Welcome to the KuppingerCole Analyst chat. I will be your host. My name is Matthias Reinwarth, I'm an analyst and advisor at KuppingerCole analysts. We will focus on specific and hopefully interesting topics that we as analysts encounter in our daily work. And this work that we do is mainly focused on the topic areas of cybersecurity, identity, and access management, AI, and much more here we do in-depth research, but also advisory work with vendors and end-users as clients like in each edition, I will have one guest joining me, often a fellow analyst or another interesting partner. And we will have a 15 minutes or so chat around current topics. Today, we will talk about setting your cybersecurity priorities, right? And my guest today is once again Martin Kuppinger, principal analyst at KuppingerCole. Hi Martin. Hi, great to have you here. The title for today is setting your cybersecurity priorities, right? That means that people sometimes do it wrong. What can we do wrong? What are they doing? Wrong?
Gain comes from a couple of conversations I had for CSOs over the past 18 to 24 months. And it's interesting to see that some of the CSOs started shifting their priorities with having a simple thing in mind, which is you are under attack. There are successful attacks, so you can't fully prevent being attacked. Which means the more important question is increasingly is what do I do if I have been successfully attacked, how can I mitigate the impact? How can I become a more resilient against the tax? And that, from my perspective, leads to a shift from the traditional focus of cybersecurity to prevent towards recover. How can I keep my business alive? That is basically the question. So if you take a bank, a bank, if the bank is really hard, if it can't work anymore because the data centers are down, which happened was consequences of heavy targets of attack. And a bank has a window of maybe two, maybe three days to recover the core systems to survive as a business. So recovery from my perspective is something which is not considered as being important enough and not enough prioritized yet for what we need to. We need to get better in recovery and resilience to be able to restart services, to keep our businesses alive.
So it's not giving into the reality, but it's really accepting that this breach or this incident will happen and to be prepared when it happens.
Yes. So, so when did you take a standard life-like little foot cyber defense, then it starts with identify. So what are your risks goes to prevent? This is the traditional part detecting. And then there's a lot of talk these days about defendant response. So stop the attacks. There's from my perspective, not enough emphasis on recovery and improvement, because we have to accept that as good as we are in preventative, we should not be, must not stop prevention. That's the first thing is strong layers, multiple layers of defense, but we must also assume breach. And that means that there is something we need to do when we are attacked, ensuring that the data is still there. The systems are broken, et cetera, et cetera. Notably, this also leads to an, it will use from an organizational perspective because D I T part of business, continuing team management must be far closer aligned with our cybersecurity initiatives because this in combination makes up resilience. So what I'm saying is, in fact, we even might need to rethink our it organization to shift everything which is about resilience and recovery into a one unit, instead of having security here and endpoint management there, and some backups for the server and stuff there, I think we need to change it.
I think it's really important because the business really understands what needs to be protected to make sure that business can continue. And that there's sometimes a disconnect between the business, understanding what the risks are and mapping that to the it systems, the services that have to continue running as, as the basis for implementing these business surfaces. So, as you've mentioned, if this is one common risk assessment and a common understanding what really needs to continue and what can be started next. So in the first step, that is, I think something that needs to be understood on a corporate level, including it and not separately.
Yes. And, and there there's a need for, for trying off, off areas. At least the Nike, such as keeping their data centers up, which are doing backups and stuff like that. And there's the need for, for linking business. And its, you said, because recovery also means that you need to understand not only how can you get a again up and running, but you need to understand how can you reconstruct data? So you might end up in a scenario, very say I have to restart the system from a backup fixtures, 24 hours old or something like that. That is the newest status of data for certain businesses after I've been hit really hard or it might be even a little longer. And then you might say, okay, I start continuing my business operations, but then I have to have a process for manually filling the gaps over time or maybe automatically or manually. But you have to build that half also some inconsistency in data, which you need to handle. And you need to understand which systems to bring up. If you need to have to communication is conversation between various areas of its and between it and business, which from my perspective also redefines the role of a CSO must be bigger than it is today
Because the CSO then is the it's bridging the gaps between otherwise really separate teams. So there there's really a, a also a communication aspect to the Caesar role that makes sure that these risks are well understood that inconsistency in data are well identified and that there are well-defined processes for, for restarting or for continuing operations, even in such a, in an incident case or in a crisis, or even if there has been data being been destroyed or deleted or modified so that these processes are so very different from each other, that they need to be processes also in place for the individual types and characteristics of attacks. So I think that is really an important role for the season
And, and that, that is why I believe we need to really change focus. So prevention is important, detect, defend response, all important, but we need to put far more emphasis on resilience and recovery beyond the pure technical perspective. So this is also bigger than what we do in the security operation center, because it's really a key initiative of the business being resilient against what happens in a worst case scenario for tax. And when you refer at the breast over the past years, we have seen a number of very severe attacks businesses at the risk of becoming bankrupt.
Exactly. And I think that is often underestimated aspects. So there is no no plan for, for just switching machines off and to make sure all let's, let's first secure the systems let's, let's secure the data. If you are out of business for today's and happily securing your machines, you're out of business afterwards. So that's really a shift in, in these modern today's online processes having to continue functioning. Otherwise you're, you're out
Your is bigger than trust. ITD stays. This is one of the attack vectors against the business, not only against a single machine, that's what we need to understand. And so we need to tackle it from a business perspective and take a bigger picture.
One important aspect. I think that is often underestimated as well. So once you have gone through this cycle from identify to prevent, to detect, to defend and respond and recover, that is actually the often forgotten improve aspects. So really understand what went wrong, what went well in the last crisis, what did we do exactly as required? And what did we miss out? I think this improve, that is something that needs to be more thoroughly implemented in the processes of an organization. Do you agree?
Learning esteem and improving is really important thing. If you don't learn from your mistakes, you need to learn something urgently, which is
So the overall improvement it's, it's also something that really feeds again into your day-to-day processes may make, makes it more efficient, more profitable and maybe quicker and more, more efficient in general. So I think this, this shift in focus of, of cybersecurity from just protecting, towards being able to recover quickly and safely is a lesson that needs to be learned very well. I think many organizations, again, with the look on the current crisis have learned that very hard just right now. So that's really something that they had to do immediately without any chance. And that will be something that hopefully they can benefit from in later phases. So to sum it up again, cyber security needs to be shifted from the traditional overall just protecting aspect towards a more generic, more overall focus, which includes, and it's mainly focused on recovery. So making sure that critical services are available even in the case of an incident that needs to be planned and maintained very well to keep the business up and running based on the risks identified and the crucial services required for yeah. For continuing operations. So that's again for today. Thank you very much, Martin, for joining me today for this shift in cybersecurity. Thank you very much. And I'm looking forward to having you in a further addition soon. Thank you very much for your time and for your listening to the audience.
Yeah. So thank you for everyone listening to this podcast. Thank you much. Yes, .
