Ever heard of Captain Richard de Crespigny? He may not be a household name like Captain Cook but he is no less of a hero. de Crespigny was the pilot who successfully steered an Airbus A380 to safety after it suffered engine failure over Singapore in 2010. His actions saved 469 lives.
I recently read his tell-all book, which reflects on his time in the cockpit, his beliefs on the hallmarks of a modern leader, and how to build resilience in the face of adversity. “You must protect your team. You have to enable your team. A good leader will give the team the skills, roles and tasks so they can’t fail,” de Crespigny warns.
These words are abundantly true when it comes to cybersecurity in the organisation. Whether it’s investing in next-gen solutions, rolling out cyber training for employees or adopting advanced architectures, management must give the wider business — not just the security team — the tools they need to defend themselves in the fight against cybercrime.
The cybersecurity industry is locked in an arms race. The relentless evolution of the threat landscape has placed an onus on organisations to innovate faster than their adversaries. On one side, cybercriminals are wielding sophisticated attack techniques, creating new types of malware daily. On the other side, enterprises are educating employees on cybersecurity best practice and turning to new models to protect against evolving threats.
One of the emerging models is Zero Trust, often summarised as “never trust, always verify”. Instead of treating everything inside the corporate network as trusted, IT teams verify the identity of every user and device, and the legitimacy of every request, regardless of whether it originates inside or outside the network. That renders the perimeter mentality redundant: trust is never assumed from network location; it must be established, and re-checked, for each access. When I talk to CEOs and boards I tell them that it is not only the hooded cyber-bandit that can hack your business. A disgruntled employee is just as grave a risk, and because internal threats are difficult to detect they can cause more lasting and significant harm. Faced with an ever-expanding attack surface, adopting a Zero Trust model requires the complete support of management, who must provide the wider business with the resources required to keep attackers at bay.
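To make the contrast concrete, here is an added illustration in Python (not code from the original article) comparing a perimeter-style access check, which trusts anything on the corporate network, with a Zero Trust policy evaluation that ignores network location and checks identity, authentication strength, device posture and a per-resource least-privilege policy. The corporate IP range, user names, roles, resource names and sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Constructed example: a "corporate" range that a perimeter model treats as trusted.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed role assignments and per-resource policies (hypothetical names).
ROLES = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
}
POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "compliant_device": True},
    "wiki": {"roles": {"staff"}, "mfa": False, "compliant_device": False},
}


@dataclass
class Request:
    source_ip: str
    user: Optional[str]       # identity proven to the policy engine, None if unauthenticated
    mfa: bool                 # strong authentication completed for this session
    device_compliant: bool    # device posture attested as meeting policy
    resource: str
    action: str


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: anything on the corporate network is trusted, nothing else is."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in CORPORATE_NETS)


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero Trust model: network location is ignored; every request is checked
    against identity, MFA, device posture and a per-resource policy, default deny."""
    if req.user is None:
        return False, "unauthenticated"
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource, default deny"
    if policy["mfa"] and not req.mfa:
        return False, "MFA required"
    if policy["compliant_device"] and not req.device_compliant:
        return False, "non-compliant device"
    if not (ROLES.get(req.user, set()) & policy["roles"]):
        return False, "role not authorised for resource"
    return True, "allowed"


# Constructed sample requests illustrating where the two models diverge.
SAMPLE_REQUESTS = {
    # Unauthenticated host plugged into the office LAN (rogue or compromised machine).
    "lan_unauthenticated": Request("10.1.2.3", None, False, False, "payroll-db", "read"),
    # Insider with only a staff role, on the LAN, reaching for data outside that role.
    "lan_insider": Request("10.1.2.4", "bob", True, True, "payroll-db", "read"),
    # Finance user working remotely from a managed, MFA-authenticated device.
    "remote_finance": Request("203.0.113.10", "alice", True, True, "payroll-db", "read"),
    # Same remote user, but from an unmanaged device.
    "remote_unmanaged": Request("203.0.113.10", "alice", True, False, "payroll-db", "read"),
}


def compare(name: str) -> Tuple[bool, bool, str]:
    """Return (perimeter_allows, zero_trust_allows, zero_trust_reason) for a sample request."""
    req = SAMPLE_REQUESTS[name]
    zt_ok, reason = zero_trust_decision(req)
    return perimeter_decision(req), zt_ok, reason


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        p, z, reason = compare(name)
        p_txt = "allow" if p else "deny"
        z_txt = "allow" if z else "deny"
        print(f"{name:20s} perimeter={p_txt:5s} zero_trust={z_txt:5s} ({reason})")
```

The first two requests are the insider cases from the paragraph above: the perimeter model waves them through because they come from the LAN, while the Zero Trust policy denies one as unauthenticated and the other as outside its role. The remote finance user shows the reverse: legitimate work from outside the network is allowed once identity, MFA and device posture check out, and refused when the device does not.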
A top-down approach
The Zero Trust model promotes a more holistic approach to information security and puts a special focus on people, processes and technologies. Adopting the model successfully requires a shift in organisational mindset and this must start from the top.
It is here that the learnings from de Crespigny come to the fore. Historically, organisations have dealt with cybersecurity through varied means. The most common method I have seen is a bottom-up approach, in which the security team initiates the process and then propagates its findings upward to management. This has not always been effective: if management are not interested in the details, such as what the latest strain of ransomware is and how best to protect against it, the result is disengaged leadership and an ineffective security programme.
The reverse, a top-down approach, has in my experience proven highly successful. Here management become the true leaders: they understand the seriousness of the threat landscape and initiate the process, which then systematically percolates down to the wider business. Just as de Crespigny did in his moment of crisis, it is up to management to lead by example and inspire cooperation across the wider business. Leaders who cannot build teams will not survive; teamwork is an essential part of resilience.
Secure by design
When developing a Zero Trust model, secure-by-design principles such as least privilege, default deny and explicit verification of every request must be factored in from day one. This is easier said than done. With workforces on the go, employees access applications from multiple devices and from multiple locations, and for organisations to remain competitive those applications must work seamlessly and quickly.
Speed-to-market pressure within the software development pipeline means security considerations often get overlooked, and attackers will find and exploit the vulnerabilities that slip through. DevOps and security operations teams need to work more closely, as a DevSecOps team, building the tooling that enables secure digital transformation. Security cannot be an afterthought or ‘tagged on at the end’. Organisations need to understand that everyone is responsible for security, from front-line staff to the CEO and right up to board level.
There are many learnings from de Crespigny that management can apply to cybersecurity. Just as pilots are responsible for controlling the aircraft and dealing with crises, management are responsible for navigating their organisation through a changing security landscape. As de Crespigny preaches, leaders need to protect and enable their team. Management must equip the organisation with the resources required to build resilience and defend against the constant barrage of cyberattacks.