A whitepaper to understand BiModal IT Security Risks & Considerations from a CISO perspective.

1. CISO Organizational priorities to build a Resilient Bimodal IT
Every Enterprise is challenged to provide increased value to customers to find predictable growth
as their stakeholders expect. Constantly delivering increased value show their customer care
which will in turn help their businesses to grow. On a closer look, senior business leaders become
responsible for the following during certain as well as uncertain times.
1. Keep-the-wheels-on to deliver predictable stakeholder expectations at minimum.
2. Constantly maximize value by using innovative methods and approaches.
The above mentioned sustain and innovate type of paradigm confirm to two different work
models and approaches. When these two modes are combined to deliver results through
Information Technology, it is referred as Bimodal IT. These two modes require different
leadership styles, strategies, approaches, workforce, culture and execution models.
Developing such an IT Organization is a CIO priority. CISO has to align security Organization to
support the IT Environment to realize Bimodal success. From a CISO perspective, they use a
different lens to review the inner workings of IT Environment and operations. With-in these two
silos, CIO objectives are most unilateral as his/her key focus is only on enablement to produce
desired outcomes. CISO’s organization has to take on the harder task of identifying different
Bimodal IT risk dynamics. Their approach has to be tuned-for-modal which otherwise, there is
an increased tendency of creating friction in supporting Bimodal initiatives. These two modes
different types of information risk, business continuity and resilience issues. It is a CISO priority
to ensure most of the Cyber risk (if not all) is addressed.
Modal 1 Organization is more conventional organization which focuses on ensuring the continuum of
activities using existing Systems, Channels, Architectures, Infrastructure, Frameworks & Applications.
Modal 2 Organization may be using exploratory technologies that are less than 3-4 years old, often may
be from Gartner’s first or second plateau of Hype cycle. Quick adoption to these technologies provide
strategic and transformative edge over competition. To insert these technologies, IT has to identify game-
changing usecases. To pilot these, they use new business models, new systems – on-premise/cloud, new
devices, niche vendor’s workforce for a short-term --- all these variabilities introduce a different type of
risk. To facilitate such R&D, Modal 2 priorities and their risks should be well-understood and
communicated to the workforce.

2. Knowing the symbiotic relationship between cybersecurity and
cyber-risk, it would be better we speak with respect to risk
dynamics, objectives and priorities rather than solely from
cybersecurity moving forward. Because time and time again, no
matter how much ever technology has been stood up, there is
always an enterprise that has been breached. So, enterprises
started to look cybersecurity as a risk management issue rather
than it is solely a technology issue.
Modal 1 Security Challenges & Objectives Modal 2 Security Challenges & Objectives
Protect existing Intellectual Property Secure new innovation
Preserve Privacy Ensure delivery of competitive advantage
Secure existing Systems Manage unknown risks introduced due to new
technologies, new business processes and people
engagement through new partnerships
Sustain value Anticipate risk and sufficiently allocate people and
financial resources
Ensure CIA of existing infrastructure – network,
systems and applications
Ensure risk is transferred to third party suppliers
and vendors while drafting new contracts &
agreements
Ensure safety of People – Employees, Partners &
Customers
Isolate environments from day to day to contain
emerging risk
Secure day to day functioning of enterprise Identify suitable approach to integrate new
development into existing. Be aware thread
model and knowledge may not be completely
available for new technologies and their
integration touchpoints
All modal 2 initiatives mostly pose high risk and constantly face greater resistance of change-averse forces
due to the very nature of their perceived engagement to serve as business extenders and game changers.
All this new and creative work that has been developed soon or later has to be integrated into the modal
1 IT environment. Most of the Modal 1 environment infrastructure is not so latest and there may already
be a high technical debt, which further modification to infrastructure, network and applications may
introduce new threats and vulnerabilities when they are being integrated at a rapid speed. New
technology has to be gradually and incrementally adopted across the enterprise to deliver the required
business value.
As an example, if an Enterprises has just started journey with Big Data, Machine Learning, building new
data lakes, 3D technology, Robotic Process Automation etc., the threat model for these technologies and
their integration touchpoints are aware to a greater extent. So, with right partnerships, all the risks can
be sufficiently mitigated. There is very little residual risk that may exist for integrating these types of
technologies.

3. However, if an Enterprise has started understanding the relevance of IoT, Cognitive, 4D Printing,
Computer Vision, Brain-computer interface, Smart Robots, Virtual Assistants, Blockchain, Autonomous
vehicles etc., the technology and tools aren’t sufficiently developed. Threat model for these is not
completely known. These threats may not purely emerge from the technology itself but may also emerge
from its application. While addressing such integrations, ensure the following:
• security policies are appropriately updated
• vulnerabilities are caught early in the development cycle
• collect required data points sufficiently to meet compliance objectives
• rely strongly on adaptive monitoring, detection and protection model leveraging SIEM &
integrations
• constantly collect KPI’s that help you review the security posture of new software
• consider security by design
• perform risk assessments
• transfer risk wherever applicable in new contracts and agreements
• apply latest patches ensuring endpoint security
• perform sufficient penetration testing
• use third party expertise to minimize exposure
• keep check on technical debt. Remediate wherever necessary
• use network sandboxing during pilot phases
• perform business continuity exercises and update playbooks to meet revised RPO & RTOs
• take more backups at frequent intervals until sufficient trust is developed
• think through the domino effect, it may be different from what is before. As an example, it may
cause loss of privacy along with lost sales and pressure on operations.
• review controls
The above are just few that I could think of, there may be many other considerations. No matter what is
done, everything cannot be protected. It will be a myth to think that you have considered everything to
sufficiently protect the enterprise. Occasional negligence may also a risk. It is not just the responsibility
of Business Leaders and Executive/Senior Management to ensure cybersecurity. It is everyone’s
responsibility. So, everyone should be educated to defend risks at all levels. At the last, be prepared to
respond if there is a breach. It is inevitable, often times, the lack of proper response to a breach will cause
more damage than the breach itself.