A blind spot is defined as “an area where a person's view is obstructed.” Having watched the rhetoric change over the years, from Information Security, through Information Assurance and now to “cyber security,” the author, as a longstanding professional in the industry, sees what is occurring as the creation of a significant and worrying blind spot. Sadly, what people appear to be hearing is “something, something, security, something, something, cyber, something, something, advanced persistent threat, something, something.”1 A Wikipedia search for “cyber security” finds it described thus:
Computer security, also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.
...which makes this “cyber” thing nothing new for many of us, given how long computers have been around and have needed securing. But it is also a mis-description. The “cyber” domain is just the medium through which so many threats are being realised – it is neither the skillset, nor the tool, nor the technology. It is a medium already known and identified previously as the digital domain, the electronic domain, the computing domain – all the same thing, and for all of which existing risk assessments and strategies, industry standards and frameworks, regulation and legislation already apply.

Over the last five years (2010 to 2015), £650 million of taxpayers’ hard-earned money has been invested in a UK National Cyber Security Strategy. The aspiration of the UK Cyber Security Strategy was that by 2015 the measures outlined therein would mean that the UK is in a position where: law enforcement is tackling cyber criminals; citizens know what to do to protect themselves; effective cyber security is seen as a positive for UK business; a thriving cyber security sector has been established; public services online are secure and resilient; and the threats to our national infrastructure and national security have been confronted.2

