That’s the million-dollar question, and the one CIOs or anyone responsible for managing an IT estate is constantly asking themselves. With the number of reported successful cyber attacks on big name establishments on the rise, it seems no one is immune. And the consequences of such an attack – both in terms of cost and reputational damage – can be enormous, potentially threatening the long-term viability of the enterprise.
So it’s a question that warrants some serious consideration.
We’ve probably all looked at some of the recent high-profile attacks and felt that the targeted organisation clearly hasn’t got the basics right. Equally, some of the more complex attacks appear almost impossible to completely mitigate. The reality is that many of the new options for mitigating security risk are becoming increasingly expensive and complex. Ultimately, the attacker only needs to find one weak line of defence to gain a foothold that can ultimately lead to a breach.
It’s a question of balance
In the current climate, as IT decision makers we could easily spend all our budget ensuring that we have the most advanced processes, people and technology to secure our estates (including moving away from increasingly vulnerable legacy platforms). But this drastic approach would leave nothing available for delivering new applications or services that keep the enterprise viable.
It used to be that implementing a DMZ, a few firewalls, a level of anti-virus and a patching regime was adequate for nearly all organisations. But the plethora of modern countermeasures is complex. And it is no longer clear which are the basics and which are enhanced capabilities only appropriate for organisations facing advanced threats (that’s assuming we even knew which organisations are exposed to advanced threats!)
When this is combined with the reality that our enterprise data is no longer in one place behind the castle walls, but instead it’s spread across multiple cloud, SAAS and on-premise platforms, the potential for security costs to increase exponentially starts to become a reality.
These technologies and approaches seem to change every day and this week include, but are not limited to…
|· Anti-virus||· Patching||· SIEM|
|· Behavioural analytics||· EDR||· App execution control|
|· Security architecture||· Isolation appliances||· Risk management tooling|
|· Red teaming…||· and Blue team, Purple team, Gold team – next month I’m sure there will be new hues to choose from||· Automated security code review|
|· Honeypots||· Multi-factor authentication||· Forensics|
|· Intrusion detection||· Security automation||·Threat hunting|
…I could go on for a very long time…
So how do you decide which threats to invest in mitigating?
I have a new security vendor wanting to present their tooling to me almost weekly but none of them have a viable answer to the question: “If I implement your technology, which of my current portfolio of countermeasures can I remove?”
Each one admits that their capability is incremental and continues to attempt to justify the (often eye-watering) additional cost in terms of threat mitigation. They all describe a real threat. But how do I decide which threats I should invest in mitigating, which tools to use, and which risks I should manage in another way?
In reality, we are all constrained by budget and resource. The need to innovate to provide new and improved digital services to employees, partners and customers is a fundamental need of all enterprises today. But this has to be balanced with the investment required to mitigate the ever-advancing security threat.
Hindsight and agility are critical
So how do we balance a portfolio where new function and digital capability are as key to the success (or even survival) of the organisation as a comprehensive approach to security?
The only ‘right’ answer comes with hindsight.
So, we need to maximise rapid learning from the threat, attempts and successful breaches, both internally and across peer organisations. Adopting an agile response to the combination of incidents and emerging threats therefore becomes essential.
If security always trumps other priorities the organisation will fail through lack of investment in the digital services it needs to be competitive. Yet if security is always second fiddle then the enterprise will fail through the direct and indirect impact of repeated breaches. In business this can be financial and reputational impact. In the public sector, defence and critical national infrastructure the potential impacts are even more concerning. This brings us back to the question of balance.
When we are attacked – not if!
Openness at all levels of management is essential – there is no point in pretending we are perfect! But can we convince ourselves (and our stakeholders) that we are doing a competent job of assessing and managing the risk?
- Have we rehearsed our organisation-wide response to incidents?
- Are we continually enhancing our personal security skills and training our teams appropriately?
- Do we all (including the Board) recognise that our thinking needs to be ‘when we are attacked’ not ‘if we are attacked’?
All too often I’m seeing delineation between the ‘Security Team’ and the rest of the IT function. And this is most unhelpful.
This was brought home to me recently by an organisation who described their standard approach to security. In their model the Security Team run a threat scan once a month. They then create many tickets for remediation, which are gradually closed by the Operational Teams before the next scan. Sure enough, the next scan then picks up the things that weren’t closed last month and runs against an evolved threat baseline, resulting in yet more tickets being created…
And so the hamster-wheel continues to turn…
This seemed a naïve approach to me which assumes two things:
- the management of the security posture is the responsibility of the Security Team, not the entire IT enterprise, and
- the security posture is managed retrospectively by what is effectively an ‘audit and respond’ approach.
Surely, good security management involves all development and support teams fully understanding both their security risk profile and proactively managing their security posture. That is what we should naturally be doing as IT professionals. The security team is then focussed on finding exceptions to good practice (which should be rare) and advising and skilling the teams to improve.
So why is the Security Team so separate?
As part of agile planning we need to include security-based user stories as well as the user functionality-based ones. This puts developers and other IT professionals in the security decision process as well as inserting security in the middle of the functionality debate. It should result in a more dynamic balance between the needs of both teams.
Whilst an urgent functional requirement may need immediate action, equally a new vulnerability or attack vector may need swift measures. To enable this, developers and operations staff need to improve their security knowledge and capability. But also the Security Teams need to step-up and engage proactively and collaboratively in both application and solution design and development.
A natural crossover between functions
Increasingly, there is a natural crossover between these functions. If we take the example of a ransomware attack, the planned response is likely to involve system restoration from some form of backup or archive. Hence, the backup and restoration strategy is closely interlinked with the security strategy.
As new security threats and opportunities emerge, these are dealt with in the same way as the other elements of the portfolio including new functionality for customer facing apps, handling legacy technology and the various other pressures on the IT programme.
If we can achieve this, then IT can achieve a dynamic and coherent portfolio that balances the need to invest in security with the other capabilities that drive the enterprise forward and effectively manage enterprise risk.
He is currently responsible for investment and innovation for Fujitsu’s Defence and National security business, supporting the business in shaping up for tomorrow’s challenges.