and Changes in Consumer Behavior

Introduction

Digital transformation is one of the most significant activities of the early twenty-first century. Digital transformation is defined as “the changes associated with the applications of digital technology in all aspects of human society” (Stolterman & Fors, 2004, p. 689). From a business perspective, digital transformation enables organizations to implement new types of innovations and to rethink business processes that can take advantage of technology. From this perspective, digital transformation involves a type of reengineering, but one that is not limited to rethinking just how systems work together, but rather extends to the entire business itself. Some see digital transformation as the elimination of paper in organizations. Others see it as revamping a business to meet the demands of a digital economy. This chapter provides a link between digital transformation and what I call “digital reengineering.” To explain this better, think of process reengineering as the generation that brought together systems in the way that they talked to one another— that is, the integration of legacy systems with new applications that used more robust software.

The advent of digital transformation requires the entire organization to meet the digital demands of its consumers. For some companies, the consumer is another company (B2B, or business-to-business), that is, the consumer is a provider to another company that inevitably supports a consumer. For other businesses, their consumer is indeed the ultimate buyer. I will discuss the differences in these two types of consumer concepts later in this chapter. What is important from an IT perspective is that reengineering is no longer limited to just the needs of the internal user, but extends to the needs of the business’s consumer as well. So, systems must change, as necessary, with the changes in consumer behavior. The challenge with doing this, of course, is that consumer needs are harder to obtain and understand, and can differ significantly among groups depending on variables such as ethnicity, age, and gender, to name just a few.

As a result, IT managers need to interact with the consumer more directly and in partnership with their business colleagues. The consumer represents a new type of user for IT staff. The consumer, in effect, is the buyer of the organization’s products and services. The challenge becomes how to get IT more engaged with the buyer community, which could require IT to be engaged in multiple parts of the business that deal with the consumer. Below are six approaches, which are not mutually exclusive of each other:

1. Sales/Marketing: These individuals sell to the company’s buyers. Thus, they have a good sense of what customers are looking for, what things they like about the business, and what they dislike. The power of the sales and marketing team is their ability to drive realistic requirements that directly impact revenue opportunities. The limitation of this resource is that it still relies on an internal perspective of the consumer; that is, how the sales and marketing staff perceive the consumer’s needs.

2. Third-party market analysis/reporting: There are outside resources available that examine and report on market trends within various industry sectors. Such organizations typically have massive databases of information and, using various search and analysis tools, can provide a better understanding of the behavior patterns of an organization’s consumers. These third parties can also provide reports that show how the organization stacks up against its competition and why consumers may be choosing alternative products. Unfortunately, if the data is inaccurate it will likely result in false generalizations about consumer behavior, so it is critical that IT digital leaders ensure proper review of the data integrity.

3. Predictive analytics: This is a hot topic in today’s competitive landscape for businesses. Predictive analytics is the process of feeding off large data sets (big data) and predicting future