Unfortunately, the headlines indicate that the reality is the contrary. In 2011, a government panel addressed the disturbing rate of increase in cyber attacks on government computers, and on the defence, technology and engineering sectors. Then, in February of this year, the UK was “named and shamed as Europe’s worst country for data breaches”. In the week commencing October 12 this was compounded by the publication of the combined crime figures, which showed that cybercrime is now officially the most common crime. Taking a step back from the coalface, there is some soul searching to be done, given that the investment in programmes to address all things “cyber” does not appear to be working in any tangible way.
Towards the end of the first decade of the 21st century, the language began to be dominated by talk of all things cyber, as if it were a new concept. As part of PhD research into the area of Information Assurance (IA), the author conducted a literature review and found many resources dating much further back, all of which reinforced the need for good IA to be embedded on an ongoing basis. In 2013, the UK National Audit Office represented this reality visually with a timeline (see page 12 of its report) showing how the UK government had issued IA strategy documents from 2001 through to 2008, and then in 2009 changed focus and issued the first UK Cyber Security Strategy, in line with the global rhetoric.
Amnesia
It’s as if some kind of collective amnesia is happening, or Groundhog Day, or déjà vu. In the noughties, governments insisted on putting an “e” in front of everything – e-government, e-citizen, e-directives etc., which then became t-everything – the transformation agenda. Now we have cyber this and cyber that. This constant rebranding and playing with three-letter acronyms (TLAs) and terminology is proving to be a distraction that is taking us off course from succeeding in our necessary information protection endeavours. Board-level individuals turn to industry professionals for help, advice, guidance and support because most of the issues we deal with are too complex for them to embrace fully. As a learned colleague put it to me: “If [there are] those who do not see the risk of [misusing] terminology... or the risk to a foundation industry, would I really trust them to have the capability to determine the nuances of risk with the information they are supposed to keep secure?” Cyber threats are defined as: the possibility of a malicious attempt to damage or disrupt a computer network or system. So, just threats then – threats the information security community has been dealing with and considering for multiple decades, within our longstanding and existing traditions of computer, network and systems security. These are all available in plain sight and are not new. There is clearly a cyberspace which presents threats to our information security foundations, but it is just another threat vector to be considered in our entire ongoing programme of horizon scanning, risk assessment, analysis and management.
There was (and indeed still is) “the threat of mobile” and Bring Your Own Device (BYOD); there are the upcoming threats from NFC (near field communication); there are new threats coming from the disruptive technologies spinning out of the Internet of Things (soon to be the Internet of Everything); we have also been through the excitement of all things Cloud, and there is the lure of Big Data – which runs an equal risk of becoming Big Disaster without a tremendous depth of understanding of data analytics and the science of data management. Cyberspace is often referred to as the area of focus for policy development in the 21st century, and yet the criminals’ targets are not limited to the Internet. They can involve many technological systems that may or may not be connected to the World Wide Web. Criminals are more than content to use “threat vectors” that exist outside government agencies’ jurisdictions, thanks to near-sighted policies that have not kept pace with those technological developments. We are not working blind, however scary it may seem. The security industry is one of the most prolific in terms of reports, reviews, analysis and research. These come from industry analysts, corporate specialists, government researchers, think-tanks and other worldwide groups, including various membership organisations. There is a bountiful supply of source material from which to draw inspiration, learning, knowledge, tools and techniques to address the already identified threats, together with a plethora of framework options.
Ignorance is not bliss
Just relabelling everything as “cyber security” hasn’t made it different – and it clearly hasn’t made us more secure. It didn’t make our operational security needs different. All the recent high-profile breaches show that the root causes are a combination of human error and a lack of operational security hygiene. “Cyber security,” in the grand scheme of things, will be a short-term bandwagon; the long-term strategic risks to organisations require knowledge of the criticality of their information.
Inattentional blindness
There is Risk Myopia – an inability to see the big picture, or to believe it when it is explained to you – also referred to as inattentional blindness. This rather ugly-sounding coinage is defined as:
A psychological lack of attention and is not associated with any vision defects or deficits. It may be further defined as the event in which an individual fails to recognize an unexpected stimulus that is in plain sight.
Given the level of awareness and insight that is available, what appears to be missing is wider and deeper understanding amongst other professions: Legal, HR, Finance, Procurement and, not least, IT – in particular, software development. The current application landscape is made up of many libraries of freeware, much of which is designed by enthusiasts rather than trained professionals, and so security has not been built in from the outset; we will be constantly chasing our tails as we seek to patch (literally and figuratively) and repair systems that are becoming more and more interconnected. To address “cyber” threats, we need less of the cyber-waffle and more dialogue that brings us back to a full and detailed understanding of the basics; basics that still hold true as first principles and must be learned in the same way as learning that Tuesday follows Monday, or that "30 days hath September, April, June and November." Basics of secure and safe system development – with an acceptance by those who design systems that will talk to each other that there are ethical challenges, and no doubt unintended consequences and unforeseen circumstances. Basics of patch management, vulnerability management, anti-virus, firewall management, access control and so on. Eighty percent of cyber crimes can be prevented by implementing basic security controls. Building security in across both the software design landscape and the infrastructure architecture, through to ensuring board-level understanding – that is what we should be focusing on. The industry is constantly changing and evolving, so the threat landscape presents new and different challenges all the time. But that does not mean we need to create a new profession every time there is a shift in the landscape. As industry professionals we should be ensuring that these efforts are neither duplicative nor wasted, and should be well informed about the existing landscape and the materials already available.
The Information Society has been growing since the 1970s, and therefore those who have been working with “systems” throughout the intervening years are well aware of an implicit requirement to be information security specialists, alert to all threats across the landscape within which they are operating – and beyond. Well-rounded professionals understand risk within this context. The aspects created by operating more widely within the cyber domain are just another manifestation of this. Whilst the cry is always for more investment:
“….governments need to invest a lot more in cyber security because there is no alternative,” David Lacey.
...the author remains concerned that this is tantamount to throwing good money after bad. Always remember that it is your money and mine that is being thrown at a problem being created by the private sector, through a lack of adherence to standards in the constant rush to be first to market with the next great shiny development of the information age.
Sources
1 Davies, "Black Swans, Turkeys, Ostriches and other Christmas Poultry: a tale of Strategic Risk," The Davies Report (blog), November 30, 2010.
2 UK Cabinet Office (2011e).
About the Author: Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member, has more than 17 years of direct information security, assurance and governance experience, helping organisations establish appropriate controls and achieve and maintain security certifications. Andrea’s most recent role, as Chief Information Security Officer for HP Enterprise Security, was one of worldwide influence addressing Security Policy and Risk Governance, seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services. Her work has included development of a patentable enterprise governance, risk and compliance (eGRC) approach to addressing business information governance needs. Whilst also spending the last 6 years researching Information Assurance, Andrea has published two books. She may be reached at [email protected]

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.