Exploring the Cyber Commander’s Role in Enhancing Cybersecurity Governance

Author: ISACA Now
Date Published: 27 March 2024

Editor’s note: The ISACA China Hong Kong Chapter was recently invited by The Hong Kong Police Force to deliver a panel discussion on “Cyber Commander’s Role in Enhancing Cyber Security Governance” as part of the five-day program of INTERPOL’s “Cybersecurity Command Course 2024.” The ISACA panel consisted of Chapter President Eugene Ha (Deputy Managing Partner of Grant Thornton Limited), Freeman Ng (Chapter Director of Program; Co-founder & Principal Consultant of iSystems Security Limited) and Maverick Tam (Chapter Director of Certification; Chief Risk Officer at Hong Kong Interbank Clearing Limited), and was moderated by Welland Chu (Chapter Secretary & Vice President of Certification; Alliance Director, APAC of Thales). The ISACA team enjoyed the exchange of thoughts with law enforcement agencies from various countries/jurisdictions, including Azerbaijan, Bahrain, China, Hong Kong, Korea, Macao, Morocco, The Netherlands, Singapore and Thailand. The following is a summary of the panel discussion:

Welland: Cybersecurity threats are prevalent in all societies. This poses a significant risk to the public and can have national security implications. Experts from the panel will share thoughts on how best to establish and continually enhance cyber security governance. Their insights will empower the audience to better prepare against cyberattacks, especially in the ever-evolving landscape of changing times.

What are the emerging threats?

Eugene: Organizations including INTERPOL and ISACA have been tracking the trend of cybersecurity risk. For example, back in 2019 when the world was disrupted by the COVID pandemic, the organizations predicted the rise of malicious activities including ransomware attacks, as more workloads were conducted remotely by organizations and individuals. While ransomware attacks will remain prominent, recent surveys from reputable organizations like the World Economic Forum, Gartner and Forrester have highlighted several cybersecurity risks that will impact our society.

Freeman: Rising geopolitical tensions and political competition may escalate attacks on critical infrastructure and supply chains. The increasing use of AI poses additional risk as it can be utilized by both security professionals and criminals. AI can aid in fraud detection but also enables social engineering with deep fakes and stealthy AI malware. Effectively, AI is accelerating the security arms race.

Maverick: As one of the critical infrastructure operators, we consciously monitor trends on cybersecurity. Other risks we observe include those associated with emerging technologies such as cloud, supply chain, regulatory compliance, etc.

As users of these technologies, it is important to note that while we rely on third-party providers for use of their products and services, we assume the ultimate accountability for our own controls and actions. In other words, responsibility cannot be outsourced.

What would be an effective way to convince the board and senior management to invest in cybersecurity?

Eugene: It is common to hear organizations both in public and private sectors say that they cannot afford cybersecurity – until they get hacked. To gain buy-in from the board, it’s crucial to consider cybersecurity from their perspectives. Most boards and senior management teams tend to prioritize the bottom line and reputations. Addressing cybersecurity concerns through these lenses can be effective:

  • Direct business impact: Consider financial, operational, legal and reputational consequences.
  • Company valuation: For instance, during Yahoo’s sale in 2017, Verizon reduced its bid price by US$350 million due to data breaches.
  • Stock value decline: A recent report shows publicly traded companies suffered an average decline of 7.5% in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion.
  • Damaged customer relationships: Another report shows that after a data breach, 21% of consumers may stop using the affected company.
  • Personal liability: In some jurisdictions, such as South Korea, Singapore and the US, management can be held liable for negligence in cybersecurity matters.

What are the common causes that contribute to lapses in security?

Freeman: Navigating the challenges posed by competing priorities, complexity and limited awareness and skillsets requires a strategic approach. Identifying the root cause is pivotal. Organizations can enhance their cybersecurity posture through targeted improvements:

  • Governance and risk management: Strengthening policies, accountability and risk assessment frameworks
  • Training and Certifications: Equipping personnel with the necessary knowledge and skills to tackle evolving threats

By addressing these foundational elements, businesses can proactively safeguard their digital assets and maintain resilience in an ever-changing landscape.

