March 5, 2021

Fortifying cybersecurity through effective risk management

As the world continues to navigate the waters of the new normal, unprecedented accelerated digital transformation continues to be the need of the hour. However, as organisations increasingly migrate to virtual operations and transactions, there is an urgent need to protect against potential breaches and cyber intrusions. Cybersecurity threats are indeed on the rise. Ransomware and cyber incidents have multiplied, adding to the already complex crisis management morass for many organisations. Executives are now looking for the best and most sustainable critical event management strategy, while also saving time and cost.

In recent months, cybersecurity has been inextricably embedded into operations frameworks of organisations, in both the government and the private sector. Reports showed that companies’ budgets for these systems have spiked by more than 50% and towards the end of 2020, these security solutions were anticipated to form as much as half of the overall funding. Despite this, several agencies are uncertain as to how to adapt these tools and solutions. In the absence of adequate precaution, planning and programmes, many organisations are left stranded and exposed when hit by an unexpected critical event.

Such eventualities can be addressed by setting up a robust critical event management programme (CEM). This was the essence of the OpenGovLive! Virtual Breakfast Insight: Strengthening Cybersecurity and Emergency Preparedness: Enhancing Readiness, Response and Recovery.

On 21 January, OpenGov Asia, in collaboration with Everbridge, hosted the OpenGov Live! Virtual Breakfast Insight for senior digital executives from both the public and the private sectors in the Philippines. The event focussed on establishing strong cyber resilience in organisations with effective risk management tools to be fully prepared for managing crises and cyber risks.

The role of critical event management in upgrading work systems

Mohit Sagar: By investing in a risk management programme, cyber resilience becomes muscle memory

Mohit Sagar, OpenGov Asia’s Group Managing Director and Editor-in-Chief, opened the session with a short introduction of the participants and the topic. He highlighted the importance of having a reliable incident management programme to ward off potential data security risks.

The current scenario in many organisations in both the public and private sectors is a delicate balancing act. He painted a picture of a group of ballerinas in a difficult balancing pose. Like these ballerinas, organisations have to balance technology, customers, employees, regulations and stakeholders in the precarious new normal. If any one of these components fails or shifts, the whole construction can crash.

This tightrope act works well when everything is in equilibrium. However, an imbalance, misstep or unmanaged tension can have catastrophic results.

Reflecting on how the world responded to the pandemic, Mohit then questioned the readiness of the organisations in dealing with cyber risks and their continuity plans. Lacunae were painfully evident last year with the onset of the COVID-19 pandemic. Technology did help manage the pandemic in terms of being able to work from home but was only a temporary solution.

Prior to the pandemic, the need to consider the impact of potentially critical events was more of a theoretical pursuit and organisations plodded along with traditional plans in place. However, when the crisis hit, organisations were floundering, ill-prepared for such a massive disruption. Significant changes were urgently required to just stay afloat.

Many organisations were able to turn things around and somewhat mitigate the impact of the pandemic. But the fact is, not all organisations were able to come out unscathed, and the reality is that there is still a lot to be done to upgrade work systems and processes to accommodate the new normal.

The solution, Mohit said, is not to hope for an auspicious year to get through 2021, but to learn from past mistakes. There is a need to find out what went wrong, develop a better understanding of organisational cyber risks and determine to set a robust resilience plan in place. From this, organisations can incorporate changes in their operation models, retrain employees and most importantly, invest in strategic tools like a critical event management system.

Technology is at our fingertips and it proved to be the saving grace last year. But resilience must not be equated with being able to keep the business running through remote methods.

Mohit emphasised that putting up event management systems must not be shouldered by organisation management alone. Operational resilience is tied to effective communication that is well-received on both ends – employers and employees, management and staff. To do this, ensuring seamless communication is key and becomes crucial in crises. It may come at a price, but in the end, it must be done.

According to Mohit, creating an operational resilience plan is not an easy task. It relies heavily on cybersecurity expertise and professional critical event management systems. Therefore, it is expedient for agencies to work with the right partners to ensure that they have the best strategy in managing upcoming cyber risks.

Setting up an adaptive event management programme suited for each organisation

Sonia Arista: Cybersecurity needs to be constantly improved to remain current and relevant

Sonia Arista, Vice President and Chief Information Security Officer at Everbridge, furthered the discussion after Mohit. She briefly shared her background in information security management and introduced Everbridge.

Everbridge is a global critical events management company that strives to keep businesses running continuously through any events that affect the workforce and supply chain, such as IT disruptions, and to maintain visibility and communications between employees and leaders on events that might affect the business.

Working in information security program management means that half of the time, Sonia needs to oversee product development as well as operational areas. The other half of the time, she is responsible for maintaining the security of Everbridge’s employees’ information and environments and maintaining a standard of security.

This can be challenging for several reasons. First, full visibility in the context of what is happening is difficult to achieve. Second, determining the level of severity of the events and the parties is not straightforward. Third, deciding how to notify relevant people, what messaging is needed, and whether the communication is one-way or feedback is required can make the response complicated.

In short, identifying the appropriate response plan to the event and putting it into action is the name of the game. She also felt that assessment post-crisis is important to determine areas of improvement and potentially developing guidelines for other members in the industry.

To address this, there must be an adaptive critical event management programme integrated within operations models. However, Sonia was quick to acknowledge that deploying a CEM programme is no walk in the park. Nonetheless, the rationale is that the more time spent impact-proofing operations, assets and people, the better the resilience during critical events.

