Given the technological evolution that industries and operational technology (OT) infrastructure have undergone in recent years, many companies today find themselves exposed to new technological risks, subject to stringent regulatory requirements (NERC CIP) and new requirements from insurers. This is forcing organizations to invest more in improving their cybersecurity.
The implementation of a security program then becomes necessary to ensure the long-term viability of organizations. Some undertake to tackle this challenge on their own, but quickly realize the scale and complexity of all that needs to be accomplished. They may also lose sight of the main objective, which is to manage cybersecurity risks.
This can also be a very anxiety-provoking process, as you are often dealing with an unknown, unpredictable and highly skilled adversary with far superior resources. Doing this alone in this complex world, without the appropriate expertise, can become even more costly, or even become an obstacle to business success.
To understand the many facets of cybersecurity, it is useful to compare it to a game of chess.
Cybersecurity governance is the function that helps organizations gain a continuous overview of all issues and risks, set targets and exercise greater control over the approach to achieving them. Here’s how cybersecurity resembles a game of chess:
- It includes a multitude of pieces with specific functions, such as the company’s security functions: technologies, processes and people.
- Each piece has a value in the game, but the king is considered the most vulnerable and must be protected first. If the king falls, the game is over. In the corporate world, the king represents critical assets: your clients’ data, the integrity of the water treatment process, and so on.
- To win, the player must use all their pieces while strategically planning their progression on the chessboard to stay one step ahead of their opponent.
- The player has no choice but to move their pieces, exposing their game and becoming vulnerable to attack. They also have no idea of their opponent’s game. They must therefore remain vigilant, ensure that every piece is protected at all times and be ready to react to any situation.
- Finally, the more the player practices, the more formidable an opponent they become!
Implementing a cybersecurity program
The implementation of a cybersecurity program begins with the establishment of the security functions that make up the strategy. This makes it possible to break down cybersecurity as a whole into simple modules, responsibility for which can be delegated internally or to third parties.
Each of these functions generally has the following characteristics:
- It plays a specific role within the program, for example, detecting intrusions, responding to incidents, etc.
- Responsibilities are assigned to internal and external resources to ensure proper operation, for example, through a roles and responsibilities matrix (RACI).
- It is supported by official documents that define its operating rules, for example, the company’s cybersecurity policies.
- Its maturity and performance can be measured, as part of a continuous improvement process, by means of maturity assessments, cybersecurity audits, vulnerability tests, etc.
To make the exercise easier, there are models commonly referred to as governance frameworks that can be used to define this breakdown. The NIST Cybersecurity Framework and the ISO 27000 standard are well known in the area of information technology (IT), while the ISA/IEC 62443, NERC CIP and NIST 800-82 standards apply to operational technology (OT). Depending on the business sector, it is up to the company to choose the model that best suits its needs, and to adapt it as required.
Identifying the risks threatening the king
Just as in chess, a security program needs to identify the risks that could jeopardize something of great value to the company. In chess, the king is the most important piece, because if it is threatened, the game can quickly be lost. You must therefore orchestrate your defence in such a way as to limit the king’s exposure to your opponent’s attacks. In business, the same importance must be granted to critical assets, commonly referred to as “the crown jewels”. These are the assets that enable the company to operate and achieve its objectives.
For example, in IT, an unexpected shutdown of a production line’s control systems could result in astronomical financial losses for the company. In the OT field, this could involve risks to public safety or the environment. A risk analysis must therefore be carried out in the early stages of program implementation to identify the scenarios to be avoided, in order of priority. This exercise will then enable a risk mitigation plan to be drawn up. You must also accept the possibility of a scenario occurring, and be prepared to respond to it.
Being fully aware of the rules of the game, the pieces on the board and the conditions of victory or defeat, every good player must define a strategy that will lead them to plan their movements on the board. They must keep their objectives in mind, without forgetting to protect the pieces that will help them achieve their goals. In cybersecurity, the rules of the game fall into three distinct categories: strategic, tactical and operational. They generally include the following elements:
- A security policy: This forms the core of the cybersecurity strategy, and is generally approved by the company’s senior management, but championed by the security officer. The fact that it is approved at the highest hierarchical level ensures the company’s strong commitment to the strategy and its success.
