It is clear that the cyber security posture for most organisations is a long way from where one might expect it to be. We’ve been fighting malware and spam for decades and the problem is worse now than it has ever been. Just a quick scan of the daily news reveals that the frequency, magnitude, and impact of attacks are on the increase. And if that was not bad enough, we are using technologies and protocols that were either built for more peaceful times or built with backdoors so that foreign governments could monitor communications and maintain an illusion of control. The reality is that organisations are not just losing the battle but are losing the cyber war to the adversary.
It’s a harsh reality, but it doesn’t have to be like this.
Imagine if not too far into the future from now you could:
Not only make, but maintain cyber security as the number one priority in the minds of the executive team;
Bridge the language gap between operational and executive teams within your organisation;
Portray cyber security in a positive light to your organisation;
Empower the executive team in your organisation with the ability to make informed decisions about how to deal with cyber security risks;
Increase your ability to obtain cyber security budget with ease;
Reduce the budget required to implement and maintain an effective cyber security practice;
Create a cyber security aware culture within your organisation;
Improve your organisation’s operational efficiency simply by having good cyber security practices;
Reduce risks to your organisation simply by having good cyber security practices;
Help your organisation keep up with rapidly changing trends simply by having good cyber security practices;
Provide your organisation with a competitive advantage simply by having good cyber security practices; and
Look like a rock star for making all of this happen naturally.
Sounds great, doesn’t it? Sounds unrealistic? Let’s break it down into three steps and begin by taking the first small step right now. A lot can be achieved if you simply put your mind to it. As Lewis Carroll once said: “Imagination is the one weapon in the war against reality.” It is a weapon we seldom see used, in a reality in which cyber security is undervalued, under-represented and under attack.
Using your imagination is the key to completing step 1, which is to create goals for where you would like your organisation’s cyber security position to be within the next three years.
“Imagination is the one weapon in the war against reality.”
~ Lewis Carroll
Have you ever randomly asked twelve of your colleagues what your organisation’s mission is? If you did, you would most likely receive twelve different responses. Not knowing the mission statement might not seem like a big deal, but when you think of it as people all pulling in different directions, it hampers your organisation’s ability to forge ahead with a unified vision in a single direction, the right direction, with agility and clarity.
Now consider this: if the people in your organisation can’t agree on something as simple as the mission statement, how could one expect them to know which assets enable the organisation to thrive, and which threats could ultimately cause it to nose dive?
You can’t hope to win any battle against the adversary if you don’t know your current cyber security posture. You need to know your strengths and amplify those and you also need to know your weaknesses and reduce those. Insight into the inner workings of your organisation is essential before you can decide what resources to leverage, otherwise it is only a matter of time before the adversary garners greater insight about your organisation than you and takes control. In fact, chances are that has already happened; you just don’t know it yet.
Sadly, we see many organisations aimlessly deploy the latest and greatest technologies with little or no insight into what benefits may come of those actions. As Johann Wolfgang von Goethe wisely said, “There is nothing so terrible as activity without insight.”
Gaining insight is the key to completing step 2, which is to establish your current cyber security position.
“There is nothing so terrible as activity without insight.”
~ Johann Wolfgang von Goethe
Columbus had a belief. He was not the first to hold it, but he set out to be the first to prove that the world was in fact spherical and not flat. He wanted to prove that he could travel in the opposite direction and still reach his chosen destination. He showed great courage, for many feared he would sail off the edge of the earth, and he invested a great deal of effort in his mission. Ultimately he failed to reach his destination, but we do now know that the world is indeed not flat. What’s the point of this story? You may be able to take a different direction to your destination, but at best you will take longer to reach it, and at worst you will get lost.
In cyber security, direction is equally important for maintaining your organisation’s cyber security posture.
Direction can only be established when you have an origin and a destination in mind. By now you should have already read the first two steps, which were:
- set your cyber security goals (destination)
- establish your current position (origin)
The legendary John F Kennedy famously said, “Efforts and courage are not enough without purpose and direction.” All that is essentially left is to plan the purpose and direction that will take you from your origin to your destination.
Would you hail a taxi and tell the driver to just drive in any direction? Of course not; it would be a costly exercise. Yet we see many organisations engage in the crazy antics of implementing cyber security without any sense of direction, and then wonder why they burn through budget so rapidly.
Planning is the key to completing step 3, which is to plan the cyber security strategy that takes you from your current position to your goals.
“Efforts and courage are not enough without purpose and direction.”
~ John F Kennedy
Imagine taking a drive down the highway. Perhaps you took a wrong turn and found yourself in the following predicament:
- You had not arrived where you thought you’d be by a specific time
- You realised that you did not even recognise the place you were in
- You had no idea how to get from where you were to where you wanted to be.
There is one word that clearly describes that predicament: LOST.
Of course, the solution should quickly come to mind.
You would rely on GPS. You would simply input your destination, and it would figure out your current position and plan what direction you needed to travel.
Simple solutions are often the best when challenges are difficult.
“Life is like art. You have to work hard to keep it simple and still have meaning.”
~ Charles de Lint
Back to cyber security. If you find yourself in a predicament whereby:
- You have not arrived where you thought you’d be by a specific time, meaning that your current cyber security posture does not leave you feeling comfortable
- You do not recognise the place you are in, as you look at the threat landscape and feel like you are not in control
- You have no idea how to get from where you are to where you want to be, and do not know the next steps to take to start gaining victories over the adversary
Then you need to declare that you are LOST!
What’s the solution, though? GPS.
NO… Not the kind with the somewhat sexy but authoritative voice that tells you where to go when you are driving.
Goals, Position, Strategy
It’s different, but it is also a revolutionary and creative three-step process that The Security Artist can help you implement:
Step 1: create goals for where you would like your organisation’s cyber security position to be within the next three years
Step 2: establish your current cyber security position
Step 3: plan your cyber security strategy, which takes you from your current position to your goals
The three-step process relies on four focus areas, which must be carried out in sequence. Each focus area is made up of four tasks:
“Strategy is about making choices, trade-offs; it’s about deliberately choosing to be different.”
~ Michael Porter
Business objective discovery allows you to collect information about the intended direction of your organisation. Will the organisation be undergoing an IPO? Will there be a merger or acquisition? New product launches? Changes in partnerships, leadership, strategy or branding? Is there regulatory compliance that needs to be met? Answering these questions will better prepare you to establish your cyber security goals.
Business process discovery involves working with the leaders of each unit in the organisation to establish which processes they rely on in their job functions. From this exercise it is then possible to establish which processes are critical to the survival of the organisation and which business processes are common across multiple business units.
Ecosystem exploration is essential to understanding the relationships between the various business processes and to examining the interconnectivity with the supply chain, business partners, customers and any other external entities that affect the functioning of your organisation.
Asset discovery is the final task within business discovery and is intended to establish which assets facilitate the most critical business processes. Assets are then placed into appropriate categories such as physical, digital and human.
Vulnerability discovery builds upon asset discovery in order to identify and validate any inherent weaknesses. Vulnerabilities may stem from weaknesses in people, process or technology.
Threat landscape exploration assesses the current types of adversaries and their motives, as well as any emerging trends that could alter the threat landscape in the coming months or years.
Attack scenario modelling uncovers which threat vectors are most likely, based on the assets and their associated vulnerabilities.
Attack consequence exploration determines the impact of a threat should it successfully exploit a vulnerability.
Control effectiveness assessment examines each of the controls in place to protect specific assets against specific threats and identifies how much residual risk remains even after a control has been successfully deployed. Where controls are believed to be ineffective, additional control types are recommended.
Cost benefit analysis calculates the cost of applying a number of different controls to treat each risk and compares this against accepting the risk.
Risk profiling shows the residual risk that remains beyond any controls already implemented, expresses it in terms of likelihood and impact, and prioritises it based on a combination of risk, cost, complexity and effort.
Risk treatment selects the most effective method of treating each risk based on the combination of its magnitude and its likelihood of affecting the organisation. Risk treatment could involve recommending one of: avoidance, acceptance, transfer or mitigation.
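The cost benefit analysis, risk profiling and risk treatment tasks above are easier to see over a concrete register. The following is an added illustration, not The Security Artist’s own method or tooling: the 1 to 5 likelihood and impact ratings, the probability and loss tables, the risk appetite threshold of 6 on the grid and the decision rules are all assumptions, and the three register entries are constructed.

```python
"""Cost benefit analysis, risk profiling and risk treatment over a small risk register.

Added illustration (not The Security Artist's tooling). The 1-5 likelihood and
impact ratings, the probability and loss tables, the risk appetite threshold
and the decision rules are all assumptions; the register entries are constructed.
"""
from dataclasses import dataclass, field

# Assumed mapping from a 1-5 likelihood rating to an annual probability of occurrence.
LIKELIHOOD_PROB = {1: 0.05, 2: 0.2, 3: 0.5, 4: 0.8, 5: 0.95}
# Assumed mapping from a 1-5 impact rating to a loss figure (currency units).
IMPACT_LOSS = {1: 10_000, 2: 50_000, 3: 250_000, 4: 1_000_000, 5: 5_000_000}


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_likelihood: int   # rating once the control is deployed
    residual_impact: int
    complexity: int            # 1 (low) to 5 (high)
    effort: int


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int            # inherent rating, before any new control
    impact: int
    candidate_controls: list = field(default_factory=list)


def risk_score(likelihood: int, impact: int) -> int:
    """Position on a 5x5 likelihood/impact grid."""
    return likelihood * impact


def expected_annual_loss(likelihood: int, impact: int) -> float:
    """Annualised loss implied by a rating pair."""
    return LIKELIHOOD_PROB[likelihood] * IMPACT_LOSS[impact]


def best_control(risk: Risk):
    """Cost benefit analysis: compare each candidate control against simply
    accepting the risk. Net benefit = loss avoided - annual cost; a control is
    only worth recommending when that is positive. Ties go to the control with
    the lower complexity + effort."""
    baseline = expected_annual_loss(risk.likelihood, risk.impact)
    best, best_net = None, 0.0
    for c in risk.candidate_controls:
        residual = expected_annual_loss(c.residual_likelihood, c.residual_impact)
        net = (baseline - residual) - c.annual_cost
        if net > best_net or (
            best is not None and net == best_net
            and c.complexity + c.effort < best.complexity + best.effort
        ):
            best, best_net = c, net
    return best, best_net


def treatment(risk: Risk, appetite_score: int = 6):
    """Risk treatment decision (assumed rules): accept anything within the
    appetite threshold, mitigate when a control pays for itself, otherwise
    transfer (e.g. insurance) or avoid (retire the asset or process)."""
    if risk_score(risk.likelihood, risk.impact) <= appetite_score:
        return "accept", None
    control, _net = best_control(risk)
    if control is not None:
        return "mitigate", control.name
    return "transfer or avoid", None


def prioritise(risks):
    """Risk profiling: highest grid score first, then largest expected loss."""
    return sorted(
        risks,
        key=lambda r: (-risk_score(r.likelihood, r.impact),
                       -expected_annual_loss(r.likelihood, r.impact), r.asset),
    )


def build_register():
    """Constructed sample register (not real data)."""
    return [
        Risk("marketing website", "defacement", likelihood=3, impact=1),
        Risk("customer database", "credential theft", likelihood=4, impact=5, candidate_controls=[
            Control("MFA on all database access", 40_000,
                    residual_likelihood=2, residual_impact=5, complexity=2, effort=2),
            Control("field-level encryption of customer records", 60_000,
                    residual_likelihood=4, residual_impact=4, complexity=3, effort=3),
        ]),
        Risk("legacy file server", "ransomware", likelihood=3, impact=3, candidate_controls=[
            Control("full platform replacement", 300_000,
                    residual_likelihood=1, residual_impact=3, complexity=4, effort=5),
        ]),
    ]


def treatment_plan(risks):
    """Prioritised (asset, decision, recommended control) tuples."""
    return [(r.asset, *treatment(r)) for r in prioritise(risks)]


if __name__ == "__main__":
    for asset, decision, control in treatment_plan(build_register()):
        print(f"{asset:20s} {decision:18s} {control or '-'}")
```

Accepting the risk is the zero baseline every control is measured against, which is why the legacy file server comes out as “transfer or avoid”: its only candidate control costs more than the loss it prevents. The ordering and the recommended control are both sensitive to the probability and loss tables, so in practice those tables should be agreed with the business before the profiling exercise, not tuned afterwards to justify a purchase.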
Process management involves developing, maintaining and executing the processes that facilitate the interaction between people and technology. Processes include change management, incident management and problem management, each of which has numerous sub-processes.
Resource management focuses on finding, hiring, retaining and developing the careers of the right people within the organisation, as well as the effective governance of business partners and customers. Resource management includes the development of a security culture that should be applied throughout the entire ecosystem.
Operations management includes determining what types of technology can be integrated to provide assisted and automated protection, detection and response to known and emerging threats.
Communications management provides the underlying plan for communication within processes, from and between technologies, and in human-to-human interaction, to ensure that a unified vision is stated, understood and acted upon harmoniously, thereby fostering a security culture.
“Intelligence is the ability to adapt to change.”
~ Stephen Hawking