Security Think Tank: Start outcomes-based security with asset identification

It has been said that “if you are not being attacked, either you are not looking or you have nothing worth stealing”. There are few successful businesses to which the latter applies, but a tick-box approach can result in turning a blind eye to effective security. 

For example, we were once approached to provide a basic IDS [intrusion detection system] service so an organisation could “tick the network monitoring box”. It should be as cheap as possible with minimal ongoing costs.

This would have been a vanilla IDS with out-of-the box signatures sitting behind the internet gateway. It would not see anything on the internal network or the VPN [virtual private network] connections and would only see basic attacks in the external traffic, so providing no real value. But it would tick the network monitoring box.

We declined the approach.

Check-lists are not a bad thing because they are useful to ensure something is not forgotten, but they do not prove you have done everything as you should have. Effective cyber protection generally doesn’t need lots of expensive appliances. However, equipment and networks do need to be configured properly to protect your key assets and mitigate your business risks, and these configurations need to be updated and maintained in the face of a changing environment. 

Adding an appliance may tick the box, but does not in itself provide cyber protection.

Outcome-based security is a broad approach in which you identify the security outcomes you are looking for to protect and enable your business. These would typically include:

• Understanding and managing security risk – ideally, this would treat cyber security as a business risk, linking the potential for a cyber attack to a business impact and as is implied by “managing security risk”, it would be ongoing. Classically, this would involve identifying the business-critical operational and data assets and the impact to the business in terms of legislative compliance, reputation and financial loss from a cyber attack.
• Protecting your systems against an attack – having appropriate protective security in place. This needs to be tailored to your situation over time.
• The ability to detect and manage security events – it must be possible to detect, understand and respond to events, eliminating false positives and escalating events as appropriate.
• Minimise the impact of an incident – this can be achieved through systems design to localise the impact of an intrusion, or planned response after an event, including incident response and media engagement plans.

Another outcome to consider would be user-friendly, unobtrusive security. Draconian security measures may protect against an attack, but won’t enable the business to thrive, so can themselves be a risk to the business.

Once you have identified the outcomes you want to achieve, the first step is to put in place the governance and risk management and, if necessary, moving expectations from the black-and-white world of check boxes to meet compliance targets to real world shades of grey in managing security risk to meet your security outcomes. 

I would always advocate starting by identifying the company assets (data assets, operational assets, for example) that need to be protected to avoid loss of business, reputation, regulatory compliance, and so on. 

Starting with these assets and assuming that a cyber breach is possible, the impact of a successful cyber attack on these assets, and consequently on the business, can then be identified. You can then focus on your existing cyber protection and to see if it mitigates the risk sufficiently and meets the outcomes you are looking for, or whether additional measures are needed.