- Guidelines and plans: These are the operating rules for the various security functions that the company must comply with. This is often referred to as the tactical component. These documents are normally approved by the security officer, but their implementation may be delegated to an internal corporate unit. For example:
  - Identity and access management guideline
  - Cybersecurity incident response plan
  - Vulnerability management guideline
- Processes and procedures: These provide a framework for implementing the guidelines and plans. They are intended to support the company’s activities and ensure that they comply with the requirements set out in the policy and in the guideline specific to the function involved. For example:
  - Escalation process for cybersecurity incidents
  - Security patch prioritization process
In a mature security program, the strategic, tactical and operational components are aligned, coordinated and measured in order to mitigate risks without compromising the company’s success. It can then be said that the company is investing sufficient resources to manage its risks based on its objectives.
Planning and orchestrating your moves on the chessboard
From the very start of a game of chess, you need to plan your moves according to your strategy. In general, you should have an idea of how you want to protect your king. Each move must implement this strategy. In cybersecurity, this is done by establishing objectives that will enable you to mitigate major risks as a priority, and then achieve a maturity target for the entire security program. These objectives are then broken down into initiatives, which may extend over a period of two to five years. To keep track of these initiatives, they are grouped together in a dashboard clearly indicating when the major objectives and maturity targets will be achieved.
Even with the best technology, the fact remains that humans represent the key stakeholder in the program, as well as the greatest vulnerability. Neglecting this weak link could render all technological investments in cybersecurity ineffective. You must therefore ensure that all those involved are trained in their responsibilities within the program. Employees must also be made aware of and trained on topics such as phishing or corporate security policy, and their knowledge tested from time to time.
Monitoring the game and responding to “check” or other threats to the king
Since you don’t know your opponent’s strategy, you have to constantly adjust your own strategy and sometimes take risks to regain the upper hand. In the context of cybersecurity, planning is the key to staying in control. However, the execution of the plan can be disrupted by a variety of external factors: new risks, geopolitical threats, major vulnerabilities, an incident on the premises of a business partner, a new regulatory requirement, new business objectives, and so on. The security ecosystem will constantly change, and its risks will evolve. Some unforeseen risks may also force the company to make difficult choices. So, it is important to keep an overview of the security ecosystem as the program unfolds, and to adjust as necessary. There are several sources of information that can be used to continuously feed governance, direct efforts towards new priorities and implement the appropriate means to ensure the program’s success.
Incident management is another important point to consider. When the king is put in check, the only option is to change its position; otherwise the game ends. In cybersecurity, even with a solid security program, unexpected incidents can occur. A well-prepared company will be able to reduce the impact of such incidents. Any cybersecurity program must therefore include a response plan, backed up by available, trained and competent resources.
Continuously improving your game
You don’t become a chess expert overnight. You have to practice, explore all the facets of the game and learn as much as you can about your opponent. In cybersecurity, the concepts of monitoring, testing, auditing and continuous improvement are omnipresent. You can’t guarantee that your program is working properly unless you understand its current state and how it is evolving. A good security program must therefore take the following elements into consideration:
- Compliance management: Are we compliant, and do we have what it takes to demonstrate it?
- Do we have the performance indicators to show how well our internal processes are working?
- Are we testing our defences and response plans?
- Do we have a good understanding of our technological environment, and are we monitoring it adequately to be able to quickly detect abnormal situations?
To ensure alignment with strategy, governance should provide an overview and measurement of each security function. This monitoring is generally carried out by the Chief Information Security Officer, who requests reports and performance indicators from each cybersecurity function owner. These reports can then be used to draw up action plans, which are prioritized and monitored over time.
CIMA+ expert team
The comparison with a chess game allows us to see the many facets of cybersecurity, and to better understand the role of each of the different components and the interactions between them.
CIMA+ can support you at every stage of the implementation of a cybersecurity program specifically adapted to operational technologies:
- Cybersecurity maturity assessment for IT and OT
- NERC CIP compliance (energy sector)
- Security governance based on the appropriate framework
- Cybersecurity threat and risk assessment
- Vulnerability audits
- Intrusion testing