5 Questions to Prove a Cyber Security Strategy

A recent security survey indicated that half of those surveyed have a documented cyber security strategy.

I don't believe it! More specifically, I don't believe the organizations with a 'documented strategy' have something which represents a realistic and comprehensive cyber-security strategy, one which is a valued long-term plan providing guidance in how to keep the organization on the healthy side of security. If I had to guess, I would say less than 1% actually meet such criteria.

Why the disparity and why should anyone care?

The numbers are opinions with no criteria. The word 'strategy' is being interpreted differently by the respondents. Does a plan to keep firewalls and client anti-malware current constitute a strategy? I think not. That is a tactic. It is a common-sense practice, in response to immediate threats. A strategy, by definition, is a forward-looking, long-term plan to achieve a goal. In this case, the goal is to maintain a level of security which controls losses to an acceptable degree.

Thinking you have a plan when you do not is dangerous. If system administrators and management believe they have a cyber security strategy, they are less likely to allocate and focus resources to understand long-term needs. It becomes easy to ignore, hoping the status quo is sufficient, and then be surprised when it is not.

So I have created a quick 5-question test to validate the existence of a realistic cyber-security strategy. Pass my test and I will concede you have a strategy. Fail, and you must admit you don't. Deal?

Question #1:  Does your strategy identify the threat agents who will be attacking your organization over the next 3 to 5 years?
Without knowing the attackers, defenders remain in the dark and are forced to protect from threats both real and imagined. The first step to any realistic strategy is to know who the opposition is, both today and in the future, and thereby understand their capabilities, objectives, and likely methods.

Question #2:  Does your strategy articulate how you will likely be attacked by those threat agents?
Understanding the computing ecosystem, where it is less secure, and how specific threat agents will attack over time is imperative to a strategy. Does the strategy talk about generic worms, viruses, and system patching, or does it take into account likely exploit paths, the ones which align to the common methods of those pervasive threat agents identified in Question #1?

Question #3:  What impacts and losses are estimated from these attacks, given the expected defenses?
Strategy is about planning. Planning security is about finding the right balance between spending for controls and the losses prevented, ultimately getting to a comfy place where the residual losses are acceptable for the cost of security. Without knowing the likely losses, even at a generic level, it is impossible to plan forward.

Question #4:  How does your budget and efforts align to managing those losses?  Does it fall within the range of acceptable levels of loss?
If you don't have an accepted level of loss identified, you fail this question. Impervious security, where no losses occur, either does not exist or is far too costly to employ. Such a system is not practical. So, some losses must be accepted. Knowing this range is important to planning, as it will trigger either growth or contraction for security spending.

Question #5:  Who is responsible for the care and maintenance of the security strategy? 
Given the radical and chaotic nature of security threats, vulnerabilities, and impacts, a strategy must continually flex, adapt, and be updated. Without crisp ownership, most strategies rapidly become stale and worthless. Many such plans are rolled under some organization with little real stewardship. The manager of the group is therefore the 'owner', yet so far removed it is an invalid answer. If you don't have the name of a single person who knows and agrees to actively manage the planning, you fail the question.

So do you have a viable documented cyber security strategy?  If not, don't be too disheartened.  You are in good company.  These are tough questions.  Most organizations struggle with cyber security strategy.  It is the norm, not the exception.

We are still at the beginning of this endeavor. Rushing to claim maturity is not the path of enlightenment. Let's be realistic and recognize where we are and where we need to go. Over time the community must move to a mature model where they benefit from pragmatic cyber security strategies. To get there we must see our shortcomings and fight the good fight.

Reference: Ernst & Young Into the Cloud, Out of the Fog business briefing

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.