Never Forsake the Fundamentals of Security

Risk Management

The evolutionary nature of cybersecurity requires professionals to focus on a multitude of criticalities. We must chase technology innovations, develop novel risk theories, seek insights into evolving threats, institute new controls practices, and push the boundaries of capabilities, cost efficiency, and relevancy outward in the pursuit of better computer security. It is a never-ending race to maneuver for an advantage, driven by both valid concerns and irrational fears. Some paths we take are worthy and many are not. In this pursuit, we risk being distracted from the fundamentals of cybersecurity.

Certain aspects of security will always hold true. They are based upon the nature of adversarial conflicts and persist over time. Attackers and defenders. Predators and prey. Security professionals must be vigilant in following these timeless concepts and how they specifically apply to cybersecurity. We must not allow ourselves to be distracted and forsake the basics of protecting computing systems, information, and services.

Risk management leadership, understanding the changing threat landscape, and establishing effective controls are fundamentals which drive the way security is perceived and how problems are approached, evaluated, and solved.

Three Tips for Stronger Risk Management

The very best security organizations all have one thing in common: A leader capable of navigating, commanding, and delivering results. Cybersecurity is difficult and ever changing, so strong risk management leadership is crucial. The security mindset drives action and is essential to every organization serious in defending its electronic assets, capabilities, and sovereignty.

  1. Seek optimal risk. Security comes at a cost — attempting to eliminate all loss is not realistic. Identifying the right tolerance of risk is challenging, but necessary to define success. There are tradeoffs to consider in that the triad of risk, cost, and productivity must be balanced. Investments in controls must be rationalized against the costs to acquire, integrate, and sustain capabilities, and also tempered against the user impact and productivity impediments which may be introduced.
  2. There is no room for superfluous activity. This is a race, best run with minimal burden and by relentlessly following security basics, leveraging best practices from across the industry, and developing a highly adaptive set of capabilities. Attackers maintain the initiative and are the genesis for the justification to invest in defense. By its very nature, security is responsive and must remain very flexible to adapt to the maneuvers of the threats. Take a lesson from the Maginot Line of World War II. It nearly bankrupted the country only to result in a fixed fortification that did little to protect the nation from invasion. Security must be fluid and not waste time, energy, credibility, or resources on expensive missteps.
  3. Keep morale high. Security can be unforgiving for practitioners, viewed as a cost sink by management and an unnecessary nuisance by users. The deck is stacked against us. Deal with it and don’t let that stop you or distract your focus from consistently following good practices. There is no finish line. Communicate up to executives, down to operational teams, and across peers as necessary to gain lasting support, confidence, and cooperation. It is a continuous state of effort, just as quality or customer service requires relentless dedication. Stay rational, settle in, build teamwork, and get comfortable!

Proactive management built around strong communication is the cornerstone of establishing a capable, sustainable, and balanced security capability. When you prioritize understanding the complexities and chaos of the threat landscape, as well as establishing effective controls, you will be on your way to properly fortifying your enterprise.

Security Landscape

Security professionals are challenged every day with new vulnerabilities, attacks, threats, and looming impacts. It can seem relentless. In the struggle to break the cycle it is tempting to diverge from best-known-practices in the hopes that a new solution or tactic will produce a monumental return. The value of leadership is key in managing risks. Experienced professionals will maintain devotion to the basics while carefully exploring new avenues to improve risk management, lower costs, and improve user experience and productivity. A continuous focus on optimization is important, but cannot occur based upon inward factors alone. A view of external factors is needed.

The threat landscape is a major contributing factor, continually changing, and must be part of the risk equation and security plan. Technology, attackers, and targets are rapidly advancing in unpredictable ways — as a result, the security industry shifts violently and schizophrenically every few months. Maintaining a working understanding of the primary elements fueling risks is imperative to recognize how environmental changes will be indicators of impending crisis or can be translated to uncover opportunities for timely, efficient, and effective security planning and operation.

