Gamechangers in Resilience: Best Laid Plans

In the fast-paced world of modern business, adaptability stands as the cornerstone of a company’s success. Through the ‘Gamechangers in Resilience’ interview series, we celebrate influential leaders who excel in flexibility and resilience, both in their workplaces and within their communities.

These remarkable individuals not only empower their teams and communities to thrive during challenging times but also serve as inspirational role models themselves. iluminr acknowledges their achievements, shares their experiences, and pays tribute to their unwavering dedication to success, even when confronted with formidable challenges.

October is Cybersecurity Awareness Month, a time when we focus on the critical importance of safeguarding our digital world. At iluminr, we are proud to support this initiative by highlighting the exceptional stories of cybersecurity leaders. These individuals have not only protected their organizations and communities but have also fostered an environment where innovation and growth thrive in the midst of cybersecurity challenges. Their inspiring journeys serve as a testament to the power of resilience in the realm of cybersecurity.

Aaron Sanders has spent nearly 20 years helping to secure organizations large and small across many industries. When not working, you can usually find him behind a telescope practicing astrophotography.

 

Q: Can you share your background and experience in the field of risk, cybersecurity and resilience? What drew you to this field, and what key lessons have you learned along the way?

Aaron: I have nearly 20 years of experience in information security. When I started, information security as a formal discipline was in its infancy, and not many organizations had dedicated security staff. The novelty and excitement drew me to the field. The only constant is change, and it takes a lot of patience, adaptability, and energy to last in this field. I’ve had to secure mainframe telnet connections, containers, and everything in between. The learning never stops.

 

Q: What does cyber resilience mean in today’s ever-evolving threat landscape, and why is it crucial for organizations?

Aaron: Cyber resilience encompasses key tenets of incident management – prevention, detection, response, recovery. It’s how an organization weathers the cyber storms, and how they maximize service availability in alignment with their risk appetite. Our world is increasingly interconnected, and we are highly dependent on so many electronic services. The pandemic was an extreme example of that, but there are smaller issues that occur on a daily basis that can have snowballing downstream implications.

 

Q: Cyberattacks are becoming increasingly sophisticated. What are some of the most common vulnerabilities or attack vectors that organizations should be particularly vigilant about in their cyber resilience efforts?

Aaron: Applications are a common attack vector, and as an industry, we have a good understanding of how to prevent and mitigate those through secure coding, application firewalls, and other relevant controls.

People are another common attack vector, and the security industry is still understanding how to reduce the risk from the human element. There is interesting research on how people struggle to apply training scenarios to real life situations, regardless of the content. We need to continue to focus on training users on the correct things, and improving the training effectiveness.

Q: When developing a cyber risk and resilience strategy, how should organizations strike a balance between prevention, detection, and response? What role does each of these components play in an effective cybersecurity posture?

Aaron: When I first started in information security, I placed high priority on preventative controls.

As I’ve progressed in my career, I’ve learned the importance of detective and responsive controls. Every company experiences security incidents and many experience breaches. Organizations can spend large slices of their budget on preventative controls and still be impacted.

Severity management is a large goal in information security – reduce the number of incidents that turn into breaches, and reduce the number of breaches that turn into material breaches. Effective detection and response are critical components of that goal and key to service availability during an incident.

 

  

Q: Cyber risk and resilience often involves people, processes, and technology. Can you share some best practices for ensuring that these three elements are aligned and integrated seamlessly to enhance an organization’s ability to withstand cyber threats?

Aaron: We often say people and processes fail, not technology. It’s an overstatement to say that technology doesn’t fail, but certainly people are a primary source of risk through social engineering, misconfigurations, and other elements of human error. Improving user training, assuring users know how to identify and report potential incidents, and having trained responders are key to being able to maintain services and recover during and after an incident.

 

Q: Third-party vendors and supply chain partners are often sources of cybersecurity risk. What strategies can organizations employ to assess and mitigate these risks while maintaining strong working relationships with their partners?

Aaron: I’ve been involved in third-party risk since the beginning of my career, long before it was its own specialized subset of information security. Third Party Risk Management is so hard to get right, but it starts with developing a third-party criticality rating system to identify your key third parties.

Most companies can’t adequately assess all third parties and need to implement a tiered assessment approach, so knowing which ones are critical assures assessments are properly focused. The assessments are difficult, because many companies will not accept right-to-audit contract language, and the third-party assessment platforms often find risks that aren’t material or don’t impact the services the vendor provides to a particular customer.

Audit reports are helpful, but they’re generally point in time, and I have yet to have a vendor provide me with a failing audit report.

I can see the industry trending more toward contract language to manage liability, and organizations focusing on mitigating controls to reduce and isolate third-party risk as much as possible.

 

Q: Cyber resilience is an ongoing process that requires constant adaptation. What are some emerging trends or technologies in cybersecurity that organizations should be aware of and consider integrating into their cyber resilience strategies to stay ahead of threats?

Aaron: Liability management and risk transference are interesting trends to watch.

Creating financially viable cyber insurance products is difficult given the rate of impactful incidents. It’s possible insurers will walk away from the cyber insurance market, much as some have stopped offering homeowners insurance in Texas and California. Organizations may need to manage liability across the contract portfolio, which is unwieldy.

On the technical side, ransomware continues to be a surging threat. When attackers were focused on exfiltrating data for use or sale, they had to work with a certain amount of caution. But when they’re willing to burn the place down, there can be some reckless abandon.

You can financially settle breaches, but if all of your systems and backups are destroyed, it can mean the end of your business. Staying on top of emerging best practices (redundant providers, immutable backups, etc.) is critical.

Q: What is the leadership playbook you are writing for yourself in real time?

Aaron: I’m naturally an introvert, so I have been reading books on how introverts can lead and be heard. My playbook is better understanding myself and others so I can be a more effective leader and communicator. There is no single correct way to lead, and leaders need to understand what approaches work best for their personality and style.

 

Q: How do you apply the lessons of resilience in your own life?

Aaron: Resilience and adaptability are keys to human success and survival. Bad things happen to everyone; how you prepare and respond is what is important. An example now is the rise of AI posing a threat to jobs.

Take time to detail multiple plans of action – primary and failsafe plans, long- and short-term plans. Continue to refine plans as the landscape changes.

And remember that despite the best laid plans, bad outcomes happen. Know how to dust yourself off and get back up again.