Originally Published: 10 January 2018
I was thinking back over the last few years in Cyber Security and was wondering just how many billions of dollars have gone into this domain. I’m not sure it’s even possible to accurately calculate the figure, but it’s a staggering sum. And guess what, we are still regularly seeing wide spread damage from Ransomware as well as massive scale breaches in the news.
A short while back Andrew Penn, Telstra CEO, wrote a ‘must read’ article describing how Cybersecurity should be viewed and managed at a Board Level. In my previous post I referred to Andrew’s excellent article a ‘Top-Down’ perspective. I am going to again try and complement his article with a further ‘Bottom-Up’ perspective. I made a number of suggestions in my previous blog post on this topic. I want to emphasise a few additional key points which, I believe, should be understood at an executive level.
Over the past decade I have observed some key trends. A key one has been the substantial increase in complexity in just about every aspect of IT including security. This is not helped by the fact organisations have to architect and deploy increasingly sophisticated infrastructure with an increasingly long list of individual elements, conflicting and overlapping technologies – akin to an airline having to build its own planes from individual components.
In many cases, these systems have grown in an organic manner, through numerous staff changes, against project deadlines, and in many cases with the mindset of ”just get it working”.
In a world of complexity, if robust architectural approaches are not followed you will end up with a network or Information System architecture which resembles a ‘Furball’ the cat coughed up. Put another way – a highly complex, interconnected and monolithic mess. Such systems are not reliable, maintainable or securable. Usually the inherent problems will first manifest themselves are security issues. Just like chinks in a set of armour. New and pervasive technologies like Cloud and IoT integrations will only continue to add to the problem space.
I use the ‘Furball’ analogy as I want to highlight the need for well architected Information Systems and the consequence of not doing so. Unravelling a Furball is at best a very expensive proposition, at worst, a point of no return. This whole industry is in desperate need of standardised architectural approaches which can be applied to common business and organisational situations more universally, as opposed to today’s “roll your own” approach. But that, along with the need for Security Automation, is a topic for another post.
Achieving solid architectures to facilitate today’s business needs requires people with strong technical skills. Or as Gilfoyle from HBO’s incredibly funny series Silicon Valley so eloquently puts it (amongst other things) “it takes talent and sweat” (Just google “Silicon Valley, what Gilfoyle does”). I use this example as I want to highlight the need for serious investment in in-house technical security expertise and the people who can provide it.
A lot is being written about the shortage of skilled security professionals and how bad the problem is. In many case I see this excuse used as a cop out. We are only going to find our way out of this whole sad and sorry mess when organisations start seriously investing in that in-house technical security expertise. Not outsourcing the problem, or moving responsibility somewhere else. Accepting it and developing key skills In-House. Not just developing that expertise, but ensuring clear bidirectional communication lines exist between those domain experts and executive management. Executive management should at least conceptually understand the challenges being encountered at the coalface and likewise, the technical staff must align with business goals and business risk minimisation needs. While it might sound obvious, I rarely see it working well in practice. So, I put this out as a focus area.
I have heard statements like “we doubled our security budget last year”. That is good, but it’s a relative statement. Was the initial budget anywhere near adequate? It’s not just about allocating more budget. It’s about working knowledgably to achieve that solid architecture and then efficiently operationalising security in a manner that acceptably minimise cyber risks to the organisations information assets.
I have said this before, and will say it again. Be careful from where you take advice, particularly external advice. Just because a company has setup a Cybersecurity practice and has people with fancy titles does not mean they know what they are doing. There are a lot of new entrants charging a lot of money to provide mediocre advice. If they stuff it up, then sure you can fire them, but it’s a moot point if you get fired too. Hence, I again make the case for investing in and developing your own people.
The current hot, sexy topics in Cybersecurity are things like Next Gen technologies, Threat Hunting, AI, ML and the like. At the same time, virtually all of the major breaches can be attributed to not having the basics in place or a breakdown of what should have been a fundamental process. I’m not saying sophisticated attacks don’t happen as they absolutely do. But in most cases the attackers don’t need to use them as there are far easier options.
So how do you go about it? It is critical to start with the basics… and that part is not actually that hard and it doesn’t require elite level talent. There are many good sources of information. If there was one place to start, have a look at the Australian Signals Directorate (ASD) ‘Essential 8’ and “Strategies To Mitigate Cyber Security Incidents”, or the NIST 800 framework. In larger organisations, building a community where people can leverage and help each other is a hugely powerful approach when supported from executive levels. Something I always encourage.
_