‘Cybersecurity regained: preparing to face cyber attacks’ is the name of a recent EY Cybersecurity survey. 41 Cybersecurity consultants got together at to take part in the Oceans 99 business simulation workshop. The aim was to explore Cybersecurity best practices to help delegates prepare their clients to face cyber attacks.
As stated in this latest survey ‘…The World Economic Forum now rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world today’. Yet many organizations are ill prepared.
At the start of the session we asked the team to describe the top Cybersecurity challenges or issues their customers tell them about. The list was:
Lack of knowledge, skills/resources
Lack of third party management
It was interesting to see that People’s behavior wasn’t mentioned nor was Board level commitment.
We explored the findings of the EY survey which clearly cited:
‘77% of survey respondents worry about poor user awareness and behavior’.
The survey also mention the number 1 in the list of the 5 basics to be covered is ‘Cybersecurity is not the sole responsibility of the IT department; it is the responsibility of every employee and even of all the people in the eco system of the organization’.
Incredibly the survey also revealed that only ‘4% of organizations are confident that they have fully considered the information security implications of their current strategy, and that their risk landscape incorporates and monitors relevant cyber threats, vulnerabilities and risks’.
Oceans99 – A Cybersecurity business simulation
The business simulation is a dynamic, interactive, case based workshop which can be used to raise awareness for Cybersecurity, particularly the people related aspects. The simulation can be used to gain business and board level awareness and commitment. In this business simulation game:
“The owner of the Bank of Tokyo has decided to exhibit three world renowned objects. The ‘Star of Africa’, the ‘Jewish Bride’ and a ‘Bugatti 59’. The challenge for the team is to bring the objects to Tokyo, on time, safely and securely, and to have them exhibited, however there are rumors that Oceans 99 a criminal organization wants to steal the objects… In the game the various stakeholders make use of Information systems for planning, for managing, for transporting, for monitoring the objects and for booking and selling tickets, there are many opportunities for Oceans99 to exploit vulnerabilities.”
Two teams too part in the simulation exercise. The teams were given the tasks of designing a Security Policy, Performing a Risk assessment and developing a Strategy for investing in security counter measures. Observers were given either ISO27001 or COBIT CSX checklists which they used to observe and assess the teams and give feedback. Two delegates played investors who wanted to invest $500 million in one of the teams. They would observe the two teams and decide at the end of the simulation which team they would invest in, based upon the teams demonstrated Cybersecurity approach.
In the initial exercise there was too little board level ownership or engagement and the teams were primarily focused on technical IT assets and risks rather than business information assets and risks. The investors were clearly worried about their investment. Finally at the end of the simulation a decision was made. The board and CISO of one team clearly demonstrated an understanding of critical information assets, appropriate risk management and mitigation investments and people focused cybersecurity practices.
At the end of the simulation delegates were asked ‘what were your key discoveries and takeaways’?
Communication with stakeholders. Chiefly to raise awareness for the fact that ‘Everyone is accountable for the protection of information within the enterprise’ (COBIT 5 Model behaviors in Cybersecurity).
Identification of the ‘Crown Jewels’ (critical information assets that need protecting). This is critical input for the risk management exercise and investing in appropriate measures. (The EY survey mentions ‘Prioritizing the crown jewels’ as one of the 4 stages in an ‘active defense’).
Prioritize investments based upon ‘business needs’ – this requires appropriate board-room engagement and commitment.
Create more commitment from the board (Use the language of the board, demonstrate an understanding of business drivers, crown jewels and risk appetite).
Coaching and educating clients. Coaching key stakeholders and ensuring ‘continual’ awareness and education. ‘(COBIT 5 model behaviors in cybersecurity: ‘All users understand the defined priorities in cybersecurity and how to apply them in their personal and business IT environment’).
Focus on cost efficient investments, related to business priorities and risk appetite – there are always budget limitations.
Involving all stakeholders in ongoing risk management. This is not a one-time activity. Critical input comes from monitoring and incident management which also provides input into on-going training and awareness about identified attacks and phishing mails.
Impacting the decision making of difficult stakeholders. Asking appropriate questions, probing critical information assets and risk appetite.
Security is a team working exercise, not a one-man show. (‘Ensure that information security is integrated into essential business processes’ is a key COBIT 5 Information security principle ‘Focus on the business’).
Why this type of session is important
Jasper Arbeel, Pink Elephant explains: ‘Cybersecurity is often associated with “boring” and “dull”. Not in OC99! Playing this business simulation exercise is a powerful and accommodating way to get groups think about Security and work together. By doing this, they’ll get to see the relevance of one of the most important issues on today’s corporate agendas. In the exercise delegates will experience first hand the fact that Cybersecurity isn’t just a CISO (Chief Information Security Officer) thing, but concerns everybody in the organization. It applies to everybody. Cyber criminals exploit human weaknesses and human behavior. Experience or position in the organization don’t matter.
Getting employees to realize that Cybercrime is real, out there, not going away and definitely something that also has an impact on them, is a major concern for all of our clients. That is why Pink Elephant uses simulations like Ocean’s 99 as part of our education and organizational change management offerings. Often these are supplemented with tailor-made, continuous online awareness programs to train employees. In our opinion continuous learning is the only way to alter people’s behavior and attitude on security. Getting insight on Security is the first important step in this process and if anything, this is what Ocean 99 provides’.