6.28.23 > Rohit Tandon

We live in a world full of surprises. Sometimes events around us go unnoticed, and at other
times similar events have the potential to disrupt. Smart folks will develop predictive models of
how a specific event can impact our world and are forever tuning these models for that elusive
accuracy. For example, the Old Farmer’s Almanac winter forecast has been predicting since
1792 and proudly claims 80% accuracy on their website. I cannot speak to the last 230 years
that they were somewhat right, but for the 231st year (Winter of 2022-23) they missed the mark
for my region. Predictive models depend on many discrete variables that are input to forecast
the outcome. These models are better suited for a complicated world where we know all the
components and can precisely measure each of them. In contrast, in a complex world, we do
not know all the components, cannot fully define the interdependencies between those
components, and even small changes in one component can lead to a drastic outcome shift.
Cybersecurity is analogous to a complex world where our predictions are meaningless.

In our complex cybersecurity world, the cyber threat actors are constantly changing as old
criminal gangs are dismantled, maybe by law enforcement, and new entrants continue to pile
on. The techniques used by those cyber criminals to infiltrate technology systems are
continuously evolving. Even the technology and data we are defending for our organization are
constantly changing as we expand capabilities or retire old information systems. We are far
more interconnected in the world today. The bad actors are targeting all organizations, and
their ability to negatively impact our operations can be disruptive for some entities, but
surprisingly has a negligible impact on others. The key differentiator for those that have a
negligible operational impact is their ability to absorb the disturbances from the cyber events
and in doing so they demonstrate resilience.

To defend an organization against ongoing cyber threats, we need to take a multipronged
approach to build that resilience. The prevailing threat today continues to be ransomware for
all industries. As such, cyber security programs must have a higher resilience level against
ransomware criminals and their attack techniques on our technology systems.

We must maintain success on the basics like vulnerability and patch management because our
threat intelligence has highlighted how the ransomware criminals are exploiting unpatched
systems. Another vector of infiltration by the cyber criminals is through phishing emails, and we
have elevated protections on emails and web browsers to filter malicious emails or stop access
to known bad websites. In addition, we must also continuously educate every employee to
remain watchful and report suspicious emails or other activity to our security response team.
Ultimately, we need to ensure our network infrastructure and malware defenses can quickly
contain any detected threat that bypassed a protection layer.

While these protection techniques are necessary, independently they are insufficient to build
that sought-after cyber resilience. To withstand the impact from a cyberattack, an organization
must invest in its ability to respond to an attack from an operational and business continuity
point of view. This investment is more than simply buying more tools for information security
or increasing the funding of the information technology department's resources.

Resilience in business operations needs to be in the culture of every department and employee in your
organization, and they must be adaptable to bounce back from the unforeseen derailment of
technology services. The flexibility of the organization’s employees to pivot and continue to
serve customers is not defined in the middle of a crisis, but communicated and exercised
regularly before the event. This, I believe, is the differentiator for those that have a negligible
operational impact with the ability to absorb the cyber disturbances.

A resilience thinking approach must engage everyone at your organization with a shared
responsibility in defending the technology and operations from an unpredictable and complex
cyber event!

ROHIT TANDON > CISO, Essentia Health

Rohit Tandon is the Chief Information Security Officer at Essentia Health. Rohit has 20 years of information security industry experience in both the public and private sector. Rohit was formerly the State Chief Information Security Officer at the State of Minnesota. He has also worked for Mayo Clinic Rochester to build secure systems for Electronic Health Records and championed Medical Device security. In his career as an information security leader, he has developed enterprise-wide cyber security programs, from establishing vision to directing resources to execute, in multiple regulated environments. Rohit is appointed as a Private Sector Member on the Minnesota Cybersecurity Taskforce to develop a statewide cybersecurity plan for Minnesota, and is an adjunct professor at Metropolitan State University, where he enjoys sharing his knowledge to build the nation’s future cyber workforce.

Connect with Rohit at the Cyber Security Summit at https://www.cybersecuritysummit.org/speakers/rohit-tandon/

You can also connect with him on LinkedIn at https://www.linkedin.com/in/rohit-tandon/