Six Degrees CISO Paul Rose assesses risk and risk tolerance following the pandemic and how to build a resilient organisation in a world of evolving security threats.
Operational resilience is now a top priority for business leaders and since the pandemic Six Degrees’ tolerance level has had to change ‘drastically’. “As with many other companies we moved quickly to remote working and had to rely heavily on cloud solutions,” stated Rose. “This raised the risks that came with redefining where our perimeter started and ended, who had access to the data we retained and controlling the supply chain around that. Our biggest risks have been the expansion of our borders and data handling.”
Risk tolerance during the pandemic highlighted several areas that companies had not considered. For example, many company perimeters were extended to home users’ infrastructures, exposing them to shared Wi-Fi networks, shared laptops or PCs and unfiltered Internet access. If remote access into corporate systems wasn’t set up correctly the possibility of malware traversing these networks and infecting centralised systems increased. The pandemic also brought data handling issues to the fore, where users access sensitive data from locations where it would not have been opened before.
Rose commented: “I find myself being asked the same questions from many customers – how do we reduce our level of risk in this new world? And how can companies best leverage new technologies and new ways of working? I want our customer base to sleep easy at night knowing that we are using innovative methods alongside changes in policy and procedure to combat threats.”
Our biggest risks have been the expansion of our borders and data handling
The pandemic has prompted Rose to consider risk in more of a strategic context that includes the organisation’s wider aims and objectives. “With the change in the way companies now operate strategically you have to think about the change in people and policies on new rules for staff,” he explained. “You need to consider technology and the tools needed to control the new boundaries of your estate, and new processes that ensure adherence to these controls and how you react in the event of an incident.”
Six Degrees has addressed the expansion of its borders and data handling risks by changing its policies to reflect more in-depth controls. “This includes a heightened level of audit, not accepting self-certification and requiring much more evidence as proof of cyber security controls,” said Rose. “We have implemented new technologies (such as Microsoft Defender for Cloud and Defender for Endpoint) that provide us with a much more detailed, holistic view of end users’ activities. We have also implemented playbooks and procedures to ensure that our incident management is up to date and tested regularly.
“Where possible these areas have been addressed by ensuring that people experience little change in the way they do things and solutions are implemented sensibly and seamlessly. For instance, multi-factor authentication is used throughout the business. This has been in place for several years and using it significantly reduces the risk of unauthorised access. Tools such as Defender for Endpoint are deployed automatically and as far as the end user is concerned they can go about their daily operations with minimal, if any, disruption.”
Rose now has telemetry on each user’s laptop or phone and he can make informed decisions about actions that may need to be taken. “We have automated playbooks that have reduced time to remediate issues and minimised (where appropriate) the human element of incident management,” he added. “This means that in the event of an incident decisions are made much quicker.
“The areas that we need to focus on now is the move to a zero-trust strategy, which we are beginning to do. We have implemented some areas of this with respect to policies in our cloud solutions but not across the board. This is the future and it will eradicate many of the issues that networks face.”
Rose enjoys 100 per cent support from the entire Six degrees C-suite. They understand that its strategy of ‘secure by design’ is first and foremost. “I can count on their support, their sign-off and ultimately if required the finances to support our strategy,” added Rose. “If I can give one piece of advice to any C-suite individual it would be to understand the risks fully. Having a workforce that is fully aware of their responsibilities, adheres to policy and knows that the business takes cyber security seriously is key.”