Building a resilient mindset

Zscaler is a Business Reporter client

To have the best chance of minimising the impact of any cyber-attack, organisations must proactively gain visibility into where they are vulnerable.

Resilience is becoming an increasingly important part of how organisations approach cyber-security, as businesses realise the inevitability of attacks and the limitations in only focusing on attempting to stop these.

A Gartner study finds organisations that leverage the principles of resilience outperform their less resilient peers, and build stronger, more adaptable cyber-security programs.

Central to this is the concept of creating a truly Zero Trust mentality, which provides the bedrock for any organisation’s cyber-strategy. “Zero Trust is not a product but a concept,” explains Tony Fergusson, CISO in Residence at cloud-based cyber-security platform Zscaler, who helped develop the theory.

Building a resilient mindset is a core element of Zero Trust, encouraging individuals to take responsibility for cyber-security rather than leaving it to IT teams. This means, says Fergusson, actively involving employees in planning exercises to test the impact of a cyber-attack, so they can see at first hand just how serious an incident can be. “I’ve been inside the war room and people react very differently,” he says. “Some completely freeze and just don’t know what to do. Others step up and take charge.”

Tabletop exercises, where teams of people meet up to tackle fictitious but plausible scenarios to test how they would respond and take away key lessons for future events, can be an excellent way of helping people understand their role and responsibilities. “We need to sit with the people who are going to be in the crisis room and make sure that we have a plan,” says Fergusson. “Often it can get very mixed up in terms of who is doing what, and the result is that not a lot happens.”

Such exercises can then be used to develop specific roles for individuals in a crisis. “One of the other things I’ve found that is we tend to overreact,” he adds. “Sometimes the reaction is to shut everything down. But that can cause even more damage, because maybe some things were still working. Once you’ve turned everything off, it can be difficult to get systems back up and running. That’s not a nice place to be.”

As well as working with employees, organisations need to develop a wider culture of resilience. This means taking a more proactive approach to identifying potential risks rather than relying on more reactive techniques. “Endpoint detection and response and other tools are very much about trying to detect something and respond to it,” says Fergusson. “That time to respond is coming down so much that we need to think about what controls we can put in place. If we can look for where we have risk, then we can mitigate it before something happens.”

A central tenet of the Zero Trust concept is removing the attack surface. “You can’t attack what you can’t see,” says Fergusson. “If I remove my attack surface as an organisation, that is a proactive measure I can take to prevent an attacker compromising my infrastructure.”

Existing technology can also help organisations take more proactive steps, he adds, including a sandbox, which can run an application in a controlled environment to test it, before delivering it to the user. “There’s also now technology such as browser isolation,” says Fergusson. “This means we can isolate the browser in the cloud and only send the pixels to the user, so if there’s a malicious piece of code, it’s not able to run on the endpoint. It removes the attack surface for the user.”

Breach attack simulation tools and even artificial intelligence can also identify where the biggest risks lie, and how these can be mitigated. “We need to find out what is the most important part of the technology that needs to run and make sure we build resilience around it,” Fergusson says, adding that industry standards often only provide a basic minimum in terms of resilience. Once the biggest risks have been identified and mapped, organisations can deploy a risk register and use key performance indicators to drive teams to resolve those.

A resilient mindset also means reviewing how organisations use the technology they do have at their disposal. “Sometimes the problem is the way the technology is used or configured,” Fergusson points out. “If I have a firewall, but I don’t configure policy in it, how resilient am I going to be against attack? That’s where we have a lot of work to do.”

Underpinning all of this is the need for visibility. “That is a superpower,” concludes Fergusson. “If we’re able to mitigate risk before that attacker comes after us, before that network fails or before that person makes a human error, that’s true resilience.”

To find out more about how Zscaler can help your business build a resilient mindset, visit zscaler.com.