As the dust settles after the outage that affected approximately eight million computers running CrowdStrike Falcon software for Windows, one of the long-lasting effects will be a new level of scrutiny over the risks each piece of software poses to an organization’s operations. Together, IT and security leaders are tasked with helping leadership understand how to elevate risk management to a business priority, and the CrowdStrike outage has shone a spotlight on just how impactful that area can be.
When we look at the role CISOs will play in this, it will be to assess how cybersecurity fits into their business continuity plans and to demonstrate to their boards and executives what plans are in place for their own organization should something like this happen again. CISOs can help guide these conversations by focusing on the key areas that are likely to be impacted by leadership: availability, consolidation, and automatic updates.
Availability is still fundamental to cybersecurity
Many CISOs will remember learning about the old (in cybersecurity terms) initialism CIA — confidentiality, integrity, and availability. While some may dismiss it as an outdated standard in today’s complex environments, it’s clear from recent events that availability is still a fundamental aspect of your strategic plan.
Availability on a day-to-day basis is typically a focus of an organization’s IT team, but it’s the CISO’s job to turn the risk lens on it and help the organization manage those risks. This includes not only managing the availability of data for your organization, but also managing the availability of services you subscribe to from the various vendors and software that’s delivered. In essence, CISOs need to balance the focus on availability with the broader context of the organization’s risk profile.
While availability is not a new area of risk, the CrowdStrike incident has raised important questions, such as “how available do we need these services to be? How much risk are we willing to take here? What are our plans if a major vendor or provider in the supply chain has an event like this?” The role of the CISO is to think systematically about the risk tradeoffs an organization is willing to make, and then work with the operations team to understand those risks and tradeoffs so they can respond effectively if a disruption occurs. The CISO must work with the risk team, executive management, the board of directors, and business leaders to understand those risks and create a unified response.
A recommended first step is to review your business continuity plan and ensure that you have a disaster recovery plan in place for a major outage or other Black Swan type event. These plans should include “boots on the ground” responses for critical systems, as remote access is not always guaranteed. The plan should answer questions such as how would you handle having to manually address every device in your organization to provide a fix? What would you do first, second, third? Do you have the staff to fix the problem or the budget (and authority) to hire people to expedite the process? How would you communicate the plan if everything is offline? CISOs should review this plan with senior management and the board of directors to help everyone understand the plan and their role during and after an event.
Weighing the Pros and Cons of Consolidation
Vendor consolidation is a hot topic and there are many good reasons for it, but it is not without risk. Remember that risk management involves carefully balancing necessity, efficiency, and cost without concentrating resources too heavily in one area. When CISOs look at their key technology vendors, they need to think about how much risk is acceptable, both from a design and implementation perspective?
Therefore, a lot of effort is put into the design portion of architectures, as CISOs need to think through the risk and response plan if a major software vendor in their supply chain were to cause an outage. For example, is that risk more manageable in a Linux environment? Organizations can be constrained by budget, expertise, and historical investments in what technologies can be deployed and operated. CISOs need to be aware of these constraints and need to communicate and manage the risks that come with them.
For redundancy and to reduce single points of failure, CISOs may choose to use more than one vendor for the same service. Others may seek to deploy multiple layers of defense or diversify their solution portfolio through a more open, integrated architecture.
When an organization’s revenue is tied to availability and cost is not an obstacle, it can make sense to have some level of redundancy in vendor solutions. But for many organizations, there will be secondary costs and concerns to deal with. Diversification isn’t just about one piece of software, it’s about how one change affects everything in your technology stack. The risk tradeoff for the added complexity may not be worth it for many organizations, not to mention the costs associated with having two sets of software delivering the same service — that’s two different licenses, two sets of developers, and two systems to manage. Are decisions like doubling one’s infrastructure costs as a risk strategy something that most companies can make?
View automatic updates
How organizations choose to handle automatic updates is likely to be one of the biggest debates we see in the future. Vulnerabilities are still a primary attack vector for cybercriminals, and organizations still need to keep their software up to date. We can expect to see different strategies for how an organization implements software updates based on their risk profile. This could be phased rollouts, delayed rollouts, or a combination of both based on the software and risks.
As with all major events, it will take time for lessons learned to emerge, but CISOs can expect the topics of availability, consolidation, and automatic update policies to take center stage in the near future. It’s important to remember that even during unprecedented events, the fundamentals of risk management don’t change. Take this moment to help leadership understand how cybersecurity relates to overall business risk and the need to align efforts to improve the organization’s overall risk management posture.
We have listed the best network monitoring tools.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of Ny BreakingPro or Future plc. If you’re interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
