On April 22, odix CEO Dr. Oren Eytan joined Denise Louie of the J.M. Smuckers company for a lively discussion on the importance of IT governance in Critical Infrastructure Protection. We’ll highlight some of the most interesting topics of that discussion in the blog below.
What is the relationship between cyber resilience and protection?
Denise Louie: “Critical infrastructure is either guiding your operations or containing some of your most critical data assets, right. Some of which are governed by law, and governed by law because perhaps organizations were not doing what they were supposed to be doing in the first place relative to that data… I’ve spoken with many IT executives over the years and frankly CFOs and other members of the C suite who are struggling to understand these concepts, right. And they often, through the headlines, understand that there is a certain law that’s driving a certain level of investment in this area. And they feel oftentimes, as I’ve been chatting with them, that once you have met the bar of complying with the law they have done what they need to do, but it’s important for our most senior executives to understand that the law as written is, frankly, the minimum level of protection that an organization should be seeking.”
Dr. Oren Eytan: “I think we need to really reframe the question and not assume it has to be resilience versus protection. Resilience and protection complement each other. So, it’s not that if you have resilience, you can give up your protection, and vice versa. It starts when you’re talking about resilience: you’re talking about some of the rules that you want to impose on your organization, and if you want to impact employee behavior then protection really comes into play. From experience, the only way to improve this is by prioritizing cyber education and awareness training. After dealing with critical infrastructure for so many years, like Denise, I think that you need to have the right mixture between resilience and protection in your organization.”
How do you balance the division of accountability to promote IT governance?
Denise Louie: “All IT professionals need to have this understanding, right. But now, I would say that we have progressed as a society and as this interconnected, global network of, you know, suppliers and companies and consumers of products, that we all now need a basic literacy of IT risk, and IT security and these concepts. When you’re writing policy, and when you’re writing procedure, you need to recognize what is the basic skill level of the individuals that you’re touching. You know, you really do need to understand the credentials that your team has, you know, literally, do they have credentials to support, you know, their work in this field? And therefore, they have got that baseline knowledge and you build from that? Or are you teaching people the very fundamentals from the very beginning? And that would severely change the approach that you would end up taking.”
Dr. Oren Eytan: “The accountability, not only in the military but in any organization, at the end of the day lies with the CISO, or you have one person that is responsible for the information security of the organization. And when something happens, they need to provide explanations. And so, I count him as the one responsible for all the cyber threats, since he’s the guy that, at the end of the day, either the CEO or the Chief of Staff will come to and say, okay, what happened? So, when you are a CISO, or when you are in charge of the cybersecurity of your company… as Denise said, I need to give them the right policy, I need to make sure they understand it, I need to make sure they fulfill it. But I want to make sure that I have other tools to protect myself in order to keep this policy, and I want to have the technology that will help me to do that. Because at the end of the day, we’ve met so many cases of what I call the internal threats, where sometimes cyber-attacks were initiated from internal threats, from internal employees. Sometimes they are doing it intentionally, sometimes, you know, without any intention, but they just forward, you know, some malicious code from somewhere and so on.”
How do you analyze and elevate the importance of data?
Denise Louie: “You need to have a pretty strong pipeline of communication out to your employees, again, understanding kind of their education level in this topic. But I think it starts really with the organization having a strong data classification effort underway to understand the different buckets of information that it handles and whether there is an external law governing it, wherever that law might be, you know, in whatever jurisdiction of the world that the business operates in, or it is something that is contractually mandated by a customer of yours, or a supplier of yours, you know, a contract manufacturer, for example, or something that is maybe just simply, I don’t want to say simply, a trade secret of your own. But the onus is really on the organization to protect that asset, and to help your employees, and for that matter any third parties that you routinely work with, to understand that tier of classification.”
Dr. Oren Eytan: “In the military, we solve this issue very easily. It started when the data was, you know, papers and written letters, and this is the classification method. So, you have kind of non-classified documents. And then you have some classified, and you have different specifications like secret, top secret. And whatever the classification is, it dictates the level of protection that you need to provide to this, you know, to this document or to this source. And when it moved from, you know, paper to data, we did the same thing. Namely, we also said, okay, we need to provide classification for every email and for every piece of data that’s getting into the network, and then we can treat this, and we can impose a different policy based on the classification. So, in critical infrastructure, they try to do something similar when they said, okay, we don’t have top secret or this kind of classification, but we have what we call, let’s say, sensitive data.”
What does the future hold?
Dr. Oren Eytan: “What we see as the trend is that data is all over, and big data has become very common. So, whenever you deal with an organization, whenever you deal with any networking, you have lots of data and a lot of channels that this data may come through to your network. And what I see is that more and more AI tools are there in order to try to look at the data and try to find out and try to make some decisions about the classification, because it’s now become an issue how to really classify the data. When you already decide the classification of the data, then there’s no problem how to protect it, but the issue will come in how to navigate in the ocean of the data, and how you really can define what is really sensitive and what is not.”
Denise Louie: “I think of how this evolution of now how much unstructured data has just kind of taken over our networks. And without discipline, without an understanding of the value of the data that you’re managing, you could inadvertently capture it in an unstructured way and broadcast it to a large audience that you did not actually intend. And it absolutely makes the protection of that data that much harder, but then it makes me think of something that I wanted to get into, oh, gosh, 20 years ago, but it’s called knowledge management, right? So how do you take these nuggets of your most sensitive trade secrets, or, you know, our data assets? How do you discipline the organization in a way that that information remains contained? In a certain, I’ll use the word, container.”