Dr Almerindo Graziano
There are three tough, yet important questions which every CISO should be able to answer when assessing and measuring the cyber resilience of their organisation.
These questions are: Are you prepared to respond to a cyber-attack? Will you be able to detect it in time? Will your response be quick and effective?
This was the word from Dr Almerindo Graziano, CEO of Silensec and CEO of Cyber Ranges, presenting an address titled: “Measuring national cyber resilience with TOAR”, at the ITWeb Security Summit 2022 this week.
Silensec, a multinational information security technology and consulting firm and Cyber Ranges offers organisations beginner-to-expert experiential learning paths in cyber security.
Graziano has over 20 years of experience in information and cyber security, ranging from developing one of the first university master programmes in the UK in 2005, to security consultancy and strategic advisory for private and government organisations across Europe, Africa, Middle East and Asia.
Effectiveness of controls, processes
According to Graziano, one of the key challenges faced by every organisation today is measuring the effectiveness of their security controls, processes and ultimately the abilities of their security staff in managing security incidents.
One way of detecting a CISO’s preparedness for any cyber attack is being able to answer these three pertinent questions proactively, he advised.
“The reality is that most companies have either already suffered a security incident or they will likely be attacked in future. So, can your organisation sustain an attack?
He says the second question, of whether an organisation will be able to detect a cyber-attack in time, is not a simple one. “This is because many organisations only detect a breach a long time after it has taken place, and by then, the theft and damage has already been done. Therefore timeous detection is paramount,” he explained.
Once the organisation has detected a breach or an attack, they should be able to respond effectively and quickly. It all boils down to how quickly it can be detected and how effectively they respond, he continued.
Validation and assessment
One of the many reasons that today’s CISOs may not be able to answer these questions, could be because the company’s validation and assessment processes do not come as frequently as they should. Oftentimes they only come through the compulsory audit compliance requirements and internal checks, which don’t happen regularly, he stated.
Another reason might be that the organisation lacks visibility of its controls and processes, which boils down to assessment and validation processes.
“This is exactly the same approach that a student would take when they study for an exam in university – they can study all they want and rehearse the content, but the only assurance that that they know the subject matter is when they pass the exam.
“When it comes to cyber security, you may have security training programmes for people, but what is equivalent to an exam within an organisation, is being able to adequately respond to a security incident or attack.”
As part of his presentation, Graziano introduced the audience to TOAR (training orchestration, automation and response), a vendor-agnostic platform based on next generation tools, to help organisations to regularly assess their cyber resilience, and validate incident response capabilities ahead of real attacks.
Cyber Ranges provides the TOAR-enabled app-built simulation platform that provides a fully-featured sandbox environment.
“Peoples abilities and experiences are recognised as key to competence development, beyond the supply and acquisition of mere knowledge and skills. Competence being the behavioural cornerstone of the ‘human firewall’ and the ‘human perimeter’ that underpin an organisation’s cyber resilience,” he concluded.