Embrace Three Aspects to Better Understand the Changing Security Landscape

  1. Threats and Vulnerabilities. Threats will grow as long as the number of devices and users and the value of data increase. Individual risks depend upon how lucrative a target you are and the comparative level of security you present. So protect your valuables and don’t be an easy target. Plan accordingly for an evolving set of controls aligned to changes in information technology services, devices, information value, and user expectations. The tighter that security is in lockstep with technology, the more cost efficient and effective it can be.
  2. Technology and People.  Security is comprised of both technical and behavioral aspects; they are intertwined and inseparable. Risk assessments, technology choices, accessibility, and mitigating controls must take these into consideration. Security cannot be addressed without understanding and addressing the interaction of both technology and people.

    Technology is the electronic playing field where communication, services, and computing take place. Its relentless automation is a perfect target for attackers who seek predictable systems to exploit. It benefits security by allowing consistent, automated, and scalable controls. But human behaviors are a random element in such a structured world. People can also choose to sidestep protective mechanisms, and traditionally are a favorite target for attackers to manipulate. Technical solutions can provide reasonable limits, reinforce good behaviors, and proactively eliminate most attacks, but not all threats should be mitigated solely with technology. Limitations exist and there is no substitute for security-savvy users as powerful allies in maintaining strong defenses in the face of tailored, variable, and novel attacks.
  3. Obstacles vs. Opposition.  Obstacles are static challenges to be overcome and opposition is dynamic in nature, representing intelligent threats. It is trivial to automate the controls for prevention, detection, and resolution of obstacles, as these types of problems are mostly technical in nature. Opposition is a different beast altogether. Threat agents are attackers who are creative, devious, and have specific motivations driving their actions. Close one door, and they follow the path of least resistance to the next available avenue. This is the true competitive nature of cybersecurity. Security organizations must be prepared to deal effectively with both static and dynamic threats.

Maintaining a proper mindset on the key aspects of the security landscape affords the ability to look deeper into changing threats and ascertain better ways to evaluate and plan for managing current and emerging risks. Not all changes are detrimental, as many can be an opportunity to increase efficiency, apply rational controls, or consolidate efforts for resource savings.

Controls Architecture

Professionals must respect and relentlessly deliver on the fundamentals of computer security. These fundamentals provide the stability and clarity necessary to maintain an effective force and insight into the ever-changing myriad of threats and attacks.

Combining proper risk management techniques and an understanding of the rapidly evolving security landscape provides the foundation for good compensating controls. Such mitigations are the practical measures which reduce risk. To remain effective over time, a thorough controls architecture and intelligent business process must be embraced and sufficiently fluid to adapt to changes in the threat landscape. The result can be a comprehensive and consistent security capability that stands up against a great diversity of evolving threats.

Focus on Three Areas to Deliver Controls for Comprehensive and Consistent Security

  1. Layered defense. Security must exist ubiquitously and be present anywhere data flows, is processed, or stored. It must exist in the mind of the user, the hardware and software in devices they employ, the network communication infrastructure, storage devices, and the back-end cloud or data center environments. Only protecting part of the electronic ecosystem leaves weak points that will be easily targeted. In order to be sufficient, security capabilities must saturate the environment broadly. As threats change and new attack methods emerge, the level of security capabilities for different layers must adapt and be rebalanced.
  2. A Defense-in-Depth methodology. A holistic and systematic approach is necessary to intersect risks across the attack-cycle timeline. It is a self-improving feedback loop to improve the entire security controls structure. By incorporating aspects of prediction, prevention, detection, and response into the security strategy, a greater set of opportunities presents itself to be more cost efficient and effective at managing risk.
  3. Common sense and best practices. Close vulnerabilities when it makes sense, but don’t solely rely upon this for security. Take measures to ensure survivability in the event of a crisis and cognitively choose to implement security that is smart, trusted, strong, and ubiquitous. Learn from mistakes, whether they are your own or those made by others. Communicate across peer groups to understand pitfalls and opportunities. The industry changes rapidly and security innovation, especially when tested in real world environments, can provide great benefits when applied in a timely fashion. Stay informed and apply best practices as they emerge.

Risk management leadership, understanding the shifting threat landscape, and establishing effective controls are the foundation of every great security organization. They exist as a baseline for good practices to protect against the vast majority of threats we face and are adaptable to emerging threats and methods of attack. To succeed, we must lead strategically with vision, comprehend the deeper aspects of the risks we face, institute adaptable control structures, and remain vigilant to never forsake the fundamentals of security.

Twitter: @Matt_Rosenquist

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.