One of the worst feelings for any CIO or CEO is finding out your firm has suffered a cybersecurity breach. Customer, employee, and other sensitive data could have been leaked. Your entire business could be at stake.
It’s certainly not the time to uncover gaps in your cybersecurity processes. Yet many investment firms discover that despite their best efforts implementing cyber policy and controls, they’re not prepared for a serious cyber incident.
One issue is that firms often view cybersecurity through the lens of regulatory compliance. That makes sense, given that regulators such as the SEC continually ratchet up cybersecurity requirements.
But cybersecurity is about more than regulations. To be effective, cyber preparedness and response need to be managed along an end-to-end lifecycle.
UNDERSTANDING THE 4 DRIVERS OF CYBERSECURITY
Beyond regulatory requirements, investment firms must respond to four cybersecurity drivers:
1. Proliferating threats – From malware to spear-phishing to advanced persistent threats, enterprises have never faced more cyberattacks. A cyber incident is no longer a matter of if, but when.
2. Cloud and hybrid workforce – More firms have moved operations outside the data center to the cloud. While the cloud is highly secure, it introduces new cyber requirements. For one thing, you can’t assume your cloud provider has configured controls to meet your unique needs.
The atomization of your network perimeter presents a similar issue. At most firms, at least some employees work remotely at least some of the time. That compounds your cyber risk.
3. Technical talent – Cybersecurity has grown more complex, and demand for cyber experts has increased. Firms have a harder time attracting and retaining the technical talent to manage security internally.
4. Cyber budget – Cybersecurity is now a larger portion of the budget, and it’s likely to grow over time. Think carefully about whether you want to spend more budget on in-house cyber management or invest in help from a trusted partner.
OPTIMIZING THE 4 PHASES OF CYBERSECURITY OPERATIONS
From an operational perspective, the goal of cybersecurity is to detect risky activity, home in on actual threats, and prevent those threats from becoming a breach. To achieve those goals, you need to manage cyber operations along four phases of an end-to-end lifecycle:
1. Discovery and assessment – Before you can protect your IT assets, you need to know what you have. Discovery is at least as important as cyber safeguards, and it’s the phase most often overlooked. It’s not something you want to begin in the middle of a cyberattack.
Start by taking detailed inventory of all servers, databases, network and storage devices, and endpoints in your firm. Document whether they’re configured properly and whether security patches are up to date.
Then, identify all your data. Know where it resides – in databases, on remote devices, in email threads. Understand what’s most sensitive and in need of protection. Determine who has access to what data, and where data is being shared.
2. Controls and mitigations – Once you know what you’re protecting, you can determine the cyber controls you need. At minimum your firm requires security information and event management (SIEM). Effective SIEM provides real-time analysis of data to proactively determine security risks. Machine learning (ML) and statistical analysis can identify anomalies, patterns, and trends that indicate problems.
Consider additional layers of controls. Dark-web monitoring brings to light stolen user credentials to head off account takeovers. Phishing testing, training, and reporting can reduce risks from social-engineering schemes. Endpoint detection and response can reduce threats to user devices.
For all these solutions, consider whether you want to develop capabilities internally or rely on a managed security service provider (MSSP). An MSSP can provide you with a security operations center (SOC) that oversees your protections 24x7.
3. Framework and processes – Many firms have protections in place but haven’t thought through what they’ll do if a safeguard fails. If you detect malware on an endpoint, can you isolate it? If you sense suspicious lateral movement in your network, should you shut the network down?
You need a runbook that spells out which actions to take and who will take them. You should have a workflow for handing off from the security analyst who discovers the breach to the operations engineer who will mitigate or rebuild systems. Specify escalations depending on the severity of the breach, with alerts for stakeholders in the C-suite, legal, communications and other relevant functions.
4. Audits and readiness – On an ongoing basis, collect historic cybersecurity data you can use as a baseline and to track your security posture over time. Among those datapoints should be number of security events, how many were actionable, their severity level, and which mitigation actions you took.
Conduct regular vulnerability assessments and penetration testing to gauge your effectiveness. Subscribe to intelligence services that track malware targeting your industry. The goal is to keep your finger on the pulse of your cyber health and continually adapt to changes in technology, cyber threats, and business priorities.
Most investment firms have committed budget to cybersecurity protections. But many fall short when it comes to the harder work of managing the end-to-end cybersecurity operations lifecycle. Investing the time and effort in operationalizing cybersecurity can avoid the financial, legal, and reputational impacts of a cyber breach. It can also transform cybersecurity from a budget line item to an enabler of your business.
