Companies’ current approach to cybersecurity is too static, and their measures are often purely technical.
Criminals innovate too, especially cybercriminals, who constantly come up with new types of ransomware, malware and other digital weapons. But while attackers keep evolving, companies are still doing far too little, says expert Sander Zeijlemaker (Disem Institute, MIT). His solution: a flexible approach based on system dynamics.
For the largest Dutch companies and government bodies alone, cybercrime is estimated to cause losses of around ten billion euros a year. Business processes can grind to a halt, with enormous financial damage in the short and long term. Think of the NotPetya malware (widely reported as Petya) that paralyzed the Maersk container terminal in Rotterdam a few years ago, with a direct loss of around 250 million euros. Another catastrophic consequence of cybercrime can be damage to your company’s reputation, as the later-bankrupt certificate authority DigiNotar experienced when it was hacked. And then there are the fines the government can impose if your cybersecurity turns out to have fallen short. Since the introduction of the General Data Protection Regulation (GDPR), these can run to millions of euros, even if criminals have not abused the situation.
Or rather: have not yet abused the situation. Because if security measures are not tightened again and again, the chance of that will certainly increase. Cybersecurity is in fact a continuous arms race, with defenders and criminals as the warring parties. The criminals are always a step ahead. They can act quickly without being hindered by laws, rules and codes of conduct, and work undisturbed on new, even more powerful methods of hijacking, damaging, copying or otherwise misusing data, using innovative and easy-to-use tools, from USB devices that give access to computer networks to software bundling dozens of ready-made hacking tools. To counter all these digital weapons, companies need to be constantly alert and adapt again and again to new threats.
They do, but not always in the right way. That is what Sander Zeijlemaker, director of the cybersecurity consulting firm Disem Institute, says. He has also recently become a research partner at the renowned MIT in Cambridge, Massachusetts, where he will continue the cybersecurity research for which he received his PhD earlier this year. In addition, a management book by him based on his dissertation, Grip on digital security: A future-proof strategy, that’s how you do it, will be published soon. He is also a valued teacher of courses for the NBA, the Dutch professional body of accountants. He made a name for himself with the Dynamics in Cybersecurity course, which is aimed at financial professionals, but he will soon also be training risk managers.
Central to his thinking, as the title of his dissertation, Unraveling the dynamic complexity of cybersecurity, already gives away, is the importance of dynamics for cybersecurity. Dynamics in the environment, first of all: dynamics in the threats that may arise, dynamics in cybercrime attacks, dynamics in security holes, simply because people come and go, new suppliers are brought in and equipment is purchased.
For finance professionals, the importance of ‘dynamics’ should not be news. After all, the financial sector is generally well aware that the world is ‘volatile, uncertain, complex and ambiguous’, or VUCA, an acronym that came into wide use after the 9/11 attacks in New York in 2001; the corona crisis shows it once again. And they see that because the environment is so ‘VUCA’, it is hard to prepare for what is to come. At the same time, they still strive to use tools to look ‘outwards’, to take a good look at the environment and estimate future developments. In addition, they strive for maximum resilience and agility in their organization so that it can adapt to all kinds of change.
Yet this way of thinking is rarely applied to cybersecurity, even in the financial sector, Zeijlemaker says. “Executives who have to make choices in cybersecurity are supported by all sorts of standards, frameworks and comparisons with other organizations. After each incident, internally or at other companies, new measures are devised to prevent the next incident. That is quite a static approach, a bit like driving a car by looking only in the rearview mirror.”
Moreover, these measures are often purely technical: in the arms race with cybercriminals, only the hardware and software are adjusted to bring security up to the required level, for instance by buying new servers and new detection software. And how effective are all these retrospective measures and all that heavy, technologically advanced artillery? That too is questionable, because people have a hard time working out the consequences of their choices.
Zeijlemaker argues for an alternative. He advocates an approach based on system dynamics, which has been used for some time in various other fields, from medical research to sustainability. “Look at your whole organization, because security concerns the whole business: the management, the processes, the people who work there, how they work together, the threats that can arise and, it goes without saying, technology and security policy.”
In addition, he is in favor of computer-aided simulation models, because they are a good way to get a grip on how the future may develop, at least better than when the human brain has to make decisions on its own. “In short, map all the factors involved in strategic cybersecurity decisions, and use simulations to show how successful future decisions are likely to be. In this way you can support strategic security decision-making, better than with the usual static approach.”
All of this immediately explains why he focuses so strongly on finance in his call for a flexible approach based on system dynamics: “Finance is the ‘spider in the web’. It plays a key role in the organization, can look over the fences and see which initiatives reinforce each other.”
According to Zeijlemaker, the finance professional is therefore also the best placed person to decide which security investments make the most sense, at least if they use that systems approach and use simulations to support their decisions. “The use of simulations supports decision-makers in prioritizing activities and investment plans, providing insight into future budget requirements and drawing up substantiated plans for the future. A simulation shows the effectiveness of an intended strategy before the necessary investments are made. Where strategic goals turn out to be unachievable, simulating the adjusted strategy is advisable; given the damage that a cyber attack can cause, the cost of simulation is negligible.”
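To make the argument concrete, here is a deliberately small system-dynamics model of the kind described above, written as an added illustration for this page. It is not taken from Zeijlemaker’s book, dissertation or course material, and every number in it is an assumption chosen for the example. It tracks one stock (open weaknesses), feeds it from organizational change (new people, suppliers and equipment, as in the text), drains it through remediation capacity, and lets attacker pressure grow every month because criminals innovate. Two budget policies are then compared on identical inputs: a reactive one that buys capacity only after incidents have happened, and a continuous one that sizes capacity to the rate at which weaknesses appear.

```python
"""Toy system-dynamics comparison of two cybersecurity investment policies.

Added illustration for this page, not from Zeijlemaker's book or models.
All parameter values are constructed assumptions, not measured data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Params:
    steps: int = 36                  # months simulated
    change_events: float = 20.0      # hires, suppliers, devices per month (assumed)
    vulns_per_change: float = 0.5    # new weaknesses introduced per change (assumed)
    initial_vulns: float = 10.0      # stock of open weaknesses at t=0
    initial_capacity: float = 5.0    # weaknesses remediated per month at t=0
    attack_pressure0: float = 0.02   # P(an open weakness is exploited in a month) at t=0
    attack_growth: float = 0.03      # attacker capability grows 3% per month
    cost_per_capacity: float = 1.0   # budget units per unit of capacity per month
    cost_per_incident: float = 50.0  # budget units lost per incident


@dataclass
class Result:
    incidents: float                 # expected incidents over the horizon
    spend: float                     # capacity cost plus incident losses
    final_vulns: float
    trajectory: List[float] = field(default_factory=list)  # open weaknesses per month


# A policy decides next month's remediation capacity from what it can observe.
Policy = Callable[[int, float, float, float, Params], float]


def reactive(step: int, open_vulns: float, capacity: float,
             incidents_last: float, p: Params) -> float:
    """Rearview-mirror policy: buy capacity only in response to last month's incidents."""
    return capacity + 2.0 * incidents_last


def continuous(step: int, open_vulns: float, capacity: float,
               incidents_last: float, p: Params) -> float:
    """Forward-looking policy: size capacity to the inflow of new weaknesses plus a margin."""
    inflow = p.change_events * p.vulns_per_change
    return max(capacity, 1.2 * inflow)


def simulate(policy: Policy, p: Params = Params()) -> Result:
    """Step the stock-and-flow model one month at a time."""
    vulns = p.initial_vulns
    capacity = p.initial_capacity
    incidents_last = 0.0
    total_incidents = 0.0
    spend = 0.0
    trajectory: List[float] = []
    for step in range(p.steps):
        capacity = policy(step, vulns, capacity, incidents_last, p)
        inflow = p.change_events * p.vulns_per_change        # change creates holes
        remediated = min(vulns, capacity)                     # cannot fix more than exist
        vulns = vulns + inflow - remediated                   # stock update
        pressure = p.attack_pressure0 * (1.0 + p.attack_growth) ** step  # attackers innovate
        incidents_last = vulns * pressure                     # expected incidents this month
        total_incidents += incidents_last
        spend += capacity * p.cost_per_capacity + incidents_last * p.cost_per_incident
        trajectory.append(vulns)
    return Result(total_incidents, spend, vulns, trajectory)


def compare(p: Params = Params()) -> Dict[str, Result]:
    """Run both policies on identical inputs so a decision-maker can compare them."""
    return {"reactive": simulate(reactive, p), "continuous": simulate(continuous, p)}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:10s} incidents={r.incidents:6.2f} spend={r.spend:8.1f} "
              f"peak open weaknesses={max(r.trajectory):5.1f}")
```

Running it shows the reactive policy letting the backlog of open weaknesses peak well above the continuous policy before capacity catches up, and then continuing to buy capacity it no longer needs because incidents keep trickling in; that delayed, overshooting feedback is exactly what a simulation exposes and a list of last year’s incidents does not. The assumed parameters must be replaced by the factors of your own organization before any conclusion is drawn from such a model.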
Grip on digital security: A future-proof strategy, that’s how you do it is expected to be available from July on Boekenbestellen.nl, bol.com and in bookstores.
Today’s society is also referred to as a digital society. It is highly technologically interconnected and increasingly deals with new digital concepts such as e-health, smart cities and Industry 4.0. Adequate digital security plays an indispensable role in this.
After an incident, the ad hoc responses of the organizations that were attacked are often heavily criticized, and, confronted with reality, it becomes clear that a solid digital security strategy is needed. It is high time decision makers treat digital security, in all its dynamics and complexity, as a normal field of management.
Dr. Sander Zeijlemaker RA RE CISA CISM SCF is a strategist, consultant and writer who focuses on the predictability of complex strategic issues. He specializes in, and obtained his doctorate on, digital security and investment issues.
In plain language: ‘Grip on digital security’ provides a solid, practical guide that helps executives and decision makers, using dynamic modeling, with:
• defining effective security strategies;
• making predictive long-term analyses of the critical indicators relevant to the security strategy;
• producing management information for ongoing monitoring.