Security incidents are ramping up, cyber criminals have become more sophisticated, and perimeters are disappearing. The rules are changing, and IT security needs to respond.
Mark Jackson, Principal Information Assurance Architect at Cisco, talks about the need for an architectural approach to cybersecurity to tackle this changing security landscape more effectively.
Cybersecurity teams have historically operated on the basis of a perceived set of risks that they try to fix with technology. They invest heavily in firewalls, anti-virus and other tools, yet attacks continue to evade these defences. In almost 30 years of malware history, from the Morris worm to WannaCry, we see the same classes of software weakness being exploited again and again, and yet our response remains the same: invest in more technology. This approach is akin to putting a plaster on a broken arm; it fails to address the wider issues that now exist.
We can no longer block every cyberattack; we must anticipate attacks and have an action plan
Cyber criminals are becoming more sophisticated, and the threat landscape keeps growing. With mobile, the Internet of Things and the cloud, our ‘border’ is wider open now than it has ever been. In fact, the perimeter is effectively non-existent. Traditionally, security teams have been obsessed with blocking attacks, but the reality is that they will not be able to block every one. Organisations need to assume that an attack will happen and devise a plan to deal with that eventuality.
This will require a completely new way of thinking where one question dominates – what does the organisation ultimately care about? Business continuity: downtime or unavailability of services has a dramatic impact on every organisation, large or small, and when we’re talking about front line services, that impact is multiplied.
WannaCry and the NHS: Disruption to Operations
Let’s look at the WannaCry attack in May 2017, and specifically how the NHS dealt with the incident. In all, 81 NHS trusts were affected by WannaCry, but 44 of them were impacted not by the infection itself but by the measures taken to prevent infection. Those actions led to a self-imposed denial of service that caused as much disruption to operations, if not more, as the infection might have caused had it taken hold. A lack of local cyber response planning was to blame here, and it clearly demonstrates how poor decisions taken in the face of a cyber incident can be as damaging as a breach.
This example illustrates a bottom-up approach to cyber security, in which the security team reacts to threats instinctively to try to limit the impact. Where this approach fails is in its inability to see the bigger picture, or rather the business side of the story.
An aligned organisation-wide approach to cybersecurity
It’s time for a new approach. This approach is two-fold: IT security teams need to start aligning security decisions to business strategy, and organisations need to stop seeing IT security as a cost centre.
For this approach to work the right people need to be involved from the start. Enterprise security needs to foster executive sponsorship and IT security teams need to be represented when business decisions are made. For a truly effective security strategy, each area of the business needs a voice as this will ensure an all-inclusive enterprise security architecture, where the entire organisation recognises that security is everyone’s concern and responsibility.
This joined-up approach will naturally lead to better decision making; security teams will be better able to protect the business if they have insights into specific plans, such as expanding into new markets, releasing new products, implementing new software, etc. And on the flip side, organisations will be more realistic about the security implications of their decisions.
This complementary approach will only work if both sides learn to speak each other’s language. For management to understand the consequences of their plans, security teams will need to explain the risks in a relatable, human way. Tech talk has its place, but its place is not in the boardroom, where executives struggle to understand, and worse, tune out, when security teams outline the solutions they need or the threats they face.
It’s not just the language that needs to change. Attitudes too need a reassessment; for too long, security professionals have been saying ‘our users are stupid’. And we’ve read countless headlines where employees are blamed for data leaks and security breaches. We need to face facts: IT systems and security are complicated. And when people don’t understand something they often find ways of working around it.
The security industry needs to look inward. Are we explaining things well enough, in terms people will understand? Are we making security too complex, with instructions that are too difficult for the average user to follow? Let’s stop designing systems where all it takes is one user clicking on a link to bring the whole system down. That is a failure on the security team’s part, not the user’s.
An architectural approach: Built-in security from the beginning
The good news is, with an architectural approach to IT security, security itself is embedded in the thinking right from the beginning, rather than simply being bolted on. And while education and training can work up to a point, by embedding security in an in-built way, we can eliminate the need for users to follow prompts and instructions, thus reducing the risk of misunderstandings, mistakes and workarounds.
Traditionally, the security department has always said ‘no’. That’s the wrong answer in today’s fast-moving, digital world. Security’s job is to support the business and enable business decisions, not stymie them and stifle innovation or expansion. By drawing a line of sight between security and business operations and reputation, security can have a real, positive impact on a business. This architectural approach, with players from all sides involved and engaged, will be the most effective way of delivering business strategy.