Is Your Board Ready For New Cyber Regulation?

The author of this article argues that organizations that invest in mil-spec cyberdefense strategies such as cyber ranges can dramatically increase their ability to defend against a hack, while maintaining a cyber cost reduction.
Cybersecurity remains a major concern for wealth managers, private banks, family offices and other entities. That’s unsurprising: that’s where the money is, as a convicted bank robber once told a judge when asked why he kept robbing banks. In recent years we’ve explored cybersecurity on a number of fronts. (See an example here.) We’re pleased to share the following commentary from James Gerber, who is chief financial officer of SimSpace, a Boston, Massachusetts-based security business in the digital space. Gerber explains how organizations can prepare for increased regulation and prove their cybersecurity program’s readiness under emergency conditions. (More about Gerber below.)
The editors are pleased to share these insights; the usual editorial disclaimers apply and we urge readers not to be shy and jump into the conversation. Email tom.burroughes@wealthbriefing.com
In March 2022, the US Securities and Exchange Commission issued a proposed regulation – Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Within it, the SEC describes the need to enhance the standardization of disclosure regarding cybersecurity risk management and reporting. This follows the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (CIRCIA), signed into law last March, which asks companies to voluntarily disclose their cyber breaches.
With the new proposed regulation, the SEC suggests that organizations should be mandated to periodically disclose the policies and procedures they have in place to identify and manage cyber risk. This would include management’s role in implementing cybersecurity best practices as well as board members’ cybersecurity expertise. The proposed regulation would also require companies to provide updates about previously reported cybersecurity incidents.
The regulation intends to inform investors in greater detail about a registrant’s risk management strategies and the governance it has in place to ensure that its systems are ready to face a cyber attack. However, the proposal has resulted in outcry and demands for withdrawal from Fortune 100 companies, who fear that the regulation will have adverse consequences for share price and stakeholder demand.
The threat to businesses
Catalyzed by the Russian war in Ukraine, threat actors continue to attack national critical infrastructure and governmental organizations around the world. However, these tactics, techniques and procedures (TTPs) are now being launched at businesses and organizations as cybercriminals become increasingly focused on extorting and exfiltrating sensitive data from highly lucrative businesses. The IBM Cost of a Data Breach Report 2022 revealed that the overall cost of a data breach averaged $4.35 million in 2022, an all-time high.
Regulatory bodies have now recognized the importance of cybersecurity legislation for companies as organizations continue to fall victim to cyber hacks. The goal of ensuring that boards are doing everything in their power to protect sensitive customer and investor data will now hold organizations directly accountable for their cybersecurity defence plans and tools.
Cyber defense strategies
As complete cybersecurity disclosure will likely become mandatory for businesses, they would be well placed to act now to avoid data leaks and legal reprimands. Outside of the proposed SEC regulation, the Biden administration is also getting much more aggressive. A 35-page document, entitled National Cybersecurity Strategy, is expected to be signed in the coming months.
The paper will impose mandatory regulations on a wide swathe of American industries. The bill will also authorize US defense, intelligence, and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments. Governments and regulatory bodies are awakening to the threat posed by hostile nation state actors. Businesses must ensure a return on cybersecurity investment, especially in an uncertain economic environment.
Organizations have to ensure that their cybersecurity platforms are running effectively and cost-efficiently. This is essential for best practice cybersecurity disclosure as well as customer confidence and investor reassurance. One way in which organizations can prepare for this new wave of mandatory regulation is to test their defensive capabilities within a safe, simulated environment, such as a cyber range.
Implementing advanced cybersecurity technology
A cyber range is a high-fidelity, scaled replica of an organization’s production environment, complete with accurate terrain and the actual, primary defense tools. Cyberattacks can then be launched against this model, identifying weak points through which threat actors can enter. This system can also quantifiably measure the success of each of an organization’s defensive tools. The applications which are not providing quantifiable intelligence can be offloaded, saving the company money which can be invested elsewhere.
Although a range realistically simulates user and active traffic within which real attacks and defense can occur, testing to this extent within a replica of a network rather than the real system means that the company does not have to sacrifice its uptime or risk major damage to its systems.
A cyber range is flexible enough to rapidly build a detailed replica of a production network and to examine overall performance with a different set of tools. An organization's whole-stack performance can be scored against the latest attack threats. In this way, businesses can safeguard the data held within their networks by constantly testing their people, processes, and technology.
Businesses should be determining the preparedness of their organization against known threats by using cyber ranges in accordance with best practice guidelines:
1. Performing exercises aimed at reviewing your current breach and disclosure process in order to understand the gaps within your organization’s defense systems.
2. Conducting live-fire exercises on a cyber range can establish new success benchmarks and identify weaknesses within your people, processes, and technology. From this, a dashboard can be established to track performance in accordance with the new SEC standards.
3. Based on the results of the range exercise, organizations then need to start a program of continuous security improvements that would include updating their processes, training their teams, and optimizing their security stack.
4. Finally, businesses need to develop a regular cadence of communications across their leadership teams to provide security and risk reviews for all new business initiatives and third-party programs, ensuring an end-to-end security mind-set.
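The article says a range can "quantifiably measure the success" of each defensive tool and feed a dashboard that tracks performance against a benchmark, but does not show what that scoring looks like. The following is an added example (not SimSpace's code or the author's): it takes the outcome of one constructed range exercise, in which each replayed attack technique records which tools alerted on it, and computes per-tool coverage, the techniques nothing caught, the detections only one tool contributed, and the tools that contributed nothing unique (candidates for review, as the "offload" step describes). The record format, tool names and technique names are all assumptions made for the illustration; real exercise data would come from the range's own telemetry.

```python
"""Score defensive tooling from one cyber range exercise (added example)."""

# Constructed sample data, not taken from the article or any real exercise.
# Each record is one attack technique replayed on the range and the set of
# defensive tools that raised an alert on it. Tool and technique names are
# placeholders chosen for the illustration.
EXERCISE_RESULTS = [
    {"technique": "phishing-attachment", "detected_by": {"email-gw", "edr"}},
    {"technique": "credential-dump", "detected_by": {"edr"}},
    {"technique": "lateral-movement-smb", "detected_by": {"ndr"}},
    {"technique": "data-staging", "detected_by": set()},
    {"technique": "exfil-https", "detected_by": {"ndr", "dlp"}},
    {"technique": "persistence-scheduled-task", "detected_by": {"edr", "legacy-av"}},
]

# The tools deployed on the range replica (assumed names).
TOOLS = ["email-gw", "edr", "ndr", "dlp", "legacy-av"]


def _require_results(results):
    if not results:
        raise ValueError("an exercise with no replayed techniques cannot be scored")


def overall_coverage(results):
    """Fraction of replayed techniques that at least one tool detected."""
    _require_results(results)
    detected = sum(1 for r in results if r["detected_by"])
    return detected / len(results)


def undetected_techniques(results):
    """Techniques that no tool alerted on: the gaps the exercise exposed."""
    return [r["technique"] for r in results if not r["detected_by"]]


def coverage_by_tool(results, tools):
    """Fraction of replayed techniques each tool detected, on its own."""
    _require_results(results)
    return {
        tool: sum(1 for r in results if tool in r["detected_by"]) / len(results)
        for tool in tools
    }


def unique_detections(results, tools):
    """Techniques caught by exactly one tool; removing that tool loses them."""
    unique = {tool: [] for tool in tools}
    for r in results:
        if len(r["detected_by"]) == 1:
            (tool,) = r["detected_by"]
            # setdefault tolerates a tool that alerted but is not in `tools`
            unique.setdefault(tool, []).append(r["technique"])
    return unique


def offload_candidates(results, tools):
    """Tools whose every detection was duplicated by another tool.

    These are candidates for review, not automatic removal: one exercise is
    one data point, and a tool may cover techniques that were not replayed.
    """
    unique = unique_detections(results, tools)
    return sorted(tool for tool in tools if not unique.get(tool))


def coverage_delta(previous, current):
    """Change in overall coverage between two exercises (the benchmark trend)."""
    return overall_coverage(current) - overall_coverage(previous)


def scorecard(results, tools):
    """Everything a dashboard row for one exercise would carry."""
    return {
        "overall_coverage": overall_coverage(results),
        "undetected": undetected_techniques(results),
        "coverage_by_tool": coverage_by_tool(results, tools),
        "unique_detections": unique_detections(results, tools),
        "offload_candidates": offload_candidates(results, tools),
    }


if __name__ == "__main__":
    for key, value in scorecard(EXERCISE_RESULTS, TOOLS).items():
        print(f"{key}: {value}")
```

Running the block on the constructed data shows five of six techniques detected, `data-staging` caught by nothing, and `dlp`, `email-gw` and `legacy-av` flagged because every alert they raised was duplicated by another tool. The `coverage_delta` function is what turns repeated exercises into the benchmark trend the article's second step describes: store each exercise's `scorecard`, then report the delta from the previous run.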
Organizations that are investing in mil-spec cyberdefense strategies such as cyber ranges can dramatically increase their ability to defend against a hack, while maintaining a cyber cost reduction. This means that they will be able to accurately and confidently report to regulators on their cyber shielding practices, instilling confidence and trust in their customers and investors. Cyber ranges provide evidence which can be presented to regulation boards and shareholders, proving that an organization's systems are combat-ready to tackle the latest cyber threats.
About the author
James brings over 30 years of experience working with the leading providers of cutting-edge cybersecurity in the industrial and transportation sectors. Prior to joining SimSpace in 2007, James was the CFO of venture and private equity-backed companies in the cybersecurity and education spaces, serving as a leader in the governance of an SEC-regulated public company traded on the New York Stock Exchange. During his time at the Pension Benefit Guaranty Corporation, he oversaw risk forecasting over most of the companies in the S&P 500, and he managed an institutional investment portfolio with over $50 billion of assets under management.