Regional cybersecurity faces fire

ON THE first day of the cybersecurity track at AmCham’s Health, Safety, Security, and Environment Conference on November 11, the regional response to cybersecurity threats led the agenda.

The discussion on the topic Outpaced and Under Fire – Navigating the New Era of Cyber Threats was summarised by moderator Gerardo Rivera Menjivar, “Traditional threat models are being outpaced and this means our strategies, governance, culture must evolve just as fast.”

Even casual observers of cybersecurity breaches are aware that attacks on businesses have increased dramatically over the last six years, despite industrious local efforts to keep successful breaches a business secret. Some cyberattacks were so bold and their impact so disruptive that they couldn’t be hidden.

How does TT and the region move forward from an approach that clearly isn’t working?

“We still operate largely in silos in the Caribbean,” said Dale Joseph, chief analyst, cyber, at Caricom IMPACS, the region’s collective implementation agency for crime and security response.

“That’s a problem, because if we don’t share information, we won’t be able to co-ordinate and we won’t be able to respond to (threats effectively). It could be ransomware, it could be AI-enabled threats, but if we don’t share information, we won’t be able to co-ordinate and have a structured, realistic response. In response to a cyber incident, there’s often confusion, knowing who to call, when to call, and who has responsibilities for what. That’s a challenge for us.”

“Just having asset management, even an Excel sheet (listing) some of your main assets, I’ll take that as opposed to nothing,” said Anish Bachu, head of the National Cyber Security Incident Response Team.

“That’s where things fall apart through failure to prepare. I can’t tell you how many times, during an incident, we’re trying to figure these things out on the fly.

“You never want, on one of the worst days of your professional career, to be trying to figure out who to call. I think the biggest failure (I’ve experienced) is the failure to prepare.”

“From an organisational standpoint, a siloed approach is one of the biggest hindrances to resilience,” agreed Travais Sookoo, security engineer with Check Point, a cybersecurity response and risk assessment company.

“Every department is juggling and running to do something, but nobody’s co-ordinating in between. (In my) experience across the region, that lack of co-ordination during an event leads to slower recovery, and after an event, a lack of lessons learned to improve handling of future incidents.”

The lack of legislation requiring disclosure from businesses or government agencies after a breach is another stumbling block to effective response.

“If you don’t tell the doctor your symptoms, you can’t be treated,” Joseph said.

“In TT and many other islands in the Caribbean, there’s still no legislation to compel organisations to report incidents. I’ll get a call from other contacts, there’s an incident. But is there a structured approach for them in legislation that would compel them to report? Preparedness and co-ordination would dovetail from that approach. This structure would come from a national security strategy.”

Should leaders be held personally accountable for inaction that leads to cybersecurity risks?

“We’re all accountable for something. If I’m not accountable from a business perspective, then who really drives this change? No one,” said Terrence Panchoo, head of technology at Proman Trinidad.

“If I’m unable to say, yes, this is a result of an issue that we had, then who really is responsible? There’s a move to legal accountability for corporate executives. In the event of gross negligence, they will be held accountable and are potentially liable, whether it be in financial compensation or other mechanisms.

“Boards that are being formed now accept that these areas of both cybersecurity and ECG (ethics, compliance and governance) are critical components (of their scope of responsibilities).”

“(When it comes to) accountability in failures in cybersecurity, it needs to be a balanced discussion,” said Bachu.

“Looking for a head to put on the block at the onset of a cyber incident will not get us anywhere productive. I only get information (from the C-suite) if they see me as a trusted source. If they see me as somebody that they could talk to without getting in trouble with their board or without getting in trouble with their line minister. If I share this information with you, I’m going to get in trouble.

“We’re still talking about getting boards to accept that responsibility, getting senior persons in government to accept that responsibility. Once we get to the point where somebody owns it, then we can talk about accountability after the fact.”

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there.