In recent years, cybersecurity has taken front stage in the news, political discussions, social media and even dinner conversations. Last year began with much chatter about the Ukraine power grid, then the cyber bank heist in February as hackers stole $81 million from the Bangladesh National Bank’s account at the US Federal Reserve. Five hundred million Yahoo accounts were breached and a distributed denial of service (DDoS) attack on Dyn crippled the Internet for several hours. This year is no different as we experienced recently with a ransomware attack that seized hundreds of thousands of computer systems in nearly 100 countries. These are just the publicized events, but similar network security threats reached far and wide affecting almost every business.
Combat Cyber Threats By Going on the Offensive
Juniper research recently predicted that the cost of data breaches will reach an estimated $2.1 trillion globally by 2019. With the increasing magnitude and frequency of these cyber attacks, how can we stay ahead of these threats?
For years, we've been programmed to think about network and data security as a defensive action. Cyberattack prevention is as simple as setting a good perimeter and everything inside that perimeter will be safe. In today's security climate however, simply playing defense is no longer sufficient. Businesses today need to operate under the assumption that their data is continually at risk. They also need to take on a strategic offensive disposition. As boxing legend Jack Dempsey said, “the best defense is a good offense”.
A good offense for today’s CISO means more than just establishing best practices for data and computer network security or preparing for the multiple tiers of threats that range from state sanctioned programs to a network security breach carried out by mischievous individuals. In no way should those challenges be underestimated. Adapting to the ever-changing threat landscape is problematic and ability to confidently assess and defend against those attacks means also taking a proactive posture that roots out intruders, before they become a problem.
Balancing Security with Strategic Initiatives
In his bucket of responsibilities, the CISO is faced with challenges that go beyond combating threats and triaging incidents. Trying to stay ahead of the IT needs of their CIOs and other business leaders as well as privacy and compliance, cost avoidance, lack of qualified staff, fire drills that force time consuming reactive behavior, bring your own device programs, corporate culture and more are all real challenges that are being faced. The magnitude of these challenges means that the CISO’s bucket is overflowing, in fact it probably looks as if it was hit with birdshot and there's a new challenge gushing from each hole.
As a result, most IT decision makers are looking for simplification of IT operations and chief security officers are included in that. In terms of IT management, most business leaders are pitted in a never ending exercise of balancing the care and security of data and networks against focusing on end-user convenience, and new service and strategic initiatives. By one measurement, half of all IT managers spend at least 30% of their time monitoring their networks and troubleshooting. This vast amount of hours spent on non-core business issues makes it hard to achieve IT priorities and defeat security threats.
Fortunately, Security is a Marathon and Not a Sprint
How often have you heard the questions “Is the network secure?” or “Are we spending enough?” or “What's the best firewall?” These questions can be frustrating, because things are not that simple. The harsh reality is that there is no easy button when it comes to security.
On the other hand, there's the situation where loads of technology has been acquired, but operational security problems remain unsolved and incident responders and analysts are chasing one alert after another without any prioritization of alerts or processes and procedures to follow. Over-complication isn’t great either.
It may be tempting to run after the latest craze, but there is a simply no substitute for a methodical, strategic, intelligence-informed, risk-based approach to security that considers visibility, minimization of administration points and integration into existing controls and business processes
So, what's the answer? Effective security starts with making sure that your security is right-sized for your organization. By understanding the risks and threats faced by the organization: Informed and guided by intelligence, executives, the board, customers, and other key stakeholders.
It also means implementing an architectural approach. Meaning, there should be a cohesive design of the elements. A strategic and effective enterprise security architecture of today needs to be based on “Defense in Depth” which is a concept used to describe layers of defense strategies. The components at each layer work in tandem to provide one cohesive security mechanism. This layered approach will also help localize the impact if one element of the mechanism is compromised. Businesses can do this by:
- Prioritizing those risks and threats
- Allocating the optimal mix of people, process, and technology
- Developing the right content
- Running day-to-day security operations
- Documenting processes and procedures
- Communication to stakeholders
- Information sharing
- Continuously improving
Security should be looked at as a marathon and not a sprint. Doing so will enable the CISO to plan, course correct, and adjust over time to get the business to where it needs to be.
Comments