  • Sustainable Security: Effectively managing the peaks and troughs of…

    By Vincent Naughton on December 18, 2014

    Between APTs, AETs and government/political sponsored cyber warfare, it seems like every few months a new Armageddon style threat emerges.

      The battle against cyber warfare

      Between APTs, AETs and government/political sponsored cyber warfare, it seems like every three to six months a new Armageddon-style threat emerges. If you were to believe all the hype, often presented by certain media outlets and some of the less responsible quarters of the Information Security industry, new threats to information systems and digital business would be the end of the world. Unless, of course, you buy their “army” of expensive technology or services for the battle to prevent this slaughter.

      Despite all of these threats, digital business, information systems and technology continue to flourish. They are the key drivers and enablers for the modern and prosperous times that we live in. Why is this, when these technological “comets of doom” continue to threaten the digital world we live in?

      Security threats have been around for some time

      New or emergent high impact security threats have been with us almost since Information Technology began. Before the current crop of threats, there were Viruses, Trojans, Worms, SPAM, DDoS and ransomware. Does anyone remember when these emergent threats were hyped as the harbingers of doom of their respective day? Government/political and commercial sponsored spying and cyber warfare are not new or recent phenomena either; they have just been brought to the top of the agenda through revelations about the scale upon which they are happening, such as WikiLeaks and the mass surveillance exposed by Edward Snowden.

      Threat lifecycle

      In each case, these threats went through or are going through a typical lifecycle over time from emergence to outbreak, rising to a typically expensive peak impact followed by a sustainable, commoditised mitigation/operation. In each case the Information Security industry produced a management and mitigation strategy, usually comprising various combinations of technology, process and people.

      The initial hype phase for these threats has value to organisations and consumers in making them aware of the threat. The ongoing hype really has most value to the companies who are developing or selling the usually expensive technology to help mitigate the issue.

      Sustainable Security: Effectively managing the peaks and troughs of threats

      Non-sustainable strategy

      • A strategy of ever-increasing security spend as a percentage of overall IT spend to counter the new and ever-increasing number of threats is not sustainable.
      • A strategy of continual ad hoc spend on point security solutions to help mitigate every new emerging threat is also not sustainable. This spend is not sustainable in terms of its cost, skills, resources, incremental infrastructure or reduced systems/service performance level.
      • A strategy of treating all threats similarly in terms of their risk to the business and their point in the threat lifecycle is also not sustainable, as it dilutes finite resources and budget.

      The solution is a sustainable security strategy

      A sustainable security strategy recognises how much risk a particular threat poses to the organisation and which point in its lifecycle the threat has reached. A CISO employing this sustainable strategy balances their “portfolio” of threats according to the current and likely future risk from these threats.

      They make their mitigation decisions by determining if, when and how to implement appropriate mitigation. They rebalance their mitigation solutions and resources, particularly after a threat’s peak impact, in order to lower costs, reduce focus and require fewer resources. This frees up financial and resource budget to tackle relevant threats in the emergent or high impact phase.

      To help manage a number of convergent peaks from a number of high risk threats, CISOs should employ flexible spending models such as MSSP or outsourced Security-as-a-Service (SaaS), either as a bridge until the preferred safeguard is adopted or as a final solution if appropriate.

      In the second part of this blog…

      we’ll recommend a number of best practice guidelines for a more sustainable security approach.
