Cybersecurity: at the forefront

Department of ICT Policy and Innovation, Ministry of National Security, Government of Bermuda

Everyone, everywhere, is concerned about, or at least interested in, cybersecurity. Are the systems we have in place enough? What is best practice? What are other organizations and countries doing? What can we do to get ahead of the curve?

It is no secret that enterprises will have to change the way they do business and secure their digital assets in order to meet their ever-evolving needs. Going hand in hand with the changing customer landscape and business practices is an overarching need for a change of mindset. While customers and system users are for the most part aware that digital assets are sensitive, their understanding of the scope, impact and potential severity of a cybersecurity breach is often lacking. It is also key to balance the needs of the customer against the need for tighter controls and practices made necessary by the cybercriminal element.

Cybercriminals and their attacks evolve in the same manner as the customers they target, whether selectively or indiscriminately. It is important to remember that although the goals of attacks may not change, the tactics will. It is imperative that enterprises respond in kind, through proactive education, awareness training, monitoring and controls. With the ever-evolving cybersecurity landscape, it is also important to share new information and encourage communication, not just between organizations but between jurisdictions as well.

Bermuda in Baltimore

Recently a delegation of team members from the Ministry of National Security within the Government of Bermuda represented the Island of Bermuda at the NIST (National Institute of Standards and Technology) Cybersecurity Risk Conference held in Baltimore, Maryland. The conference aimed to share and explore best practices and to encourage stakeholder input on key cybersecurity and privacy risk management topics, and it did just that.
The three-day event was attended by an estimated 700 cybersecurity and privacy professionals from organizations of widely varying size, background and needs. Topics included privacy engineering, maintaining cyber-situational awareness, and using NIST standards to develop an information systems risk management programme for a small Government. The conference also aimed to provide an inclusive experience, one that gave guidance and direction not only to large enterprises but also to smaller business professionals who understand the importance of promoting digital awareness and security.

The value of the meeting of minds lay not only in the information that was expertly, and at times entertainingly, presented, but also in the candid and fruitful conversations it sparked. Roundtable discussions and workshops gave cybersecurity professionals the opportunity to present their real-life situations and allowed others to seek solutions through guidance in areas such as vendor management and compliance. A cultural shift in the cybersecurity sphere was apparent: more and more organizations are taking seriously the requirements for a safe and secure enterprise.

Bermuda provided an overview of the Information Systems Risk Management Programme it developed to protect information and information systems within its Government departments. The presentation, led by Stuart Daniels, Security Manager for the Government of Bermuda, outlined the steps taken by the Government in recognition that the security of Government information systems and related critical infrastructure is vital to the success of the country. Although Bermuda is a small island, it hosts many international businesses, and the Government of Bermuda is a diverse and complex organization, which presents a unique set of challenges.
Daniels explained how Bermuda has used internationally recognized security standards to develop a programme tailored to its own needs. To meet the increasing needs of both the Government and the Island as a whole, strategic planning began by identifying and categorizing assets. That led to clear delineation of roles and responsibilities within the organization. Awareness and training for all users at every level of the organization was the next big push. A formal process was then implemented to ensure that security is integrated into the systems' life cycle in a consistent, effective and efficient manner; this also required the development of appropriate policies, standards and procedures.

Foundational programme policies were developed and approved at the highest decision-making level, the country's Cabinet:

Information Systems Risk Management Programme Policy
Information Systems Security Categorization Policy
Security Awareness and Training Policy

The programme also requires that appropriate standards, procedures and practices be implemented and maintained for all NIST SP 800-53 Security and Privacy Control Families. The Information Security Risk Management Committee, a cross-sectional, multi-disciplinary team, was established to guide the implementation of the programme in four phases:

Phase 1. Secure the general support and common security control systems.
Phase 2. Protect highly critical and sensitive departmental systems.
Phase 3. Stabilize the remaining business information systems.
Phase 4. Maintain continuous monitoring and improvement.

As the programme matures, more advanced quantitative risk assessment methods and threat modeling processes are being developed so that it continues to evolve to meet ever-increasing threats. The country continues to push forward while maintaining the security of its information systems and critical infrastructure.
Cybersecurity is a mindset

Phased awareness training is an important facet of cybersecurity. Bermuda understands that effective cybersecurity begins with a core foundation of knowledge that sets the stage for effective application. Through continuous monitoring, the Government of Bermuda strengthens its first line of defense against cyberattacks: system users at every level. In this way it is able to reduce the likelihood and impact of future incidents. Bermuda, like many other jurisdictions, has found the NIST Cybersecurity Framework to be a helpful tool for aligning information systems with business needs across departments and ministries while identifying information gaps and security control deficiencies, allowing effort to be focused on specific areas for improvement.