Dr Zibby Kwecka’s passion for cybersecurity and data privacy comes from personal experience. His unusual name makes it impossible to keep a low profile on the internet. “If you are James Smith, you can hide quite well,” says Kwecka, who grew up in Poland. “I can’t hide with my first name and surname combination. That’s why I’ve got quite a big interest in privacy.”
Kwecka is head of information security at Heineken UK, the British arm of Europe’s largest brewer. Before joining the company, he held a variety of cybersecurity-related roles, including lecturer at Edinburgh Napier University, security and resilience manager at the Royal Bank of Scotland, and consultant for firms including KPMG and ECS Security.
In that time, he has witnessed, devised, and executed a number of cybersecurity strategies. Speaking from his home office in Edinburgh, Kwecka shared with Tech Monitor the ingredients of an effective cybersecurity strategy.
No silver bullet for cybersecurity strategy
“If we’re talking about writing a cybersecurity strategy for a business, it’s not that different to writing a very good business strategy,” Kwecka says. “The thing is that, unfortunately, it’s not a very well-thought subject.”
During his time as a cybersecurity consultant, Kwecka says, most of the security strategies he saw were poor, often based on “gut feel” or a “utopian” management vision with little chance of success: “They were not strategies that would be complete,” he explains. “They were based on hunches… and that’s not how a realistic strategy that can be achieved is written.”
Another common mistake that consulting clients made was to ask for security strategies that had worked for other businesses and that could be transposed to their organisations, Kwecka says. “My first answer [to those clients] was no, because everybody is different and you need to understand where you are in the journey,” he explains.
Even within an industry, a strategy that works for one organisation is not a foolproof solution for another. Banks, for example, which would appear to be similar in their operations, need radically different cybersecurity strategies that take into account their idiosyncratic internal and corporate cultures, Kwecka explains. “You need to understand the culture of the business, the culture of the people who made up this business in order to move forward, because what works for one company will most likely not work for another.”
Start with a gap analysis
The first step in creating an effective cybersecurity strategy, Kwecka advises, is to perform a gap analysis – assessing the weaknesses in an organisation’s defences and the maturity of its systems.
“You need to look at where you are today and also understand where you want to be,” he says. “What are your aims in cybersecurity? Do you need to be top-of-the-world secure? Or do you need to be just ahead of the pack? Do you need to be in the main pack? Because in some industries, just being in the pack is good enough to protect you.”
For example, the finance sector’s cybersecurity capabilities are mature, Kwecka says, so keeping pace with “the pack” is an adequate safeguard. Financial institutions also benefit from a high degree of government protection, which serves as a deterrent for cybercriminals. “Hackers don’t like attacking banking these days because the police and other forces are quite quick to go after people that attack them,” Kwecka explains. “If you are within that pack and stay within that pack, that will protect you because people will move away for a weaker target.”
Other industries, however, do not have that level of protection or maturity, making them desirable targets for criminals. According to a report by cloud security supplier CDNetworks, the sectors most vulnerable to cyberattack in 2021 are healthcare, government, energy and higher education. For those industries, staying within their “pack” is not enough; they should instead adopt a more proactive strategy to stay ahead of the game.
“You need to be a little bit ahead of the pack because just benchmarking yourself against a company that you think is very similar to you and is next door to you is not necessarily making you secure,” says Kwecka. “Just because both of you are afloat today doesn’t mean that you will be afloat tomorrow.”
Incorporating external factors and identifying key assets
A cybersecurity gap analysis must also include an assessment of the external threat an organisation faces. “One thing that is different in cyber from any other kind of risk analysis is that there is an active adversary outside of your business,” Kwecka says. “There is somebody out there that is actively working against you.”
Cyber attackers come in four forms: criminals, state-sponsored attackers, hacktivists and insider threats. The first two must be fought with effective cybersecurity defences, Kwecka argues, while the latter two should be deterred by ethical business practices. “Their control is to do the right thing for people,” he says. “You want to be the organisation that is doing the right thing for the environment, for the planet, for individuals… and you would hope that the organisation you work for is doing that.”
The gap analysis should also identify the organisation’s key assets that cyberattackers may want to target. “What are you trying to protect? Is it the availability of a resource? Integrity of data? Making sure that something remains confidential?” asks Kwecka. Although these are simple questions, many organisations are nevertheless unable to answer them – and a gap analysis will force them to do so.
Choosing a cybersecurity framework
Once the business has identified the gap between where it is in terms of cybersecurity and where it wants to be, Kwecka says, it is time to choose a security framework – a set of policies, objectives and guidelines that inform cybersecurity activities.
Few organisations need to devise their own framework, he explains. “You don’t need to reinvent the wheel”. Instead, organisations should choose one of the many available frameworks – such as NIST CSF, ISO/IEC 27001, or ISF Standard of Good Practice – and tailor it to their needs. “That’s what I would advise everybody.”
These frameworks may be too complex for SMEs, Kwecka advises. For those that are not entirely digital, the guidance published by the UK’s National Cyber Security Centre (NCSC) is enough to build a full cyber awareness training campaign and conduct a basic cybersecurity assessment. Digital SMEs, meanwhile, should familiarise themselves with the OWASP Top 10 web application security risks and the 18 CIS Critical Security Controls.
Once the gap analysis and security framework are in place, Kwecka says security strategy should then focus on the organisation’s security behaviours, ensuring that hygiene and best practice are well-established among employees. These behaviours are sustained by strong policies and actions that make up the third and final pillar of a complete security strategy.
Kwecka likens cybersecurity strategy to adopting a new fitness regime. “If you want to get your body to a certain shape (either get leaner or bulking up), you need to understand what’s your starting position. What do you eat right now? Do you need to change your diet or do you need to change your exercise regime?”
Similarly, a company’s gap analysis, security behaviours, and policies and actions must be managed together. “When you’re presenting a strategy, you need to have those three elements together.”