Sonia went on to explain her take on simplifying and unifying critical event management. To streamline the whole process, Everbridge views 4 factors to be at the core:

  1. Assessing an incident
  2. Locating what is happening and identifying the stakeholders and assets impacted
  3. Acting and responding to the event – inform, notify, rally, collaborate, mitigate, fix and recover
  4. Analysing performance over the course of the incident and offering possible improvements to the processes

According to Sonia, there are instances where organisations need to manage multiple crises. Events can happen in tandem and are often caused by multiple factors such as supply chain disruption, disease outbreaks, severe weather, etc. All of these elements together contribute information to the events, and by applying the four core factors mentioned above, an organisation can fully mitigate and resolve any event.

Different business models will have different focus areas, and critical event management takes different forms for organisations across various sectors. For example, companies with multiple factories will want to focus on physical access control to maintain standards in their facilities, health systems on weather services to predict patient influx caused by natural disasters, and cybersecurity on threat intel engines. She underscored this point by showing a list of partners that collaborated with systems such as Everbridge to bring comprehensive intel and context in remediation planning.

Sonia summarised her presentation by acknowledging that there are various programmes that an organisation can utilise. It all depends on which key areas a specific agency wants to focus on, so that the proper critical incident management can be deployed.

Enhancing cybersecurity measures through critical events management

Charlotte Wood: Cybersecurity needs a risk-based approach that is people-centric

Following Sonia’s presentation, Charlotte Wood, Director of Policy and Awareness of Cybersecurity at New South Wales Government, shared her experience with the participants. Her department is responsible for setting standards and providing leadership in cybersecurity and affects all 120 entities in the NSW Government that consist of approximately 400,000 employees.

According to Charlotte, there are 3 pillars of cybersecurity: 1) Confidentiality of digital information held, 2) Availability of the information accessed digitally by people whenever it’s needed, and 3) Maintaining the integrity of the digital system and services – data must not be modified improperly, whether maliciously or accidentally.

Charlotte explained that the initial question to be answered is: what is an agency trying to protect when integrating cybersecurity measures. As with most, if not all workplaces, protecting the confidentiality of data is paramount, as well as keeping such information intact and readily available. In and of themselves, these two components are not sufficient. There must be workplace safeguards to ensure the integrity of data and that malicious activities do not compromise it.

One way to balance these three key components is by applying a risk-based approach, and the NSW Government uses this methodology. With their standard, they address the level of risk in 3 main areas: 1) Technology and Infrastructure – in protecting their digital system and services, 2) Procession and Organisation – the standards set, and 3) People and Culture – the employees’ understanding of cybersecurity.

However, more critical than these 3 areas is the risk and impact of the events to the people of NSW. The risk level dictates how they prepare for the attacks, and how they prioritise the different attacks. The risk-based approach has allowed the NSW government to have a standard framework that will work in different agencies with different needs.

Mitigating the impact of critical events does not end with a cyber risk approach. It is a holistic process that improves on key aspects of the workforce including retraining employees. She added that while the notion that cyber threats can be prevented is a myth, agencies can mitigate impacts by training people and by putting up a solid cybersecurity framework.

Charlotte concluded her talk by reiterating that investment in a cybersecurity programme is a continuous cycle. As data breaches become more sophisticated, systems must be improved and defences against these threats must be fortified. Organisations can do this through prevention and simulation of potential threats.

Polling questions

After the engaging discussion by the speakers, participants took part in polling questions and discussions regarding their risk management and cybersecurity protocols, as well as the challenges that they see in this area.

When asked about their key concerns around cybersecurity in their organisations, nearly half (49%) of the attendees voted for employee education in IT security.

A delegate from the Department of Energy said that educating employees is one of the major hurdles that his agency is experiencing. The reason is that most employees fail to grasp the importance of cybersecurity and because of this, the responsibility is left in the hands of IT professionals.

An executive from the Department of National Defense shared the same sentiment. She noted that with their current remote work programme, educating employees and enforcing security policies has become more difficult.

When it comes to measuring the effectiveness of cybersecurity architecture, two thirds (66%) of the participants said that they do this by looking at the ability of the organisation to respond effectively to impending cyber threats. Data protection, threat response and effective mitigation are their main measurements.

Interestingly, 20% of the participants stated they did not have any measurement and wanted to learn from the others. One participant from the government said they are interested to find ways to measure this area in their cybersecurity policies.

The third question was on how the participants rate the level of preparedness of their organisation to cyber threats. Few were unsure and some admitted that they are not well prepared. 45% of the participants felt that they are prepared but they have doubts if it can withstand infiltration.

The fourth question asked the participants about their biggest challenge in accelerating their response to IT incidents. A large portion, mostly government officials, voted it to be the lack of skilled cybersecurity or IT professionals. They experienced budget constraints and felt policies in hiring these professionals were difficult to follow.

For well over half of the delegates (60%), the lack of skilled cybersecurity/IT professionals is the biggest challenge they see in boosting their cybersecurity protocols. Others felt information overload and alert fatigue to be challenging since IT incidents involved not only cybersecurity but also operations.

The last question was on how participants’ security operations are currently driven. For the most part, delegates said they were compliance and incident driven but now realise the importance of risk-based or intelligence-driven parameters and were working towards it.

Conclusion

The session came to a close with Sonia stressing the need to establish a critical incident management programme in order to ramp up cybersecurity in the overall organisational framework.

She re-emphasised how different elements contribute to an incident and that it is important to look beyond the confines of technology. Keep educating and spreading awareness, pick up intelligence from suppliers and partners that are helpful for the organisation in responding rapidly to events in an automated consistent fashion.

Sonia thanked the participants for their wonderful insights and contributions and encouraged them to reach out to her team and her on their CEM journey.