A recent article in The Financial Times argues that boards should be looking to appoint younger directors to tackle the cyber security “problem”. Meanwhile, the EU has unveiled the proposed Network and Information Security Directive. Think about the psychology here, really… The more we raise the bar and the level of expectation, given the volume of frameworks created, legislation struck and regulations issued, what evidence do we have that, collectively, any of it has made a difference? In the car manufacturing industry, deaths on the road were reduced year on year with the introduction of safety measures. Yet despite the ever-increasing number of controls available to mitigate identified risk, there has been no corresponding reduction in breaches, cyber-attacks or loss of data – far from it.

Consider a medical analogy as the inspiration for this blog. Autumn 2015 saw much in the UK press about the plight of “junior doctors”. But they are so called because that is what they are: junior in terms of knowledge and experience with patients. The term may denote someone with anywhere between 5 and 15 years’ experience. Is the lower end of that range really who we want in our boardroom, making important decisions without depth and breadth of knowledge and experience across the landscape of information assurance, and tackling the core of our organisational risk management challenges?

Because the media can only maintain a single focus at a time, what is missing is an understanding that there are effectively three doctors trying to diagnose the cyber illness: Information Security, Information Assurance and now Cyber Security.
They are consistently tripping over each other and getting in each other’s way, diagnosing the problem differently and seeking to treat it from different angles, particularly on the assumption that, because the cyber challenge is perceived as “new”, it must require new skills and younger individuals to tackle it head on. However, Information Security and Information Assurance are steps on a continuum, the former being the forerunner of the latter in maturity terms. Cyber Security is a response to the blatantly obvious requirement that the Information Security programme address the risks identified in the cyber domain. (You’ll recognise this constant theme in my writings – I’ve said it before and I’ll keep saying it until it is fully understood.) The younger generation believe that “cyber” is new, that it has only been around for the last year or two. I refer you to previous blogs I have written: security professionals have been advising on the scale of the cyber threat, and the risks that need to be considered, for multiple decades.

Back to the medical theme, though. The problems in our industry continue when you consider our approaches to treatment. We have technology that alerts us to a health issue in our systems but doesn’t provide a remediation option or solution. Oh no, that would require another visit from your friendly vendor to sell you yet another piece of technology to add to your already bloated environment. We have multiple vendors providing multiple options for diagnosis these days, and, in many ways (I know, I speak as one), there are equally multiple consultants available to offer suggestions as to treatment options. A doctor is paid to provide both services and is expected to know how to treat the symptoms we present with:
- Based on the symptoms described, you have a virus.
- The doctor narrows down the field of solution (treatment) options based on knowledge and experience and categorises the virus (malware).
- Having identified the virus family, it is then easier for the doctor to treat it with the specific antiviral, or whatever remediation best suits (update signatures and scan).
- The doctor will also know for how long it will be necessary to take the medication in order for the virus to be cleared and for you to return to sufficient health as to be a risk neither to others nor to yourself.
- The doctor may also be able to provide prevention tips to ensure you don’t catch another cold/virus/whatever… Wash hands often, use anti-bacterial wipes on your remote controls (use the Top 20 Critical Security Controls, or the UK Cyber Essentials).
Given that we are in the middle of the 12 days of Christmas, with the opportunity to make some New Year’s resolutions in sight, if we borrow the “12 Steps” used to address addiction, perhaps we need to make the following declaration:
1. Admit Powerlessness
The criminals are better funded, better researched and better resourced than we are – end of story.
2. Find Hope
In this case, the person responsible for security in your organisation needs to be suitably empowered to restore sanity and reduce the feelings of powerlessness.
3. Surrender
To actually, genuinely doing something to change, rather than continuing either to moan or to be fearful, both of which are simply destructive rather than constructive.
4. Take Inventory
Make a searching and fearless inventory of our assets (Yes, that old chestnut!).
5. Share the Inventory
Admit to ourselves, and to others, the exact nature of our wrongs. For example, believing that adding more technology would solve the problems created by the existing technology or not patching identified vulnerabilities in a timely manner.
6. Become Ready
To have the CISO remove all these defects in our infrastructure and in our organisational behaviour, end-to-end: from mergers and acquisitions, through purchasing and people management, the wider gamut.
7. Ask the CISO
Humbly ask the CISO to help us remove our shortcomings. We need options on treatment, all of which are available.
8. Create Your ISMS
Your Information Security Management System will effectively contain the “to do” list of all that needs to be done in order to achieve the required level of information protection for the organisation we are operating within. In the 12 Steps programme, this stage is about making a list of people to whom amends need to be made. This takes some thinking about, and could or should include Internal Audit.
9. Make Amends
For years, IA has been identifying issues and raising risks to board level, but has been blocked... How else do we explain the state we are in?
10. Continue to Inventory
Review, review, review. Back in the day, whenever you issued a company telephone list, someone pointed out who you had missed: someone who had left the organisation, someone who had joined or someone who had changed department. Our landscape is constantly changing, and we have “shadow IT” to contend with. There is a never-ending stream of known-knowns that need to be continually and promptly addressed. This will include ISCM, Information Security Continuous Monitoring programmes (as set out in NIST SP 800-137). There are logs to be reviewed, produced by the multiplicity of systems identified in our inventory. These all require review as well, with the “actionable intelligence” we keep hearing about applied to them. Enter the Data Scientists, stage right.
11. Meditate
Reflection time is vital to improve our conscious understanding of the risk landscape, and the skills needed to act on it.
12. Help Others
Having had a spiritual awakening as a result of following the previous steps, share the learning with others – our suppliers, our providers, our vendors, our family and friends, our wider social circle – so that the security of all our interconnected devices improves together.

Therefore, at this festive season, the season of many a nasty winter virus, take some time to reflect on the year that has been and the year that is soon to roll in. Don’t go looking for treatment for a self-inflicted wound; you’re just wasting the doctor’s time at that point... the under-resourced, under-funded, weary doctor! Equally, stop blaming the doctor (the CISO) for the fact that you caught a cold because you didn’t take reasonable precautions to protect yourself. Consider how to make amends by addressing the many known-knowns in cyber security. As identified above, there are existing frameworks available to help. Ignore them at your peril.
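Steps 4 and 10 above (take inventory, then keep taking it) boil down to a mechanical check that is worth automating: compare what the asset register says exists with what the network actually shows, and compare this month’s register with last month’s to catch joiners, leavers and movers, just as with the old telephone list. The script below is an added illustration of that reconciliation, not tooling from the author or from Tripwire. The CMDB extract, the lease log lines and their one-line-per-lease format are all constructed for the example; substitute your own exports.

```python
"""Continuous inventory review: reconcile the asset register against what is
seen on the network, and diff two register snapshots.

Added illustration only (not the author's tooling). The CMDB extract, the
lease log and its line format are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed CMDB extract: hostname -> owning department.
AUTHORISED = {
    "fin-ws-014": "Finance",
    "hr-ws-003": "HR",
    "db-prod-01": "IT",
    "print-2f": "IT",
}

# Constructed lease log in a hypothetical one-line-per-lease format.
# One unrelated daemon line is included to show that it is ignored.
SAMPLE_LOG = """\
2015-12-28T08:01:12 lease 10.0.5.14 hostname=fin-ws-014 mac=00:11:22:33:44:01
2015-12-28T08:02:40 lease 10.0.5.22 hostname=hr-ws-003 mac=00:11:22:33:44:02
2015-12-28T08:05:03 lease 10.0.9.77 hostname=raspberrypi mac=b8:27:eb:aa:bb:cc
2015-12-28T08:06:30 dhcpd: lease database synchronised
2015-12-28T08:07:55 lease 10.0.5.14 hostname=fin-ws-014 mac=00:11:22:33:44:01
2015-12-28T09:15:10 lease 10.0.7.31 hostname=nas-marketing mac=00:11:32:dd:ee:ff
"""

LEASE_RE = re.compile(r"^(\S+) lease (\S+) hostname=(\S+) mac=(\S+)$")


@dataclass
class Observed:
    hostname: str
    ip: str
    mac: str
    last_seen: str


def parse_leases(text):
    """Latest lease seen per hostname; lines in any other format are skipped."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        ts, ip, host, mac = m.groups()
        seen[host] = Observed(host, ip, mac, ts)  # later lines overwrite earlier
    return seen


def reconcile(authorised, observed):
    """Compare what the register says exists with what the network shows."""
    return {
        # on the wire but in nobody's inventory: shadow IT candidates
        "unknown": sorted(h for h in observed if h not in authorised),
        # in the register but never seen: decommissioned, or the register is stale
        "unseen": sorted(h for h in authorised if h not in observed),
        "confirmed": sorted(h for h in observed if h in authorised),
    }


def diff_inventories(previous, current):
    """Joiners, leavers and movers between two snapshots (hostname -> department)."""
    return {
        "joined": sorted(h for h in current if h not in previous),
        "left": sorted(h for h in previous if h not in current),
        "moved": sorted(h for h in current
                        if h in previous and current[h] != previous[h]),
    }


if __name__ == "__main__":
    observed = parse_leases(SAMPLE_LOG)
    report = reconcile(AUTHORISED, observed)
    for label, hosts in report.items():
        print(f"{label:>9}: {', '.join(hosts) or '-'}")
    for h in report["unknown"]:
        o = observed[h]
        print(f"  investigate {o.hostname} at {o.ip} ({o.mac}), last seen {o.last_seen}")
```

Run on the constructed data, the two “unknown” hosts are the ones a review should chase (who owns them, and why are they on the network?), while the two “unseen” hosts are the register entries to confirm or retire. Feeding a real DHCP, switch or scanner export into `parse_leases` only needs the regular expression changed to match that export’s format.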
About the Author: Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member, has more than 17 years’ direct information security, assurance and governance experience, helping organisations establish appropriate controls and achieve and maintain security certifications. Andrea’s most recent role, as Chief Information Security Officer for HP Enterprise Security, was one of worldwide influence addressing Security Policy and Risk Governance, seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services. Her work has included development of a patentable enterprise governance, risk & compliance (eGRC) approach to addressing business information governance needs. Whilst also spending the last 6 years researching Information Assurance, Andrea has published two books. She may be reached at [email protected]

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.