Securing Global Crown Jewel Applications
Shankha Mukherjee is Vice President of Global Application Delivery at Schneider Electric. In his role, he oversees the application delivery of Schneider Electric’s global platforms such as SAP, Oracle, Manhattan and Salesforce, and manages global delivery teams based in India, the US, Mexico and Europe. Shankha is currently based in Nashville, TN, US.
One of the key items on every CIO’s daily agenda is cybersecurity: is my organization secure and well protected? The rapid growth of digitization, and of the value moving into the digital world, is driving computer usage across the globe. As of the end of 2016, 51% of people on earth were connected to the internet, a figure expected to reach 75% by 2022. This growth correlates with an increase in computer crime: data breaches (3.1 billion records breached in 2016), data manipulation causing millions of dollars in losses, and the spread of “worms” and “viruses” creating widespread damage, such as “WannaCry” in 2017. Governments and organizations worldwide have recognized computer abuse as one of the major threats to both economic security and national security. An in-depth understanding of computer crime, and the development of prevention strategies, requires combining knowledge from criminology, psychology, sociology, computer science and cybersecurity. For global corporations, securing the crown jewel applications is a top priority, and any breach results in financial loss and loss of trust in the organization. Crown Jewel applications are the most important applications of an organization: the ones on which the business runs and in which business-critical data is stored. Securing these systems and ensuring their availability is paramount for the survival of the organization.
Securing Crown Jewel applications is a very specialized activity. It requires working with experts from multiple domains, including IT strategy, IT architecture, IT security, IT networking, business leaders, auditors and many other teams, to protect them from criminal activity. Security experts and researchers such as Cohen & Felson (1979) suggested that three crucial elements are necessary for a predatory criminal act: a motivated offender, a suitable target, and the lack of a capable guardian. If one of the elements is absent, crime is not likely to occur; if all three are present, the chances of crime increase. The first step is to identify the Crown Jewel applications in your organization, i.e. the suitable targets that motivated offenders will go after. Examples are applications which store financial data, customer data (such as credit card information), trade secrets, product pricing, etc. Enough time must be allowed to assess the Crown Jewel applications; it is an exercise that requires specialists to guide business and IT leaders, and once the list is prepared, it is recommended that top management validates it. Once the Crown Jewel applications are identified, the next step is to assess the motivated offenders, i.e. the profile of the attackers who may target your applications. This step is important for assessing the strength of capable guardianship required.
Increasing the strength of capable guardianship to deter criminals and staying one step ahead of attackers in today’s world is a big challenge, and it requires a multipronged strategy. Training employees on cybersecurity, creating organization-wide awareness, implementing a security policy, deploying strong firewalls, conducting internal and external security audits, and creating a security operations center are some of the steps that increase deterrence by strengthening capable guardianship. Just as good policing deters criminals in the physical world, the digital world also requires strong guardians and deterrence. The office of the Chief Security Officer (CSO) plays a vital role and determines the strength of capable guardianship. External security rating agencies such as BitSight, which measure the security performance of organizations based on externally available data, provide good insight into areas for improvement.
The cyberspace environment is “antispatial”, meaning that cyberspace is not bounded by distance, proximity, or physical separation. Deterrent strategies in cyberspace are still evolving, and there remains a grey area as to what counts as hacking versus terrorism. Governments and organizations must build very sophisticated capabilities to gather evidence and pinpoint the criminals. Between governments, treaties are needed to extradite cyber criminals and bring them to justice. The Budapest Convention serves as a guideline for any country developing comprehensive national legislation against cybercrime, and as a framework for international cooperation between the State Parties to the treaty. Deterrence by denial means creating highly resilient mechanisms that reduce the cyber criminal’s incentive to attack. Reducing the expected benefits, increasing the costs, and raising the risks can sway a potential attacker’s cost-benefit analysis of a cyberattack. CIOs and CSOs must create highly resilient ecosystems to protect the Crown Jewel applications.
The reputation of an organization today depends on the security of its Crown Jewel applications. Customers prefer to do business with organizations where they feel confident that their personal and financial data is secure. Any security breach amounts to major financial loss and loss of trust. In today’s digital world, an organization’s survival and success depend on the security of its Crown Jewel applications.