The Critical Difference Between Cybersecurity and Cyber Resilience

With the recent news regarding the data breach at Equifax, senior-level financial executives are beginning to question how much cybersecurity is enough in a world full of threats. Financial Executives International Managing Editor Olivia Berkman spoke with Paul Nicholas, Senior Director of Global Security Strategy and Diplomacy at Microsoft, regarding the burgeoning practice of cyber resilience. A transcript of the conversation follows.

Olivia Berkman: Paul, thanks so much for joining us today. I want to start out by asking you how you would describe cyber resilience versus cyber security.
Paul Nicholas: Thanks, Olivia. When I talk to customers it's really interesting to me: they think that cyber security is an exclusive conversation, and cyber resilience is an inclusive conversation. What I mean by that is sometimes people opt out of cyber security conversations because they feel like they don't have enough of a technical background to be able to contribute or be part of the dialogue, or they just want to move it on to someone who they feel is more technical.
Cyber resilience is much more of an open conversation, if you will, because people are talking about the outcomes that they need from cyber, and they want to be able to participate and leverage those outcomes in different ways, and so I find it's much more of a broader community that is willing to engage and think about cyber resilience.
Berkman: Okay, that makes sense. Where do you see the biggest holes in corporate America when it comes to cyber resilience?
Nicholas: To me it feels like we're going through sort of a generational change in this space. You probably heard about people discussing digital transformation or this concept that essentially every enterprise today is really, in some way, a software company. There are banks that have as much code as Microsoft has, that they've built themselves, or transportation companies that literally don't think of themselves as a fleet of trucks and planes, but really an IT service that has outputs in trucks.
It's fascinating to close that gap between companies that made the digital transformation, but haven't really thought about the systemic risks they're going to have to think about and how to build sort of a resilient response to that. In some cases they still default back to IT security, am I compliant with A, B, C standards or regulatory compliance?
I think the biggest gap in my mind is how do you get from compliance to a much broader assurance that you can operate in any type of circumstance. That's the gap that we're trying to close today, and it's significantly different than I would say the sort of business continuity challenges that we thought about in the 80's and 90's.
Berkman: You mentioned systemic risks. Can you give me some examples of what those might be?
Nicholas: Yeah, I had the opportunity to participate in a World Economic Forum report that came out last August that looked at trying to understand systemic cyber risks. It's a really challenging space. I think we kind of all landed on a definition that the International Monetary Fund had come up with for financial services. Essentially, systemic cyber risks are those things that go beyond your company in some ways. It could be a protocol that the entire industry relies on or common things that support the global economy, either in terms of a service or a piece of software or protocol that, if really exploited or attacked or degraded somehow, could suddenly really have a disruptive or destructive impact on people, and I think in certain sectors like finance, people understand systemic risk if they think about it in terms of capital markets.
When you get to something as distributed and as global as cyber, it's harder to measure it and therefore, harder to manage it.
Berkman: Given the recent media coverage regarding governments fighting cyber battles, how or can companies prevent themselves from getting caught in the crossfire?
Nicholas: That's a great question. We recently began talking about something we've referred to as the Digital Geneva Convention, and part of that is really based in the sense that in a time of peace, you could argue largely the world is in a time of peace. We don't have a global war going on of any sort. We do have regional conflicts, but generally, I would say most of the world is in a peaceful state. Governments really should exercise a bit of restraint in terms of attacking critical infrastructures like banking or energy or certain things that underpin the operation of the internet in terms of security and stability.
We actually put forth a proposal for a set of government security norms that look at how governments collect vulnerabilities on private sector products, or make sure that if they build weapons in cyber, those weapons can't be reused by criminals or terrorists to create greater damage, or that governments don't create things that create mass effect.
In parallel to what we've asked governments to do, we are looking at developing a set of industry norms or a tech accord, if you will, that would actually talk about the things that we should do as an industry, being really clear that if you make a mass market information and communications technology, you can't be in offense. You can only do defense. You can't have an offensive business.
Being really clear that, no matter what happens, we're going to patch all customers. We're not going to pick winners and losers because two sovereign states are engaged in a conflict and those types of things. I think part of what we're doing is trying to ask governments to restrain themselves from certain activities that could be damaging to the ecosystem. Governments are always going to mess with other governments. We can't stop that, but please stay out of the global economic space.
Then secondly, there are the things that we need to do as industry. A huge part of that is information sharing and collaboration so that we understand the threats and can kind of work to repel them.
Berkman: How can the private sector work more closely with governments around cyber resilience without compromising customer data?
Nicholas: That's been a really big concern, particularly post Snowden. When we've engaged in working with governments around the world, we really focus on two core things. One has been trying to think about risk management practices, and here you have governments who have one set of risk management practices because they tend to work for low probability, but high consequence events. The private sector tends to look for high probability events that could occur that might be a lower consequence, and so we have two different approaches to risk management. I think when we combine them, we get a shared understanding of how you would operate in certain circumstances.
The other part is really when you get down to dealing with a particular type of attack or a particular piece of malware or a campaign of incidents, the things that need to be shared in that case are really not about customer data. It's about what the industry often calls indicators of compromise. That might be an observed set of tactics or techniques that we see being played out in the enterprise that helps other people go back to their enterprise and look at that and say, 'Have I seen that on my network? Am I experiencing these types of things in different operations?' I actually find that in our collaboration, there really isn't customer data. It's about either high-level practices and procedures that you need to build from a cultural perspective, or they're very technical in terms of here are the signatures or here is the type of code or the tactics that you need to look for.
Berkman: How will the rise of automation in finance and new platforms such as Blockchain impact cyber resilience efforts for corporate America?
Nicholas: I'm really excited about that. I think the emergence of things like machine learning and artificial intelligence, things like Blockchain, I think they really offer new opportunities for resilience that we haven't thought about. In some ways, machine learning and AI are going to help us better understand and react to threats at a much faster pace than we could as humans. I think learning how we leverage that and integrate it into our corporate security and response operations is going to be critically important.
Berkman: Any downside that you see?
Nicholas: Well, the downside is that while we would be using them for good in protecting banks and financial services, it will also create innovation for the criminals who want to attack or exploit that. We're constantly in this balance of power, if you will, in cyberspace, and so I think the more that the financial services can look over the horizon and think outside the box and break off just the strict compliance regime that they have to deal with for regulators, they can really start to innovate in terms of how they think about security and proactive defensive measures.
Berkman: Paul, I want to thank you again for taking the time. It was a pleasure connecting on this, certainly a very important and timely topic.
Nicholas: Thanks, Olivia. I really enjoyed the opportunity to chat with you about resilience. I really think it's our future, particularly as we move into a cloud-centric world.
Berkman: Absolutely. Well, thanks again, Paul.