What is governance and how do the roles and responsibilities of cyber commanders contribute toward cybersecurity governance?

Maverick: With reference to the COBIT framework, good governance helps align corporations’ actions with their objectives, manages risk and improves operations in effectiveness and efficiency. Cyber commanders play a pivotal role in safeguarding a nation’s critical infrastructure. They set, agree upon and share objectives to ensure all actions are aligned for the desired outcome, with periodic reviews for realignment. They are tasked with developing, implementing, and updating security policies to prevent unauthorized access, theft and damage. The organizational structure is fortified by three lines of defense.

Risk management is crucial; cyber commanders identify risks and develop mitigation strategies while adhering to international standards like PCI-DSS and IEC 62443, and local cybersecurity laws and regulations.

Security operations management involves monitoring, incident response and vulnerability management to enforce security policies effectively. Human factors are noted as a significant source of cybersecurity incidents. Collaboration with stakeholders across different sectors ensures that security protocols are comprehensive and adaptive.

Cyber commanders also lead security awareness training programs to educate employees of critical infrastructure operators and the general public on best practices for protecting sensitive information against cyber threats. Operations’ effectiveness is assured by aligning the right people, technology and processes while continuously reviewing budgets to optimize resources efficiently.

In terms of budget, recent studies show security occupies 5%-25% of the IT budget. This is quite a wide range, higher during the startup phase and for regulated industries and lower when organizations stabilize and attain better cybersecurity postures.

What are the practical ways to enhance cybersecurity governance?

Freeman: Cybersecurity governance can be enhanced by focusing on several critical areas:

  • Culture: Emphasis is placed on creating elite teams for defense and protection. They operate within legal boundaries and privacy ordinances.
  • Risk management: Identifying and managing risks to the country’s IT/OT infrastructure are critical components, as well as relevant regulations and standards.
  • Structure: Organizational setup includes roles like cyber commander, team leaders, cybercrime analysts, intelligence analysts, investigators and digital forensic examiners. Use talent metrics to ensure a robust talent pipeline.
  • Capacity building: Technology convergence and global partnership are key focus areas. Make use of standards – for example, USCYBERCOM sets joint cyber kit standards (e.g., Deployable Mission Support System, DMSS). Public/private collaboration enhances collective resilience.
  • Specialization and innovation: Combine AI, big data and dark web keyword searches. Threat intelligence graphs (AI-driven Maltego-like tools) are leveraged to aid actions/task forces. Adaptive honeypots attract and analyze malware.
  • Education and training: Leverage universities and educational institutions as talent pipelines. The Persistent Cyber Training Environment (PCTE) offers flexible online training. Competitions and challenges can foster inter-team collaboration.

How does ISACA help?

Maverick: ISACA offers a range of certifications and cybersecurity courses such as digital forensics, penetration testing, threat hunting, vulnerability identification and analysis, and auditing. These certifications and courses can help law enforcement agencies and critical infrastructure operators develop a deep understanding of and proficiency in cybersecurity. By completing the relevant certification programs, officers in law enforcement agencies and critical infrastructure operators can gain insight into the principles of data and technologies that frame and define cybersecurity, its language, and the integral role of cybersecurity professionals in protecting enterprise data and infrastructure. This knowledge can help organizations better understand the threat landscape and develop more effective security strategies.

Final thoughts?

Eugene: We should always remember that we are humans, and we have more wisdom and creativity than any technology. However, we should also leverage the technology to assist us in the domains that were inaccessible to us before. By reducing the cybersecurity risk, we hope that the community can benefit from both the advanced technology and the human potential to create a more peaceful world.

Freeman: Cybersecurity governance shapes the future of cyber defense. The cyber command team’s culture, risk management, legal adherence and structure form the backbone of your cybersecurity efforts. Innovation, capacity building, and global partnerships guide cybersecurity’s dynamic world. Utilize AI, big data and advanced tools, while prioritizing continuous education and training. Cyber command is the vanguard in this complex, evolving cyber space, moving forward with courage and innovation.

Maverick: Close collaboration between cyber command and industry, such as threat intelligence and information sharing, and joint cyber response drills, is critical in improving the overall preparedness for cyberthreats.