What are some key principles you follow in your work?
Firstly, Cyber security should be aligned with the business. A business becomes vulnerable when it doesn’t recognize the need for security solutions. To be effective, security should be comprehensible; the business needs to understand what security is achieving and why it is important. Too often I see security teams putting significant effort into implementing the solutions, but end up leaving the business behind. We also need to stop solely seeking technical solutions and focus on the business change requirements as well; this will change the relationship between businesses and security. We need capability that balances threat prevention with detection and response. This shouldn’t be a difficult concept for the business to understand. For example, would a CEO or COO be comfortable in just relying on the door locks, or would they also recognize the need for CCTV, security guards, and an alarm system? The key here is to go beyond prevention, because sometimes threats will get through. The business then needs to be ready to deal with that response, and this is as much a management challenge as it is a technical one. Changing the dynamics is very important. If we’re effective at spotting a threat and able to respond quickly, we can reduce some of the most inflexible security controls and give the business greater freedom to operate, helping it to become more agile and flexible to achieve greater goals. We need to change the conversation about security so that it’s not just seen as a drag on the business, but as an enabler, supporting smooth business continuity and resilience. It’s about helping businesses understand the part they have to play, and not just choosing tools or technologies to invest in.
What are some challenging aspects that organizations are dealing with in regard to implementing a security strategy?
In my view, not enough effort is placed on elements of business change, such as governance, policy, organization, operating model, skills and processes. This capability needs to endure and adjust over time. Often with organizations, after a tool has been in place for some time, they discover that behavior and therefore the underlying security is neglected. This is not a problem that can be solved and forgotten about, and it is essential to keep up to date with threats, understand changes in the technology being defended, and stay abreast of the business priorities. All three dimensions will change on a continuous basis, and the security organization (even if it is only a few people) needs to adjust accordingly. Our approach begins with strategy. This should start with an understanding of what needs to be protected. What does the board consider to be of value to the business? It might be intellectual property, customer information, resilience in the supply chain or finance and treasury. This isn’t a technical question. It is about understanding which things are most valuable to the business and who is likely to be motivated to harm them. Simply put, if there’s something that nobody is motivated to attack, there’s not much to worry about. The greatest volume of serious threats tends to come from criminal action. If a criminal can’t make money out of the attack, he is unlikely to invest time and effort into it. Therefore, it’s important to categorize what assets are valuable and what might threaten them, then develop a strategy of what you want to prevent and what you need to detect and respond to. Once you have a security strategy, you can make sure that all actions you take contribute to delivering the desired outcome. It is often more effective and efficient to deliver this strategy in the form of a transformation program, rather than a collection of tactical projects.
How do you begin planning a security strategy for a business?
There are 4 key questions that we attempt to answer with our clients before any decisions are made about what technology or services to procure. Firstly, what are we trying to achieve? It sounds like an obvious question, but I have found many organizations, including government departments, organizations and corporations, whose projects struggled to deliver because this hadn’t been defined. For instance, in the case of the mission of the security operations team, one objective will undoubtedly be to detect incidents. But what part should they play in assessing the effectiveness of controls, or directing incident response, or contributing to greater business awareness? What is their scope? Is it limited to in-house IT, or does it extend out to the cloud and into the supply chain? Do they also have responsibilities with operational technology, or building management systems? The second question should identify what capabilities will be needed in order to achieve these goals. This should not be drawn into technology selection. It defines blocks of capabilities or functions and is limited to defining their purpose. The third question is about how that capability will be sourced or procured. Which elements will be in house and which will be outsourced? The fourth question, once we’ve decided what the main mission is, what capabilities are needed and where they will be sourced from, is to define the operating model that ties it all together. If you take the effort to develop this level of detail at the beginning, you can be confident during implementation that you will be developing the right processes, policies and technologies, and identify up front what changes and modifications will be needed across the various stakeholder groups within the business.
How do you balance the conflict between ease of use and security?
