I was listening to a chap on the car radio who commented that “you stand more chance of sending your child to school and not getting a cold, than you do from avoidance of hacking” – and again I found my in-car entertainment in complete synergy with my own mind-set and opinion that it is not a case of if, but when.
However, this presents me with another self-propagated argument: if we have come so far down the matured route toward infosecurity just how can this be the case?
It was around 1995 when we encountered one of the first moves toward the underpinning of infosec standards with the birth of the BS7799, which quickly moved through the stages of the ISO/IEC 17001, eventually maturing into the ISO/IEC 27001, along with its sub-derivatives covering topics ranging from business continuity through to incident response.
And of course there are other, similar families of such guidance in publication out of the PAS (Publicly Available Specification) camp, with one such notable being PAS 555 – again provisioning the answers to the challenges we face in the area of incident response and management. And of course we also have documentation out of the ISACA stables, TOGAF, and those directives issued by the PCI-DSS Council. Thus when some, or all, of these are properly enabled we have delivered perfect security. Right? Wrong.
Security Dashboards
If we go back to those very early days of what we called infosecurity, and now tag as cyber, we were very much focused on delivering real-time pragmatic security by implementing systems and tools like those new anti-virus applications, new-age firewalls, technical security, and workarounds to effect adequate levels of protection.
But along the way some got lost – very lost indeed. As the new age of must-have standards evolved they started to take on the guise of assured security insofar as if you tick all the boxes, then you had evolved the armor-clad world of impenetrable defense, with the mother of all represented by Certified Status under the ISO/IEC 27001.
However, the problem was that, along this journey, many organizations got far too used to pulling out those green-tipped pens to apply the en-masse tick approach, and discounted the technological shortfalls, forgetting about the ultimate goal of robust security. So proud were many of the achievements, they went on to train many main boards to see the security dashboard and its associated reams of green-ticked paper as representing the red pill which would assure a good night’s sleep – a slumber many have now awoken from with a cold sweat.
But let me be clear here; I am very supportive of the soft-security paper covers which represent the documented framework of the security machine – but I expect to see the paper-masking in context with effective and robust underbody mechanics when I pull back the ticked-covers.
For instance, consider the case of the valued ISO/IEC certification, and believe it or not, I know of at least two large-name companies who have fluffed certification by employing smoke-and-mirrors to demonstrate to the assessor what should be done, rather than what was done. That is to say the security posture was skewed from reality, and it was not that they lied, they just avoided any in-depth explanation of the truth.
Fabric of a Security Structure
There has also been an evolution of the CISO, cyber gurus, and security management teams who feel they only need to understand the basic fundamentals of what cybersecurity is, leaving the day-to-day interpretation for operational security to those lesser mortals who at times do their level best in the absence of any training, or real-time investment. In fact, don’t take my word for it; look at some of those respectable organizations who have hit the press post some very successful compromises.
Moreover, there are those who have suffered unauthorized incursions with the devil’s-luck of not being discovered, or suffering name and shame. On that subject, I have been unfortunate enough to follow some renowned CISOs in the industry into their departed organizations, only to find, to my surprise, a fragile fabric of a security structure (which at best littered the organization), with security documentation only fit to hold the door open on a hot day (which if you think about it is quite apt).
And then we may move onto the topic of that insider threat which has been hosted on the lips of the majority for so very long. The only confusion in the debate is that many so-called insider threats have manifested from actors who are actually outside the organization – and in one of the worst examples I have ever observed, as soon as one insider hacker was identified and ejected, another intruded, in what the company acknowledged to be a one-in-one-out lifecycle of consistent compromise.
But all that said, whilst I don’t expect any director of security, Cyber King, or CISO to appreciate the in-depth complexities and working of the world according to Cisco, or the order of magnitude of a Firewall Rule Set, I do expect these well-paid personalities to ‘get’ the fundamentals and understand when they are being sold a pup and to step in to assure their paying masters get secure operability to safeguard their assets, employees, clients, and any other associated third parties.
Creating a State of Synergy
In this dangerous current Cyber Age, I am of a very firm opinion that if we are to counter and robustly mitigate the onslaught of the cyber adversity in whatever form it arrives, the old-boys’ club style of mediocrity will no longer suffice, and that we must get with the 2020 Program and start to evolve security operatives who are skilled up, and are as cyber accomplished and savvy as are those who are attacking with such vigorous success.
We need to get with the 2020 Program that looks beyond what we know, and develop a new, digital-age, cyber-combatant who will act as the corporate gladiator(s) to fight-the-good-fight in the modern connected world. And above all, what is so very important is that, as we swing the other way to the world of evolved security through the portal of back-to-basics and nuts-and-bolts, we do not spin off the aforementioned standards in the process.
What we need to do is create a state of synergy between the security mission and a measured contextual underpin of governed balance to assure the digital world and internet will survive beyond this decade.