Mirosław Maj Says Effective Incident Management Response Is Key
Security is an ongoing process, not a one-time setup
Like all things, cyber security too is dependent on the cultural and social environment.
The strategies, tools and techniques to deal with cyber security issues or to ensure adequate protection are as different as the people who use and implement them.
In spite of industry best practices and repetitive warnings, there’s still a lot of work to be done in terms of fighting cyber threats and mitigating cyber attacks.
If we’d say that it’s an ongoing process, we wouldn’t be wrong.
That’s why we’re on a constant quest to find the best ways to approach the major cyber security challenges that companies big or small are dealing with.
One way to do this is to learn from experience professionals, who have experiences various business environments and can make encompassing, pertinent observations.
We interviewed Mr. Maj on the specifics of the European cyber security context, but also on the security measures that sometimes go overlooked, in spite of their effectiveness (or necessity).
Mirosław Maj emphasized one thing in particular: that we should all be prepared to handle a cyber attack. Not be prepared for the possibility of one, but for the very palpable reality of a security breach.
Let’s see what his thoughts are on the subject.
How is the cyber security sector in Europe different from the US one or the Asian one?
Are there any obvious differences?
Why do you think such differences exist/don’t exist?
Mirosław Maj: I think Europe’s market is something between what we observe in the US and Asia.
In Asia there is a quite wide openness for various products and services from all around the world. On the opposite side – the US market is quite hermetic, and it is based on local product and services. US companies are very active in offering their products all around the world.
In my opinion it is a simple consequence of the strength of the US cyber security companies. This was noticed in Europe, and some countries started to actively invest and promote their solutions. The UK is probably one of the best examples. Hopefully Poland will join this trend soon as we have great potential in this field.
A cyber security strategy is not independent of the general business or technological environment. What do companies overlook – in terms of external influences – when planning their defenses against cyber criminal actions?
Mirosław Maj: I think that the most important thing is to think about the process of the future incident handling.
For years we have all understood more or less the preventive side, but mature and effective incident response activities is the area for improvement.
In planning defenses against cyber crime, companies should understand and plan how they will react. Are they able to manage all things which are related to the types of incidents that are the most characteristic for them?
For example – if a company is a bank – how effective can they deal with a phishing incident, what can they do in terms of taking down a drop zone server, etc.
In fact – in most such cases, the analysis will show that companies need support from external parties. It means they should start to develop their relationships with relevant parties like hosting providers or ISPs and maybe sometimes get regular support from advanced incident management organizations like CERTs.
While cyber security awareness has increased, there is still a lot of work to be done in this area. How have you seen European companies and organizations evolve in terms of cyber security over the past 5 years, since you’ve founded the Cybersecurity Foundation in Poland?
Mirosław Maj: Cyber security awareness is growing but it does not mean the work is done.
The need for it is also growing as more and more risks are around us and all of them should be managed. Five years ago we decided to establish the Cybersecurity Foundation and work with both sectors – private and public – to increase awareness.
After working for 20 years in this business, I understood that there is no better way of building awareness than supporting this process with practical activities.
A good example of it is cyber exercises on a national level,which we started in 2012 – Cyber-EXE Poland. So far we have organized them in three important sectors like energy, banking and telecommunications.
These exercises were great awareness-building experiences, and I can honestly encourage everybody to use this concept for creating awareness in targeted communities. By the way, in our case the exercises were successfully used in reaching media and getting their interest in cybersecurity.
Recently we also heard that maybe the experiences from Cyber-EXE Poland will be used in the preparations for the Olympic Games 2020 in Tokyo.
From your experience, what is one security challenge that companies consistently fail to address?
Mirosław Maj: Let’s try to answer this question on two levels – the challenge for the companies individually and for companies all together.
In the first case, it is what I mentioned earlier – lack of strategy and skills for an effective incident management response. Everybody understands the truism “you cannot be 100% secure“, but only few understand its consequences. The consequences are – you should prepare your organization for a response to a successful breach.
It will happen sooner or later.
If we think about the challenge for companies all together, then the challenge is effective operational information sharing. I know – it is kind of a buzzword in the security world, but I truly believe it is possible.
Why are we not successful with it?
In my opinion, we believe too much that it will happen by itself. It will not. It needs some support. From my experience, the only working concepts of information sharing are those which have an owner for the process of the information sharing. Somebody responsible for facilitating the information sharing. Somebody who knows how to do it organizationally and technically. The concepts of ISAC (Information Sharing and Analysis Center) and sectoral CERT-s (e.g. for banking or critical infrastructure sectors) are definitely worth studying regarding information sharing.
In your expert opinion, what is a class of cyber threats that will most likely become dominant in the next few years and what can companies do to protect themselves against them?
Mirosław Maj: The history shows that we, as the security experts community, fail with successful predictions of the future.
We can not predict what will come, e.g. a real threat for critical infrastructure like Stuxnet. Sometimes we over-predict some things which are attractive and probably some of us would like to work with them – this was the case for almost a decade at the beginning of this century when everybody was predicting a tsunami of mobile platforms threats. For a long time these threats were sporadic.
It does not mean we should not play with predictions – at the end of the day it is quite an attractive awareness tool. So let’s play – I think that the dominant threats will be related to the professionalization of cyber criminals – in both governmental and private ecosystems. This will produce more and more tensions between states and more and more losses, also financial.
The answer to the question how to protect ourselves against them is not easy to answer. Giving specific advice on it will not work. It is more important to understand the process of how it should be managed. If we agree with this approach, then there is nothing new – the solution is good old risk management.
What is important in terms of actors – we have two communities – public and private sectors should meet in this process and work together.
Finally, we should not bury our head in the sand – this action needs money.
Look at the cybersecurity budgets of the US, the UK or a few other countries. They have already understood it.
Actually, these aspects will be one of the main topics of the CYBERSEC Forum organized in Krakow, Poland this year. The place were policy makers and security experts will meet and try to find how to manage all these things. Representatives from various sectors and many countries will bring their knowledge. The organizers have declared the goal of finding conclusions and proposing practical next steps.
What security issues do you think the increasing complexity of software will bring about?
Mirosław Maj: I am not a software security expert, but I always remember the simple correlation between the number of code lines and the number of bugs in it. Of course the proportions between these numbers can change, but it very much depends on how much developers care about quality and security of course.
Everything around us is becoming programmed, so it is more and more important to remember about best practices and standards for developing secure code. A good example of these is SEI CERT Coding Standards developed at Carnegie Mellon University in Pittsburgh.
What is one piece of advice you’d like to give CEOs that would be instrumental to protecting their companies and their employees from cyber criminal actions?
Mirosław Maj: I can advise them to talk to their CIO, who in their company should really understand what DDoS and APT attacks are.
If they are happy to have such people, they should ask them what they do to avoid data leakage from the critical computers, including CEO’s cellphone, or availability of online services.
DDoS and APT are good enough to successfully attack all main security attributes – confidentiality, integrity and availability of information. Loosing one of them could be deadly for a company.
There’s no better asset to have nowadays, in the face of cyber threats, than being prepared for most foreseeable situations.
It goes without saying that you can’t anticipate every potential scenario, but you can train your employees and even yourself to reduce response time and act swiftly in case something does happen.
Looking forward to sharing more similar interview with you. If you have a cyber security specialist in mind you’d like to learn more from, don’t hesitate to share your proposal!