

Departmental Responsibilities
Human Resources
Let’s start with the relatively easy part.
- Develops and maintains staff identities (full-time, part-time, contracted, partner) within the system for use with IT systems, including roles, access authority and least privilege.
- Establishes a policy-based identity for each user based on role, organization, authorization (privilege level, clearance, position), status (approval and expiry) and access (system and admin level, device, network, location, application, and data stored, moved, copied and created) such that the Identity Management System functions effectively.
- Policing: Penalties and Incentives
- Sets AND applies contractual penalties for breach of policy; without these, such policies and agreements have no value.
- Conversely, and to lighten this up somewhat and get away from the secret-police effect, it is good practice to reward good behavior and the reporting of questionable behavior.
- Implements and requires signing of the Acceptable Use Policy (AUP) authored by IT/CSO/CEO.
- The AUP must cover several areas that apply to all user categories with access to corporate data, e-mail or corporate social media, or who otherwise represent the organization.
- It specifies constraints and limitations, especially on access to and response to incoming e-mail, external links and external software applications.
- It includes properly enforced access control to company data, networks and systems, dependent on role and need to access, and to the use of corporate compute resources. Note: HR is likely already cognizant of, and tracking, privacy regulations that may be applicable [16].
- It includes agreement to the distributed workforce policies covered later.
- It includes agreement to have access monitored and controlled by management systems.
- Physical access, including unattended compute resources, should also be covered.
- Use tools to track AUP signatures and even test knowledge of what was signed.
- Supervises, Tracks and Manages Staff/Contractor Security Training
- These policies are intended to be dynamic. HR/CSO communicate to the parties as policies evolve, repeat training if needed, and gather feedback.
Insider Risk Management – Attacks from Within
Now let’s look at the highly sensitive topic of cyberattacks being deliberately or accidentally triggered by, or with the active participation of, staff members, contracted staff, contractors or outside companies who have had access to systems. This unfortunate situation is on the increase. Such attacks might be for financial gain, with the crimes of bribery, extortion or blackmail coming to mind.
The higher the level of administrative privilege, the more damage is likely. Incidents range from deliberately flouting the policies intended to prevent Business E-mail Compromise (“BEC”) through to carelessly responding to phishing attacks. The rationale is equally wide. Since this is really a people problem rather than a technical one, it is important to understand the “whys.” Careless versus deliberate misuse is the first separation; after that, the specific reasons matter less. Next is to examine what is being attacked. It is one thing to disrupt software and another when medical, utility or city systems are attacked by insiders.
When you catch the insider, your evidence must be watertight before going public; if not, you are in for a long and expensive legal fight. If you plan to remove someone, they must be disempowered (credentials revoked, sessions terminated, physical and remote access removed) before they are removed. It is important to plan out the chain of command and the other aspects of holistic security. It is also important to make it clear that you have a policy, so that it is evident you have protection against accidental as well as deliberate breaches.
Big Data Is Protecting the Organization
It is critical that monitoring does not default into some kind of “big brother is watching you” that disaffects all employees, the last thing you need. The most commonly exposed assets are personal information, health information, authentication credentials, client data and intellectual property, but there are many more. Therefore, what matters is not only to log employee access but also to make it known that access to the corporate network is logged for the organization’s and the client’s/customer’s protection, no matter where that access is from (including from home or outside locations). Monitoring access is a key part of automation and Zero Trust networking, as we show later.
The reasons are less important than what, if anything, can be done to prevent these attacks. There are reports on how to set up “Insider Threat Programs,” including hiring dedicated staff and paying staff to report a colleague’s suspicious behavior. Let’s start with a few simple ideas.
Risks Aimed at Insiders
Those most vulnerable to inadvertent insider attacks are, unfortunately and unsurprisingly, the executive team itself. They are attacked when working in unsupervised situations at home, in hotels or in coffee shops. The earlier section “The Home is a Dangerous Place to Work” lists vulnerabilities where the executive team is especially targeted, not randomly but deliberately. This is serious stuff. It underlines the importance of applying the principle of Least Privilege (covered a little later) to ensure that rank in the organization does not imply an access right. The executive team is itself part of the attack surface, and there are specialty companies providing protection for it.
Hiring Polices
The days when recruiting companies would vet potential employees are long gone in the wake of privacy laws and successful lawsuits when things went wrong, so good luck with asking about or digging into a candidate’s past. If you think you are adept at knowing when a candidate is being truthful, you are probably mistaken. Malcolm Gladwell’s entertaining 2019 book “Talking to Strangers” [18] describes how poor most of us are at telling when someone is deliberately lying.
In Section 7 we look in detail at the issues of Identity and Access Management, but next we look at how HR must deal with access and least privilege when staff access systems.
Access Policies
It can be obvious to colleagues when something doesn’t feel right, but the most practical approach is not to trust but to validate and measure:
- Deploy Zero Trust principles to automate the management of identity, authentication and access control. Then monitor, report and possibly quarantine abnormal requests: access to systems that are out of scope for the role, requests outside of normal hours, or sessions lasting longer than policy allows. Identity and Access Management is the number one priority.
- Deploy e-mail security filtering (anti-phishing and anti-BEC) to detect and filter out incoming phishing attacks and messages known to carry malware. This can make an enormous difference.
- Deploy outbound controls too: monitor outgoing e-mail (data loss prevention) and web access to sites known to host malware. Constantly monitor incoming AND outgoing mail and internet access.
- Be vigilant and determined that security policies are followed by all. Only work with contractors who hold similar standards.
Least Privilege
Limiting all staff, contractors and anyone else having access to the organization’s resources to the least privilege required to perform their functions is a big step forward, especially when combined with identity and access management and with policy- and role-based processes that implement Zero Trust principles. This daunting, manual task can be largely avoided by using, where possible, automated tools to assign least privilege by class of user.
The principle of least privilege is the idea that any user, program or process should have only the minimum privileges necessary to perform its function, governed by the confidentiality, integrity and availability requirements of what it touches. Examples might be that only certain individuals have the right to reply to customer e-mails, or that certain data can only be accessed at certain times.
As part of any risk assessment, policy and authentication process, all of which may well be subject to auditing, it is important to track the privileges that are granted across the board. As with many other topics in this book, the idea is to strengthen the weakest links in the system and deflect criminals to softer targets. Taking a military-style positive-vetting approach to the above may be the best practical advice. Least Privilege is discussed again under Identity & Access Management.
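The following is an added example, not code from the book, showing how the access-policy bullets and the least-privilege examples above can be expressed as one policy: privileges are assigned per class of user (role), a request outside the role’s scope is denied, and a request that is in scope but outside working hours or longer than policy allows is quarantined for review rather than silently allowed. The roles, users, working hours and access-log lines are all hypothetical and constructed for illustration.

```python
"""Role-based, least-privilege access decisions with anomaly flagging.
Added example, not from the book; roles, users and log lines are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Role:
    name: str
    allowed: frozenset        # (resource, action) pairs this role may perform
    hours: tuple              # (start, end) of the approved working window
    max_session: timedelta    # longest access duration policy permits


# Privilege is assigned per class of user, not per person (hypothetical roles).
ROLES = {
    "support": Role("support",
                    frozenset({("crm", "read"), ("mailbox", "reply")}),
                    (time(8), time(18)), timedelta(hours=10)),
    "finance": Role("finance",
                    frozenset({("ledger", "read"), ("ledger", "write")}),
                    (time(7), time(19)), timedelta(hours=12)),
}
# Identity-to-role mapping that HR maintains (hypothetical users).
USERS = {"alice": "support", "bob": "finance"}


def evaluate(user, resource, action, when, duration):
    """Return (decision, reason); decision is 'allow', 'deny' or 'quarantine'."""
    role = ROLES.get(USERS.get(user))
    if role is None:
        return "deny", "unknown identity"            # no role means no access
    if (resource, action) not in role.allowed:
        return "deny", "out of scope for role"       # never permitted: hard deny
    anomalies = []
    start, end = role.hours
    if not (start <= when.time() < end):
        anomalies.append("outside working hours")
    if duration > role.max_session:
        anomalies.append("session longer than policy")
    if anomalies:
        # Authorised in principle but abnormal: hold and report for review.
        return "quarantine", "; ".join(anomalies)
    return "allow", "policy match"


def review_line(line):
    """Parse one access-log line and evaluate it.
    Constructed format: '<ISO timestamp> <user> <resource> <action> <minutes>'."""
    ts, user, resource, action, minutes = line.split()
    decision, reason = evaluate(user, resource, action,
                                datetime.fromisoformat(ts),
                                timedelta(minutes=int(minutes)))
    return user, decision, reason


def review(lines):
    """Evaluate every non-empty log line; returns [(user, decision, reason), ...]."""
    return [review_line(line) for line in lines if line.strip()]


# Constructed sample log, one access request per line.
SAMPLE_LOG = """\
2024-03-04T10:15:00 alice mailbox reply 30
2024-03-04T22:15:00 alice mailbox reply 30
2024-03-04T11:00:00 alice ledger write 5
2024-03-04T09:00:00 bob ledger write 780
2024-03-04T12:00:00 mallory crm read 10
""".splitlines()

if __name__ == "__main__":
    for user, decision, reason in review(SAMPLE_LOG):
        print(f"{user:8} {decision:10} {reason}")
```

Running it over the sample log gives one allow (alice replying to mail during the day), two quarantines (alice replying at 22:15, bob holding a ledger session for 13 hours) and two denies (alice attempting a ledger write her role never permits, and an identity HR has never provisioned). The split between deny and quarantine is the design choice worth copying: out-of-scope requests should never succeed, while an anomaly by an otherwise authorised user is a signal for a human to look at, not an automatic lock-out.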
Distributed Workforce
Working from home became the distributed workforce and then the hybrid workforce as the distinctions blurred. By then it had to encompass branch-office working, hotel and coffee-shop working, and contractor or “staff on demand” scenarios. Bearing all of this in mind, the key is the separation of work-related computing from everything else, so that business can be conducted with corporate security separated from consumer and IoT devices. What goes on beyond the “sliced” connections is out of scope for this work. To keep it relatively simple, the diagram below shows how two compute devices are kept separate from what they connect to and from each other.
The separation can be achieved in several ways: the devices are separated from each other (physically or virtually); the network connections are sliced via different services; traffic runs encrypted over one or more virtual connections; or a VPN carries all or some of the connections. The main point is to ensure that the separation is done deliberately and that the home network is not simply left open.
Outsourcing/delegating. If you outsource your HR, it is critical that the provider understands everything covered here and that their systems are properly vetted too, in terms of protecting your data, to avoid creating a weak link.
A return to the office is inevitable for most, but working from home several days a month seems a likely and permanent legacy post-Covid. Hence the cautions and precautions of the hybrid workforce will need to persist, or weak links will develop.
Legal/Admin/Finance/Governance
Legal Counsel
Accountability and responsibility for the integrity of the organization’s compliance with its legal requirements fall upon the legal department, assuming it has one. The protection of client, customer and third-party data is critical, with exposure potentially leading to terminal financial consequences for the company and for the employment of its leadership. For this reason, the legal team must take responsibility for actual compliance with GDPR/CCPA regulations and not just pay lip service.
- Critical is ensuring that all policies are legally sound, conform to legal requirements and are defensible.
- Responsible with the CSO for auditing the implementation of public or implied GDPR/CCPA privacy statements, ensuring actual compliance.
- Responsible with the CSO for auditing policy implementation and compliance with NDA and other HR requirements.
- Responsible with the CSO for tracking legal actions observed to result from ransomware attacks, and adapting processes accordingly.
- Primarily, legal involvement is called upon to deal with the consequences of data breaches.
- Often any insurance will limit the risks; know what the policy covers and what it requires of you during an incident.
- Ensure that there is clarity on who is notified and what is transmitted when a breach occurs.
- Bring in expertise when data breaches occur.
- Consider even making nuisance payments if the data loss has already been mitigated.
- Regulatory changes: compliance drives, increased compliance reporting to the government.
Outsourcing.
Except in very large organizations, legal and tax services are typically outsourced, and those providers can also access critical privacy-related data. Therefore, it is critical that they understand everything covered here and that their systems are properly vetted and audited in terms of protecting your data, to avoid creating another weak link.
Finance
- Work with the CFO and executive team on the financial model required to implement security.
- Work with the CFO to present and track the resulting business case.
Procurement: Checking out the Vendors & Providers
Work with the IT department to ensure that vendor selection is made with cybersecurity in mind: require vendors to disclose any breaches they have had and how they were handled, check that they have a good reputation and good references, that they have minimal contact with sensitive data, that they can work with your current systems and that they respect your privacy policy. Obtain guarantees for incident response and all related materials. The key is assigning risks and responsibilities in advance should incidents occur; it just means you need to think it through so that you are prepared.
Governance and the Impact of GDPR
Policy Enforcement: Do you comply? The General Data Protection Regulation (GDPR) [8] sets out 7 key principles:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
Governance and the Impact of CCPA
Absent a federal law, the California Consumer Privacy Act (CCPA) has become the de facto standard in the US. It has similarities to GDPR but lacks some of GDPR’s accountability features. A comparison may be found here [9].
Sales, Customer/Client Support
The nature of sales and support determines how and where customer data is held. Where possible the question should be: can the identities of my customers/clients be managed anonymously, or via a trusted third-party company that uses this work to verify that trust? OK, so Sales doesn’t have much responsibility for cybersecurity, right?
Unfortunately, it does. Sales, Management, Customer Support and Marketing are all users of Customer Relationship Management systems (CRMs). There are at least 10 such systems in common use, with Salesforce.com a typical popular choice. Rather like websites, users can add in plugins from outside companies, often via middleware such as Zapier, either integrated directly or through additional outside market-research and vertical-marketing communication systems used to distribute marketing communications. It is unusual for these to be under the control or security oversight of the organization’s IT department. Each such integration holds its own credentials to the CRM data, so considerable care is required to avoid vulnerabilities.
Information Technology
Information technology was not buried in the middle of this section for any reason other than to get across that it is one element of the holistic approach required. IT’s time will come later.
Scope
IT includes many aspects. I put this list together to get across how all of these responsibilities need security oversight. I’m sure you have more.
It includes systems, workflow, applications and application development. It covers user management, compute and network connectivity, selection and management of Internet service providers or managed service providers, and data center and cloud migration. There’s more: data, web and social media management, physical/virtual operations and software supply chains. A long list, some in-house, some via consultants, some outsourced.
Each has areas of vulnerabilities & responsibilities:
- Establishes appropriate DevSecOps. This concerns all kinds of business organizations that provide a product or service with any data, software or application content.
- Creates a secure cloud migration plan and performs all vetting of third-party providers and integrators for compliance.
- Creates policies for collaborative use of partner systems, AI/ML outsource integrators, multiple clouds and other external resources accessed via third-party applications, either directly or via Application Programming Interfaces (APIs).
- Establishes and protects intellectual property and company and client data/information using best practices as far as reasonably possible.
- Establishes a policy-based identity for each actor (application, system and device) based on function, approved user, management software, required privilege level, status (revision, development) and access (system and admin level, device, network, location, application) such that the Identity Management System functions effectively.
- Establishes implementation policy for migration and testing of new and updated systems for vulnerabilities.
- Responsible with the CSO for developing and testing Business Continuity systems for Incident Management and Disaster Recovery. Although this almost certainly involves IT, an incident could be invoked from any source.
Outsourcing and Delegating Information Technology
- How much of this is handled in-house and how much is delegated comes down to budget and organization size. For small organizations, oversight and auditing are key.
- My experience is that outsourced IT is great at managing data and e-mail systems, desktops and remote support, but has very limited knowledge of security. It’s a well-known fact that there is a huge shortage of Cybersecurity expertise. Hence books and “security” companies springing up everywhere.
- At a minimum, selection of any of these resources must be accompanied by a vetting process to understand how much they understand about cybersecurity. Hopefully, this work will help with that. Please don’t fall into the trap of settling for “Don’t worry, we have all of that handled” answers from your service providers; it is probably a sure sign that they are clueless. Get a proper understanding of how they handle the processes covered here, including their use of automated approaches and their vetting of any third parties they use. This implies some level of trusted resource in house.
- To go back to our initial thoughts on misunderstandings, there is no “one-and-done,” and auditing is essential. The implication is that some level of in-house expertise is needed, since most outsourced IT is naïve when it comes to cybersecurity. Not the answer you were hoping for, no doubt.
Policies for Remaining Areas of the Organization:
Product Marketing
The implementation of DevSecOps begins here. The traditional product marketing approach asks:
- Does the product meet the minimum functionality required for the market?
- Is the product’s quality good enough?
- Ship it before competitors to get the lead in the market.
- Add additional functions in subsequent versions.
To the first two points above we must now add: “Was it developed to meet the security requirements?” and “Do not ship until its key security requirements are met.” More on this topic in Section 8.
Physical Security
There are many unseen and unnoticed actors within the premises (cleaning, maintenance, delivery and building staff, for instance), and it is important that they have access only to what they need. The question is always “Is it being properly and automatically monitored?”
All but the largest organizations outsource physical security, especially when there are branch offices. The management of physical security, especially in a multi-tenant building, is another potential risk, since it may be part of a bundled service that is out of your control but should still be subject to vetting. If you have a managed service provider, the same vetting should be applied to avoid abdicating responsibility. If you don’t get sensible answers, switch service providers.
Marketing and Corporate Communications
What has security got to do with marketing? The answer is plenty.
It is a prime example of vulnerabilities outside of IT not being handled carefully. We touched on this earlier. Whether web presence is delegated/outsourced or handled in-house, the use of third-party software, such as off-the-shelf WordPress plug-ins, can render the organization’s website vulnerable to attack. The same applies to other popular web platforms such as Drupal and Joomla, and possibly Squarespace, though it’s a while since I used them.
The website and its server platform must be protected with firewall software (including a web application firewall in front of the CMS) and automatic updates. For those who don’t know how this works, WordPress (easily the most popular content management system) has more than 59,000 free plugins. (“Good grief, does that mean there are 59,000+ opportunities to inadvertently add malware to my website and grab customer data?” Yes.) A plugin runs inside the same PHP application as WordPress itself, with the same access to the database and the filesystem, so a flaw in any one of them is a flaw in the whole site. Even THE most popular plug-in, Elementor, with millions of users, had a critical vulnerability disclosed and patched in April 2022.
So, even though they may all be well-intentioned, make sure you have the latest version of each plugin running on the latest version of WordPress and the latest version of PHP. Get rid of plug-ins that are no longer in use, even the inactive ones: their files remain on the server and may still be reachable directly. (Yes, I have been the victim of these problems, so please learn from my mistakes.) I can’t speak to the other platforms such as Joomla and Drupal, but they are likely the same.
Next, it is critical that any stored data relating to customers be kept up to date, and that records which are time-sensitive or contain outdated information be separately annotated as such. This will be an element of asset assessment.
Manufacturing Management, Operational Technology and Use of IoT Devices
This is a major topic that can’t be done justice in this work, mainly because it is such a diverse subject. It has been plagued by the lack of a single secure standard, but as we cover later, there has been a recent breakthrough here.
In a purely manufacturing environment, the main problem is the exposure of critical IoT devices, and of their update mechanisms, to third parties and to remote management (e.g., remote operation of medical systems) via the Internet. The software supply chain (covered in the next section) is also a factor. The best advice is to use Zero Trust principles to deflect possible attacks and to use network slicing and segmentation techniques.
For Operational Technology systems the problem is a little different, in that the term “IoT” is being used to cover legacy devices that often have little or no control intelligence and admit little protection. Examples are badge readers, remote camera systems, remote pollution monitoring, rail systems and entry systems of various kinds, many in remote or unsupervised locations. All have been classified as (or in reality rebranded as) “IIoT” devices even when they have no Internet connectivity, purely as a way for the companies selling or connecting such products to look cool and smart, as was already noted earlier.
The bottom line, then, is that the links between source systems and IIoT devices can be protected hop by hop with MACsec or similar link-layer protocols, but MACsec decrypts at every switch, so the data is in the clear inside the network infrastructure and on any hop that is not protected, even inside a trusted domain. End-to-end protection requires a transport- or application-layer protocol (TLS, IPsec) that a legacy device may not be able to run.
The answer to all these issues is to separate and segment network access as much as possible to limit the impact of externally generated threats. Not perfect, but better than nothing.
Supply Chain Management, Attacks and Prevention
Much of the data held by manufacturing, by outside third parties or by subcontractors must be scrutinized to avoid unnecessary exposure of company data. Those parties must be subject to the same scrutiny as insiders, by giving them least-privileged access to corporate data.
It would have been simpler to just reference the many policy templates from SANS [19] and other organizations. While you may want to check these as a useful base, they seemed dated in the areas covered in this work or belong to previous decades.
Supply chain attacks: either attacks on the supply chain itself or, more likely, use of the supply chain to impact your software. Bear in mind that malicious attacks in this area may not be ransomware but may be entirely destructive of your data. So again, ensure your data is backed up and verified as restorable.
Do check with vendors in your software supply chain that:
- They provide a software bill of materials (SBOM) for each release, in a machine-readable format such as CycloneDX or SPDX.
- They do code reviews to ensure nothing untoward (i.e., malware) has been inserted into the code.
- They perform monitoring in compliance with NIST SP 800-53 Rev. 5 [20] (or possibly ISO 27001 [21]).
- They perform similar checks on their own supply chain.
Do not expect it to be foolproof, especially the 4th point. Remember, it is all about deflection and protecting the weakest link.
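Having an SBOM is only useful if you do something with it. The following is an added example, not code from the book or from any vendor, showing the two checks a customer can run on each release’s SBOM: every component must be identifiable (name, version and a SHA-256 hash, without which the artifact cannot be verified), and a diff against the previous release’s SBOM lists exactly which components appeared, disappeared or changed, including a component whose version is unchanged but whose hash is not. The two CycloneDX-style documents, the component names and the hash values are all constructed placeholders.

```python
"""SBOM sanity checks and release-to-release diff (CycloneDX JSON).
Added example, not from the book; both SBOMs below are constructed."""
import json

# Constructed SBOM for release 1.0 of a hypothetical product.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libalpha", "version": "1.2.0",
         "purl": "pkg:generic/libalpha@1.2.0",
         "hashes": [{"alg": "SHA-256", "content": "a1" * 32}]},
        {"type": "library", "name": "libbeta", "version": "3.0.1",
         "purl": "pkg:generic/libbeta@3.0.1",
         "hashes": [{"alg": "SHA-256", "content": "b2" * 32}]},
    ],
})

# Constructed SBOM for release 1.1: libbeta bumped, libgamma added with no hash.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libalpha", "version": "1.2.0",
         "purl": "pkg:generic/libalpha@1.2.0",
         "hashes": [{"alg": "SHA-256", "content": "a1" * 32}]},
        {"type": "library", "name": "libbeta", "version": "3.1.0",
         "purl": "pkg:generic/libbeta@3.1.0",
         "hashes": [{"alg": "SHA-256", "content": "c3" * 32}]},
        {"type": "library", "name": "libgamma", "version": "0.1.0",
         "purl": "pkg:generic/libgamma@0.1.0"},
    ],
})


def load_components(sbom_json):
    """Return {name: (version, {sha256 digests})} from a CycloneDX JSON string."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = {}
    for c in doc.get("components", []):
        digests = {h["content"] for h in c.get("hashes", [])
                   if h.get("alg") == "SHA-256"}
        out[c["name"]] = (c.get("version"), digests)
    return out


def check_components(sbom_json):
    """Findings that make a component unverifiable: missing version or hash."""
    findings = []
    for name, (version, digests) in load_components(sbom_json).items():
        if not version:
            findings.append(f"{name}: no version")
        if not digests:
            findings.append(f"{name}: no SHA-256 hash, artifact cannot be verified")
    return findings


def diff_sboms(old_json, new_json):
    """Components added, removed or changed (version or hash) between releases."""
    old, new = load_components(old_json), load_components(new_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        # A changed hash with the same version is the case to look at hardest.
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


if __name__ == "__main__":
    print("findings:", check_components(SBOM_V2))
    print("diff:", diff_sboms(SBOM_V1, SBOM_V2))
```

For the constructed documents, the checks report that libgamma ships without a hash, and the diff shows libgamma as added and libbeta as changed. Anything in the “added” or “changed” lists that the vendor’s release notes do not explain is the question to put back to them before deployment.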
ExO Methodology: Accelerating Holistic Cybersecurity
The Exponential Organization (ExO) methodology is a way of accelerating the adoption of disruptive technologies such as Holistic Cybersecurity [22].
As anyone who has attempted to have an innovative approach adopted in business knows, this is no easy task. The larger the organization, the more resistant its “immune system”: “We’ve heard it all before” is often the resigned response to new ideas. This resistance is driven by any idea that increases costs, or disrupts or even threatens planned profitable revenue growth. The ExO methodology is designed to introduce new ideas either (1) as add-on, incremental and self-contained business models that do not impact the core business, or (2) as adjuncts to the core business that generate new revenue.
Fortunately for the timing of this publication, “Exponential Organizations” provides a methodology to help introduce disruptive technological approaches such as those recommended in this work. It requires separate reading, so don’t worry if this seems like a foreign language [22].
Version 2 of the book is available to members of the ExO community as of February 2023, prior to general availability. I found this work fascinating, to the extent that I became a certified ExO Sprint Consultant and Coach and included it as part of my consulting work. A brief description is included here.
This strongly recommended approach will help usher in new cybersecurity approaches. In fact, the introduction of any new technical or management change benefits from it. It is especially included since it will help get the concepts of this book (and all other new ideas) across to all departments in a short time frame.
Exponential Organization work begins with having a Massive Transformative Purpose, different from a Vision or Mission in that it covers why the organization exists for the world.
The implementation methodology covers ten attributes, external and internal, as shown below.
All ten attributes require special attention from a cybersecurity perspective, which is part of the reason they are covered here.
ExO External Attributes

| Attribute | Cybersecurity Considerations |
| --- | --- |
| Staff on Demand | This euphemism for contractors etc. means several distributed workforces may be in play at one location. Separation of user roles is essential. |
| Community | While key to rapid growth, caution needs to be applied so as not to disclose confidential information or invite open-source abuse. Use of blockchain is a possible fit here. |
| Algorithms | Deep learning and automation require special control, as they can become targets. |
| Leveraged Assets | Software supply chain and partner relationships require validation. |
| Engagement | Game-based approaches may be subject to special consideration. |
ExO Internal Attributes

| Attribute | Cybersecurity Considerations |
| --- | --- |
| Interfaces | APIs, platforms and user interfaces all must be secured, as we cover in a later section. |
| Dashboards | Systems need vetting for risk. |
| Experimentation | Ensure that fast time to market does not crowd out DevSecOps considerations. |
| Autonomy | Ensure cybersecurity is taken into consideration; some things can’t be left to chance. |
| Social Technology | Often overlooked but, by definition, social technologies such as Google Docs, Slack and Atlassian’s Confluence can expose personal and sensitive information. |
Final word: Exponential Organizations have been shown to grow dramatically faster, be more profitable and achieve a much higher market cap.
Section Epilogue
This pivotal section covered the impact of cybersecurity across the organization. We covered:
- Executive team, CSO, F&A and legal
- Human resources and insider threat management
- Marketing communications
- Product and service marketing and development
- Information and networking technologies
- Production, manufacturing and supply chain
- Exponential organizations
Later, in Section 11, we return to the actions that need to be taken by each department.
The business and technical approaches recommended to build a successful cybersecure organization have now been covered. The place to begin is the organization: its commitment, policy creation and execution.