Water Sector: How Should You Start Assessing Risk and Sharing Threat Information?

Let’s start with two of the controls that really do require partnerships to be successful: Assessing Risk and Information Sharing (exchanging threat intelligence with others). Both controls rely upon having a strong knowledge base around how attackers are attacking. The industry terminology for this knowledge is Tactics, Techniques, and Procedures, or TTP for short. Knowing the methods and motivations of real-world attacks requires having a pulse on the global threat landscape and how it impacts individual organizations. Working with vendors who offer security-first products and proactive guidance is a great way to gain direct access to this knowledge. Ask your vendors to share insights, and look for vendors who offer regular touchpoints to stay connected with what’s happening from one quarter to the next. Threats can change rapidly, and based on the uptick water facilities are seeing in cyber attacks, a regular cadence is important to understanding the size and shape of your threats in real time. Additionally, participating in organizations such as WaterISAC will give you a great avenue to understanding the threat landscape within the water sector.

Assess Your Risks (#2)

AWWA’s fundamental guidance describes the Assess Risk component as “daunting to measure” and goes on to recommend that “consulting firms also provide these services.” Assessing risk is one area that can really benefit from an outside perspective. It’s easy to get tunnel vision inside an organization, thinking, “No one would bother to attack us, so we have no real cybersecurity risk.”

Participate in Information Sharing and Collaboration (#15)

Partnering with a trusted advisor or outside firm can bring a fresh perspective and will give you direct access to lessons learned by other organizations. The fact is, many of the same risks that you may or may not have considered yet have likely already impacted other organizations similar to yours. Learning from their experience with those attacks will strengthen everyone. So, when you are facing new attacks, it’s key for you to also share that information in the right industry-based cybersecurity forums.

Embrace Vulnerability Management (#7), Implement Threat Detection and Monitoring (#10), Secure the Supply Chain (#13)

Consistent vulnerability management, proactive threat monitoring, and tackling complex security challenges like securing the supply chain are all types of security program controls that can be done more efficiently through strategic partnerships with vendors and MSSPs who specialize in security-first services. Offloading these duties is a great way to free up internal resources to focus on your own strategic efforts. For example, leaving around-the-clock monitoring to a dedicated team that can perform this service much more efficiently, expertly, and cost effectively will keep you from having to hire additional full-time staff, purchase a whole stack of enterprise security tools, find experts who can manage the tools, and keep your people up-to-date with security and tool-based certifications.

The monitoring team you work with will be your front-line defense, whether you choose to keep it in-house or work with a partner. This team will need to operate 24x7x365 to keep a watchful eye on your infrastructure and respond within a few minutes when needed. Our experience has been that the most dangerous cyber criminals generally level their attacks during your team’s off hours or holidays, so you can’t really afford to just leave alerts to wait until the next business day. Having a team who can respond to vulnerabilities and alerts in the middle of the night 24/7 is expensive to do on your own, however. Forming a strategic partnership with a security operations center (SOC) gives you the best of both worlds: around-the-clock monitoring, but at a fraction of the cost. Going back to our Security is a Team Sport motto, working with a dedicated SOC partner means benefiting from all the insights a partner like TRUE gathers from defending attacks across all their other customers. A good SOC will always know what attacks are currently ongoing elsewhere, as well as what steps it takes to stop them. Then, if signs of the same attack are seen in your environment, experts will know from experience exactly what to expect, where to hunt for additional compromises in your environment, and what needs to be done about it. These are elements that you would miss out on by maintaining an internal-only program.

Create a Cybersecurity Culture (#8)

I wanted to end on one fundamental that should not be outsourced, and one that can’t rely upon a partner: creating a culture of cybersecurity. Developing a culture of awareness requires dedication, willingness, openness to new information, and a strong commitment from leadership. The best way to engage with leadership is to get them involved in the process everywhere you can.

  • Doing an incident response tabletop exercise? Invite your leadership to attend and give them a role to play, like assigning them to engage as Middle Management.
  • Assessing the cybersecurity risk from a critical vendor for supply chain concerns? Invite your legal counsel to get their perspective.

The best cultures of cybersecurity I’ve seen are not ones where leadership is just simply informed about cyber threats and the status of the security program, but ones where leadership is engaged in the process, guiding strategic direction, and pushing the organization to prioritize security. Involving them to the greatest degree possible will ensure long-term success when building and growing your program, because the focus on secure practices will start at the top.

If you would like to talk about decisions your organization is facing with technology, you can request a consultation with us any time. We are here to help!