Former CTO of Singapore Press Holdings on securing an organisation’s IT environment
Words of wisdom from Glen Francis, Former Chief Technology Officer at Singapore Press Holdings, on building a roadmap to secure the IT environment of organisations from end-to-end.
Covering three key areas of an organisation’s IT environment can help to mitigate 80 per cent of cyber risk, according to Glen Francis, former Chief Technology Officer of media and broadcasting enterprise Singapore Press Holdings. Image: Glen Francis/LinkedIn
In the pacific island of Vanuatu, public servants are finding themselves having to go old school with pen and paper after a cyber attack took out the government’s network, official sites and online services. This is just one of the hundreds of cyber attacks that have made headlines in recent years, all of which have driven home the importance of cybersecurity for organisations.
“The good thing in this day and age is that most boards in listed companies understand the importance of cyber security,” said Glen Francis, the former Chief Technology Officer (CTO) at mass media firm Singapore Press Holdings (SPH), in an interview with GovInsider.
As a result, leaders are now looking to bolster the cybersecurity of their organisations. The responsibility then falls to IT leaders like CTOs, CIOs and CISOs to assess the security posture of their organisation, and create a roadmap to strengthen it.
The 80-20 rule
“There’s no such thing as perfection, don’t make perfect security the enemy of good security,” Francis says, highlighting that cyber is an ever-changing game. Rather than achieving perfection, the role of IT leaders is to achieve a posture which they believe is good enough for the organisation, he explains.
To do so, Francis recommends the 80-20 rule to get an organisation’s security posture started quickly. Putting in place three key protocols: web isolation, email security, and managing external devices (like USB drives), will mitigate about 80 per cent of cyber risk, he explains.
The remaining 20 per cent is then made up of other aspects including (but not limited to) firewalls, network security, and cybersecurity awareness. While these areas are still crucial, Francis highlights that they tend to take more time to get right as compared to the 80 per cent.
The first step of implementing the 80-20 rule is to ensure that the organisation’s board is aware of the risks posed if the three protocols are not implemented, he says. When in SPH, Francis did so through red teaming, a process where a group simulates a cyber attack to identify potential gaps in an organisation’s cyber posture.
The red teaming exercise helped Francis surface various problems within the organisation’s cyber posture, which he was then able to consolidate into a report that was presented to the board.
Once the board is aware, the process of rolling out initiatives to plug the gaps begins. While there is no hard and fast rule for how to implement these programmes, Francis cautions that it can be a long-drawn-out and challenging process. Companies will need a strong project manager to see such programme implementations through.
Implementing the 80-20
“One of the biggest issues most companies face today is actually the issue of patch management,” he says. Organisations simply cannot patch fast enough. To address this, many organisations will first seek to understand the assets within their IT environment so that they can identify which systems need a patch. They do so by scanning their entire IT environment, but this can take weeks, or even months.
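The scan itself is the slow part, but once an inventory exists the follow-up step is mechanical: compare what is installed against a baseline of minimum patched versions and rank the gaps by severity and exposure. The script below is an added example illustrating that triage step; it is not code from the article, from SPH or from Francis. The hosts, products, versions and severity scores are constructed sample data, and the priority rule (doubling the weight of internet-facing hosts) is an assumption chosen for the example.

```python
"""Patch-gap triage over an asset inventory.

Added example (not from the article or SPH): given an asset inventory
as a scanner might produce it, and a baseline of minimum patched
versions, list which hosts are behind and order them so the most
exposed, most severe gaps come first. All data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


# Constructed baseline: product -> (minimum patched version, severity 1-10).
# In practice this would come from vendor advisories, not be hand-typed.
BASELINE = {
    "openssh": ("9.3p2", 8),
    "nginx": ("1.25.2", 6),
    "log-agent": ("3.1.0", 4),
}

# Constructed inventory, one row per (host, product) pair found by a scan.
INVENTORY = [
    Asset("web-01", "nginx", "1.24.0", True),
    Asset("web-01", "openssh", "9.3p2", True),
    Asset("db-01", "openssh", "8.9p1", False),
    Asset("bastion", "openssh", "9.0p1", True),
    Asset("db-01", "log-agent", "3.1.0", False),
    Asset("web-02", "nginx", "1.25.2", True),
]


def parse_version(v: str) -> tuple:
    """Split a version string such as '9.3p2' into comparable tokens.

    Numeric runs become (0, int) and alphabetic runs become (1, str), so
    tuples never compare an int against a str, and '9.3p2' sorts after
    '9.3' because the extra patch-level tokens make it the longer tuple.
    """
    parts = []
    for tok in re.findall(r"\d+|[a-zA-Z]+", v):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok.lower()))
    return tuple(parts)


def is_behind(installed: str, minimum: str) -> bool:
    """True when the installed version is older than the required minimum."""
    return parse_version(installed) < parse_version(minimum)


def patch_gaps(inventory, baseline):
    """Return the list of hosts behind the baseline, highest priority first."""
    gaps = []
    for asset in inventory:
        if asset.product not in baseline:
            continue  # product not tracked by the baseline; nothing to compare
        minimum, severity = baseline[asset.product]
        if is_behind(asset.version, minimum):
            # Assumed priority rule: internet-facing hosts count double,
            # because the same gap is reachable by far more attackers.
            priority = severity * (2 if asset.internet_facing else 1)
            gaps.append({
                "host": asset.host,
                "product": asset.product,
                "installed": asset.version,
                "required": minimum,
                "priority": priority,
            })
    gaps.sort(key=lambda g: (-g["priority"], g["host"]))
    return gaps


def coverage(inventory, baseline) -> float:
    """Fraction of tracked (host, product) rows that meet the baseline."""
    tracked = [a for a in inventory if a.product in baseline]
    if not tracked:
        return 1.0
    behind = len(patch_gaps(tracked, baseline))
    return (len(tracked) - behind) / len(tracked)


if __name__ == "__main__":
    for gap in patch_gaps(INVENTORY, BASELINE):
        print(f"[{gap['priority']:>2}] {gap['host']:<8} {gap['product']:<10} "
              f"{gap['installed']} -> {gap['required']}")
    print(f"baseline coverage: {coverage(INVENTORY, BASELINE):.0%}")
```

The point of ranking rather than just listing is the one the article makes: patching never keeps up, so the queue has to be ordered by where an unpatched system is actually reachable. Swapping the constructed inventory for real scanner output is the only change needed to use the same triage on a live environment.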
While the cyber security programme rollout is happening, organisations need to be aware that they are not yet at the end stage. There is still a period of time during which the organisation remains exposed to risk, he says.
This is where the ‘shift left’ principle comes into play, Francis highlights. This is a term commonly used in the IT world to describe the process of bringing cybersecurity implementation earlier in the development cycle of new applications and software.
Tabletop exercises are another important component, says Francis. These exercises help organisations plan for the “what-ifs” ahead of time, allowing staff in the organisation to prepare for potential attack scenarios, he explains.
“The more we train, the better it is, as the people on the ground are aware of what they need to do and how to react,” he says. Francis explains how in his own organisation, he had spoken with the CEO ahead of time to gather the CEO’s thoughts on how to handle ransomware situations.
Francis was then able to plan tabletop exercises such that the staff can practise based on that specific scenario. This ensures that when the situation does occur, the IT team need not waste time consulting with the CEO and figuring out their next steps.
Importance of web isolation
Of the three key areas that help to cover 80 per cent of an organisation’s security, Francis highlights web isolation as a common pain point. This is because web isolation is a relatively new concept as compared to email security or the management of external devices.
As such, IT leaders will first need to help the management team understand the risks involved in the web. “All of us are surfing [the web] every day,” he says. “We surf all sorts of sites, and you cannot control your users…it’s very easy for files to come in, and if it comes in, you have a problem.”
In the past, organisations protected themselves from the web by means of physical isolation, such as through the intranet. However, this often compromised the productivity of staff as they were only able to work on devices and in premises that had access to the intranet.
But today, software exists that can allow organisations to protect against threats on the web without isolating it altogether. For instance, cybersecurity provider Menlo Security’s Isolation-powered Cloud Platform sits within an organisation’s network, acting as an air gap that keeps web traffic at a distance from users’ devices and prevents the entry of potential threats.
Addressing up-and-coming threats
“The reality is that hackers are getting more sophisticated. And they’re using and deploying very sophisticated tools to come into our organisation,” Francis says. To address this, organisations need to ensure that all of their employees are aware of and understand basic cyber hygiene practices.
“At least with that, you can react to any threats that are coming up,” he explains.
In SPH, for instance, Francis implemented cybersecurity standards and guidelines established by the National Institute of Standards and Technology (NIST) to ensure that they have the appropriate solutions in place for each cyber risk area.
While putting in place prudent cybersecurity measures can help to mitigate a majority of cyber risks today, there will come a day when the game will change, Francis cautions. Already, concerns have been raised about what the rise of quantum computing will mean for cybersecurity. Quantum computing has the potential to break encrypted data with the ease of a snap of a finger, Francis illustrates.
To best prepare themselves for this, Francis recommends that IT teams should invest ample time into researching and speaking with cybersecurity providers. “Most organisations don’t have an R&D team to research what hackers are doing, but the vendors will have that,” he explains.
This way, organisations will be kept abreast of innovations emerging from the cyber industry, allowing them to keep up with any new threats that may emerge.