That conflict will always be there. In my view, security needs to operate with the business’s consent. If security is seen as a problem or a nuisance, it will cease to be effective. For example, if a security function within an organization outlaws the use of file sharing services such as Dropbox, and puts controls in place to prevent it but without providing an alternative convenient way of sharing information with external parties, people will find a way around these controls to get things done. On the other hand, if the security function engages with the business, it can come up with solutions that work for that business. It is rare that employees genuinely want to jeopardize the business; mostly, they are just trying to do their job. But often, the actions they take can harm the business without them realizing it. In the last example, controlling file sharing is important, and there is a multitude of service providers out there, so there need to be limits. By understanding the business need, in the context of the business risk, it should be possible to select the most appropriate cloud provider or build a solution in house that enables you to run your business efficiently and securely. Good security is an enabler, and is about providing solutions to get the job done. Creating that dialogue with the business often isn’t easy, but it’s important. This starts at the top, and I have often impressed on clients my belief that the Chief Information Security Officer may need to spend more than half of his or her time reaching out across the business and building relationships there. This is not always recognized, with the view that their time will be dominated by implementing and managing the security controls. But the business is a critical part of those controls, so it cannot be ignored. I think there are similarities from history in the IT world. Some twenty years ago, there were a lot of discussions about the role and authority of IT.
There were numerous debates about whether the CIO should be on the board or not. Looking at businesses that were successful, I realized it’s not particularly about who the CIO reported to, but more about the type of person the CIO was and about the relationship that he or she had with the business. If security has a healthy relationship with the business then everybody is more likely to understand what they are trying to achieve. The approach that Cyhesion takes increases the chances that the balance between control and business enablement will be correct. We believe the secret to success is based on:
Good Strategy - Defining what we are trying to achieve and doing the hard thinking about how we will achieve it before we get into the interesting business of buying technology.
Effective Transformation - Having the discipline to change the business so that it delivers the right outcome, rather than focusing too heavily on implementing new technology.
Sustaining Capability - This is about making the change stick. Sometimes it can help to drive that change from the inside, and interim management can play a part here, transferring knowledge and adjusting the model to make it work. Ultimately, though, it is the client who will need to continue to maintain and adjust capability on an ongoing basis as circumstances change.
Do you have your own technology?
Cyhesion does not develop its own technology. We have strong relationships with a variety of tech providers, particularly in emerging areas which we see as important at the moment. We help our clients to understand what technologies are available and relevant to them, and how to implement them in the most effective manner possible.
Which technologies do you feel are currently most relevant?
One technology I think can add a lot to security operations is automation and orchestration. To date this area has been neglected, but used properly, it has a lot to contribute. There are many technologies that are good at detecting threats, but once they do that, the work has just begun. Automation is vital in reducing the mundane work, and allowing security teams to focus their efforts on the areas where they deliver the greatest value. I consider threats in 3 different categories:
Well-known and well-defined threats, where you know precisely what needs to be done to eliminate them.
Threats that are known but not well defined, which require a degree of research, investigation and judgement to get solved.
Completely unknown threats, or zero-day attacks, which are the most worrying but also the least frequent.
The known threats consume the vast majority of a security effort, because they are most frequent, but they are actually relatively mundane, and much of the effort can be taken over completely by technology. These are the kind of threats where response could be fully automated, enabling analysts to spend time on the more ambiguous tasks. It’s difficult to recruit security analysts, and they tend to leave because they are bored with mundane work. Analysts are more satisfied and less likely to leave if they feel their work is meaningful. The use of tools for automation and decision support also means responses are more consistent. If the tools enable analysts to develop their own runbooks and orchestration patterns, that knowledge stays within the company, allowing for more sustainable solutions while using fewer resources. Another technology I am taking a close interest in is remote browsing. This is quite an emerging area, but I recognize it can deliver significant benefits. Browsers are highly vulnerable to threats simply because they have largely unrestricted access to the internet. So if you move all except for the most trusted browsing activity away from the business assets, you can significantly improve the security of the business. As with any technology, the key here would be to do it without compromising the user experience, or you will have a very angry business feeling they are being sent back to the days of internet kiosks.