Juliet Okafor Highlights Ways to Maintain Cyber Resiliency
The path towards business resiliency is clearer if you can see what lies ahead.
How can enterprises make sure that they reduce the impact of a cyberattack, or any other harm that would take down systems that enable business operations? What are the roles of security and IT stakeholders in making sure that active responses are helpful?
Some familiar resilience challenges linger from year to year and others are brand new, but your company needs to be able to resist and recover from them all. While business resiliency has never been an easy exercise, at least the path forward is clearer if you can see what lies ahead.
In this archived keynote session, Juliet Okafor, CEO and founder of Revolution Cyber, highlights the biggest obstacles you’ll face this year and methods to overcome them. This segment was part of our live virtual event titled, “Cyber Resilience in 2024: Availability is Your Best Ability.” The event was presented by InformationWeek and ITPro Today on May 2, 2024.
A transcript of the video follows below. Minor edits have been made for clarity.
Juliet Okafor: Ultimately, with the way cybersecurity is set up today, you must spend an infinite amount of money to feel secure, and a lot of it is security theater. While I agree that there are several tools and technologies that work well, unfortunately, these tools and technologies are being built in silos.
One company has a problem that they think that they have the big answer to, and they go out to market and put it in environments. Another company has a small improvement over the last company, and they also go out to market and put it in environments, which then becomes a cobbling of different technology integrations.
You could spend years taking something out of the box and putting it in the system. We often find that there isn't a lack of willingness from CISOs, security leaders, or IT leaders to do the work required by security, but the challenges are often at multiple levels.
First, we have the technology challenge. There are too many tools to utilize when solving a niche set of problems. There are also too many tools available to solve our major problems, but no one seems to be consistently doing hygiene.
Because solving for hygiene is not a big revenue generator since it requires time and resources, it is often invested in the least, though it has the largest impact on an organization's ability to secure itself.
This approach is ironic, because you'd think that we would invest in the areas that deliver the most bang for our buck, but the answer is no. Unfortunately, due to psychological reasoning, if I can demonstrate and utilize a tool, I'm able to show that I at least cared enough to put the system in because of regulation or auditor requirements.
However, how much of that is security? How can we even ensure that the tools and technologies we implement into our environment solve the common challenges we see repeatedly?
Think about Change Healthcare's recent breach, and I don't mean to undermine how much work the Change Healthcare crew must be going through to get operations up and running. But what we're finding out is that multifactor authentication (MFA) was never implemented.
MFA is a technology that insurers have determined is a basic control that all organizations must have in place to get basic coverage in cybersecurity. In this case, we're not finding a lack of willingness to implement the technology.
However, the issue that we're finding when looking at the attacks relates to someone in the organization outside of security who can make decisions about security. In addition, they aren't providing security leaders with the authority, budget, or resources to get things done.
So, I will tell you that our issue and main challenge in cybersecurity today is not a technology problem, but in fact a human problem. Shifting conversations on resilience forward, away from divisive tools and tricks such as pen testing and towards processes, is important.
What should we be doing on a consistent and sustained basis to get the desired result? Why aren't our actions working today? What is the breakdown? I have a very clear and consistent opinion about this. Now, some may argue that I suffer from confirmation bias, but I doubt it.
Since I began in the industry 10 years ago, I've repeatedly seen actions that seem counterintuitive. We've continued spending minimal amounts of money in the places that need it the most.
For instance, we rarely allocate sufficient budgeting to actual governance, which are practices, policies, and standards that allow the government to operate. We rarely spend adequately enough to ensure that cybersecurity is embedded in the design and operation of an organization.
In addition, we call what we do awareness, but we don't raise awareness beyond the hour-long video that we make people watch once a year. None of that will achieve the desired outcome. We can say that we're doing cybersecurity, but are we more resilient?
I think that is the question that we need to start asking ourselves. Are our actions merely performative, or are we really working to solve a problem? I ask this of myself all the time.
I spoke to some of the team members on this call about helping another client through a recent incident. Most of the work that my company does involves incident response. Let's just imagine that we won't be able to respond in time because that tends to be the issue.
How can we make sure that we reduce the impact of a cyberattack, or any other harm that would take down systems? This could be an electrical outage, snowstorm, or flood. How can we ensure that we are able to bring the systems up as quickly as possible?
That's the first question. The second question we want to ask in this conversation about resilience is also key. What are the roles of security and IT stakeholders in making sure that we can actively respond in a way that is helpful?
Our answers should be consistent and designed around reducing the politics and friction that often comes with disaster scenarios.