Friday 11 October 2019

10 Reasons why you need a Cyber security Plan
Over the past year, we have witnessed all the fuss surrounding cyber security finally become a terrifying new reality in which corporate and government organizations seem unable to stop cyber raids. No more listing statistics or research to try to quantify the threat: cyber-attacks have become uninterrupted headlines. The perceived threat turned into real headlines for the following reasons:

  • Hacking, cracking and other forms of cybercrime have reached a level of sophistication equaling (and in many cases exceeding) the ability of most organizations to defend themselves.
  • Those who practice cyber-attacks in 2015 are qualified professionals with more years of technical security experience than the average IT worker employed to defend against them. The days of the amateur hacker enthusiast are largely gone. Today, cyber-attacks are carried out by nation states, terrorist groups and crime unions. It is no longer a hobby; it is a profession with very high risks involved.
  • Those defending themselves against current cyber-attacks are facing the wrong threat: a threat defined in 2005. The 2015 threat is not focused on simple disruption; the new threats are "campaigns" that involve complex strategies and tactics to achieve specific goals. It's like a war, but it's a war with hundreds of attackers, thousands of targets and no end in sight.

So what do we do about it? Last week, President Obama held a Cyber Security Summit at Stanford University, which was the culmination of nearly five years of federal efforts to redefine how the government will continue to reorganize to address this crisis. It has been a long process and much remains to be done; soon, we'll probably have a new federal agency dedicated to nothing but cyber security intelligence.

But how does this help organizations under attack now? Although it shows that the government is taking things more seriously, and the new Cyber Security Framework developed by NIST provides a good conceptual context for how cyber defense should be addressed, it does not yet offer much more. The president himself acknowledged this by calling on private industry to come together to help solve the challenge. So now the ball is back in our court.

While the topic of cyber consortia is fascinating, I would like to address something that almost all organizations can do on their own right now. If your group, company or even agency is concerned about how to improve its security, there is only one place to start. Organizations with any IT capability (you don't even need Internet connectivity to be vulnerable) should use 2015 to reevaluate their cyber security strategy, if they have one, or create one if they don't.

Here are 10 reasons why your organization needs a (new) Cyber security Strategy this year:

  • Chances are the assumptions your defenses rest on are wrong (or at least incomplete). Perhaps you are only concerned with compliance or network intrusion; there are dozens of things that may have driven your strategy before. How many of them are still valid, and how many have you lost track of? You will probably never find out if you do not engage in a deliberate effort to question them.
  • Having a dedicated cyber security strategy implies a level of commitment that would not otherwise be present. Keeping this strategy current and specific allows you to influence decisions at the highest level (that is, not just in the IT group).
  • Reactive defense is a sure way to defeat. We don't need a cyber Maginot Line; we already know it won't work. But how can an organization become more proactive? It starts with the cyber strategy, which takes into consideration what is unique in your organization (and also what is important to it). Everything else must be derived from this basis.
  • Strategy is the central organizing mechanism of any group or organization. It enables centralized control, decision making and is the only way to coordinate policies, funding and action to solve a common problem. Again, this is not just a statement of principles, but a specific set of goals, objectives, and key decisions designed to meet the challenges.
  • In any war, strategy directs tactics; cyber security is no different. All detailed planning, solution architecture, behavioral response, and processes must align broadly with what is presented in the strategy.
  • A strategy is the ultimate performance metric. You can use it to state your performance expectations against the challenge while describing the approach required to meet those expectations. Without a strategy, you can never properly assess your security posture. Remember that the metric should not be based entirely on threats you have seen before; it should extend to those you haven't encountered yet. Defending against yesterday's attack does not protect against many of today's dangers (and perhaps most of tomorrow's).
  • Using this metric, your cyber strategy provides accountability to your business stakeholders. It serves as the highest-level contract (or SLA, if you wish) for what you can and will do to ensure their safety.
  • A cyber strategy is the first step in helping to bring together organizations that are trying to coordinate. Each individual entity in a larger group of companies can share certain parts of its strategy at a high level (and perhaps this is where things like the NIST Cyber Security Framework can be helpful). This can allow defenders to collaborate and coordinate just as attackers now do. The key is to ensure that not every part of the strategy is generic or shared.
  • Your cyber strategy can and should provide language that can be passed on to consumers or end users to illustrate your commitment to security.
  • A strategy is just a good starting point for dealing with complexity - and few things are as complex today as cyber security.
  
Some of you may be thinking that the real battle is code- or network-level counter-warfare, and of course this is part of the puzzle. But that's exactly the point: until now, we've been moving puzzle pieces without being sure of the shape or outline they fit into. The cyber security strategy is the big picture that gives us a chance to start solving this puzzle; instead of just being experts in three or four pieces, we need to master the whole picture.

This article was originally published on -------
