Security professionals are challenged every day with new vulnerabilities, attacks, threats, and looming impacts. It can seem relentless. In the struggle to break the cycle it is tempting to diverge from best-known-practices in the hopes that a new solution or tactic will produce a monumental return. In Part 1, the value of leadership was identified as key in managing risks. Experienced professionals will maintain devotion to the basics while carefully exploring new avenues to improve risk management, lower costs, and improve user experience and productivity. A continuous focus on optimization is important, but cannot occur based upon inward factors alone. A view of external factors is needed.
The threat landscape is a major contributing factor, continually changing, and must be part of the risk equation and security plan. Technology, attackers, and targets are rapidly advancing in unpredictable ways — as a result, the security industry shifts violently and schizophrenically every few months. Maintaining a working understanding of the primary elements fueling risks is imperative to recognize how environmental changes will be indicators of impending crisis or can be translated to uncover opportunities for timely, efficient, and effective security planning and operation.
Adapting to the Changing Landscape
Threats and Vulnerabilities. Threats will grow as long as the number of devices, users, and the value of data increases. Individual risks depend upon how lucrative a target you are and the comparative level of security you present. So protect your valuables and don’t be an easy target. Plan accordingly for an evolving set of controls aligned to changes in information technology services, devices, information value, and user expectations. The more tightly security stays in lockstep with technology, the more cost-efficient and effective it can be.
Technology and People. Security is comprised of both technical and behavioral aspects; they are intertwined and inseparable. Risk assessments, technology choices, accessibility, and mitigating controls must take these into consideration. Security cannot be addressed without understanding and addressing the interaction of both technology and people.
Technology is the electronic playing field where communication, services, and computing take place. Its relentless automation is a perfect target for attackers who seek predictable systems to exploit. It benefits security by allowing consistent, automated, and scalable controls. But human behaviors are a random element in such a structured world: people can choose to sidestep protective mechanisms, and they are traditionally a favorite target for attackers to manipulate. Technical solutions can provide reasonable limits, reinforce good behaviors, and proactively eliminate most attacks, but not all threats should be mitigated solely with technology. Limitations exist, and there is no substitute for security-savvy users as powerful allies in maintaining strong defenses in the face of tailored, variable, and novel attacks.
Obstacles vs. Opposition. Obstacles are static challenges to be overcome and opposition is dynamic in nature, representing intelligent threats. It is trivial to automate the controls for prevention, detection, and resolution of obstacles, as these types of problems are mostly technical in nature. Opposition is a different beast altogether. Threat agents are attackers who are creative, devious, and have specific motivations driving their actions. Close one door, and they follow the path of least resistance to the next available avenue. This is the true competitive nature of cybersecurity. Security organizations must be prepared to deal effectively with both static and dynamic threats.
Maintaining a proper mindset on the key aspects of the security landscape affords the ability to look deeper into changing threats and ascertain better ways to evaluate and plan for managing current and emerging risks. Not all changes are detrimental, as many can be an opportunity to increase efficiency, apply rational controls, or consolidate efforts for resource savings. In the final installment of this three-part series, I will discuss how proper control architectures can establish the solid foundation necessary for achieving and maintaining an optimal level of risk. Stay tuned to the IT Center for part three.