Where next for the enterprising CISO?

The sizzling summer in Surrey (UK) has slowed my writing, though the cyber security market is equally hot, with many fresh initiatives emerging. Your own perspective will no doubt vary, of course, depending on whether you’re an investment bank, an energy company or a government agency. Personally, I work across all sectors, so I’m interested in observing any relevant trends.

Such diversity of interest is to be expected, of course, as the problem space in cyber security progressively develops. The risk profiles and drivers of individual market sectors have in fact always been very different, though the desired solutions have seemed very similar, which tends to encourage a herd mentality.

But the business drivers are the key trends to watch. Banking, for example, is focused primarily on compliance. Energy is (or should be) focused on insecure SCADA systems. And government agencies should now be paranoid about the theft of their secrets. These are the hot topics. They are very different concerns. The priorities and fixes are not quite the same, though the vocabulary and articulation of the problem space are coalescing.

The answer to senior management demands for better security used to be to conduct a risk assessment, carry out a gap analysis, or develop a remedial programme. But these days just about everyone has already been there and done that, so we’re now contemplating the next level of maturity. What does that look like?

The answer is that it’s quite different from the guidance you might find in ISO and similar standards. Concepts such as Carnegie Mellon-style maturity frameworks simply don’t deliver. Paperwork, metrics and targets don’t make things better. They were always a theory rather than a proven practice. Real progress now depends on short- or medium-term indications of improvement, such as stemming data breaches and intrusions.

Achieving this is hard. Make no mistake. It means taking sensitive data and unnecessary users off the network. It means raising the bar on systems development standards. And it means ramping up the resources assigned to network and audit trail monitoring. These are unpalatable business decisions. So what’s the answer?

It’s quite simple, in fact. We need to start with an early investment in secure development (or procurement) processes because, like it or not, that takes the longest time to deliver. We then need to switch to network security architecture and monitoring, because that’s the key to short-term fixes that can stop or detect an intrusion.

Finally, we need to develop the security practitioner skills needed to respond to a major incident, because that’s our saving grace. Whether or not we prevent incidents, the key thing that impresses management is how we behave when the spotlight shines on our function.

Unfortunately, you won’t get advice on this from reading standards or following compliance processes. Smart CISOs need to avoid being seen to be deficient on compliance, but they should major on real security management improvements that deliver true business value.