Cyber Security: From FUD To The 4Rs
In this blog post I discuss my experience with the evolution of security as an industry and how FUD has become the 4 Rs of Cyber Security.
You can listen to a podcast version of this blog here
Not a day goes by when I’m not surrounded by information security / cyber security related stories, not only from colleagues in the industry but also in the mainstream media. Security as an industry has arrived and I think I’m still in shock. It shouldn’t really be a shock. To me it’s obvious that security over information is important, that some information really needs to be protected. But it wasn’t so long ago that cyber security wasn’t on the board agenda and not everyone had an opinion about encryption; when security for most people meant making sure they protected their PIN from view at the ATM and, for businesses, that really annoying password for your clunky desktop computer.
When I started out my career in the industry, I fell into it by accident; it was the first job I landed after university. I knew I loved technology and, from countless weekends working at Curry’s PC World, I knew I was a good salesperson. This combination of skills and chance landed me a role at Wick Hill, the award-winning security distributor. What I learned quite quickly was that information security was a very niche area. It wasn’t like infrastructure (servers, desktops, laptops, networking etc.), which was a necessity for most organisations. Security was that insurance plan that nobody really wanted. And just like many other insurance products, be it life, health, car or home, to sell security products and services you had to rely on a heap load of FUD. For those who aren’t familiar with this term, let me break it down for you: FUD stands for Fear, Uncertainty and Doubt.
Many conversations with customers or training provided to reseller partners would revolve around:
“What if one day your organisation faced a DDoS attack?”
“Imagine if you were breached and the press got hold of this?”
“No I didn’t say FISHING, I said PHISHING – oooh, you need to know about this”
The buyers of security products and services weren’t the board of directors or even anyone who had a seat at the table; it was a forward-looking security evangelist who knew what could possibly, maybe, someday happen, very much to the annoyance of everyone else. He was sort of seen as Noah when nobody believed the world was about to end. This guy usually sat somewhere in IT, and security was one of the many things he had to think about, including keeping the network, phones and desktops running, as well as forever answering the question “but why do I have to change my password again?”
Move forward a decade to 2016 and it’s amazing how far security has come. The fact that the internet is an intravenous drip to the world, supplying anything a heart desires, connecting people and organisations, and is the backbone of modern commerce has made security vital. Especially for businesses.
Businesses may see it as an appropriate statement that they belong to a specific sector, e.g. travel, banking or consumer electronics, and they would be partially correct. But the majority of organisations either trade or process data in order to facilitate their core business. Information and data are the new economy.
From my experience (at least with mid to large organisations) of being the Information Security Officer at a global bank and more recent experience in security and privacy consulting, businesses are no longer being sold the concept of security. They know it and have a good appreciation of the impact if something were to go wrong. There is still fear, uncertainty and doubt but this is based on tangible real world examples of cyber security incidents, not the worst case scenarios presented as part of a sales pitch. However, it is becoming very evident that no amount of technology, policies or training can guarantee security. There is no absolute security. This is why organisations need to be forward looking and not lull themselves into a false sense of security (pun intended) that they will not be next.
At this point, let me introduce you to the concept of the 4 Rs.
The 4 Rs of Cyber Security
It is no longer a question of IF an organisation will suffer some sort of security breach, it’s WHEN. The sooner organisations appreciate this, the sooner they can start to prepare for the worst. Just Google “cyber attack” and it’s very evident that no one should really need convincing that their organisation may one day suffer a security incident.
How an organisation manages its response to a security breach/attack may have as much impact as the incident itself. Key considerations are:
- How quickly the incident can be identified
- Speed at which response teams are mobilised
- How impacted staff/customers are supported
- Management of external stakeholders such as shareholders and regulators
- Management of the media
Done right, it’s damage limitation and potentially a stronger relationship with both internal and external stakeholders.
Done wrong, it could mean the end for many organisations or, at a minimum, a loss of trust from which they may never recover.
Okay, so someone got through, a process didn’t work, a technology failed, or there was a cyber seagull that dive-bombed and left an unmistakable present. The response was rapid, well received and a PR success. Now what? One thing for certain is that if the same thing happened again, forgiveness goes out the window and so does trust.
“Fool me once, shame on you.
Fool me twice, shame on me.” – Randall Terry
It is important to learn from incidents and mistakes, and equally important to implement change which addresses the root cause. By doing so, organisations make themselves more resilient the next time they face the same or a similar issue. Every error or incident is a learning opportunity and a steroid injection for the organisational immune system.
So, the lesson was learned, a process was changed or a new technology implemented. How certain is it that the new process or technology actually mitigates the risk or event we’re trying to address? The only sure way to know is to rehearse and stress test, and if it’s a key organisational process, repeatedly rehearse and stress test. I don’t mean a nice and comfortable rehearsal where all the variables are known, where everyone is pre-warned and can schedule it in their diaries. Real incidents rarely come with a warning.
If organisations really want to test how good their resilience framework, processes and training are, the model below is a potential one to follow.
- Restrict the number of people who need to know about the rehearsal to those absolutely necessary to authorise and manage it. This includes relevant senior management at clients or third parties that may be impacted by any potential delay in service delivery.
- Where possible, initiate an exercise with no warning (a bit like a SURPRISE fire drill, not the one you know is going to go off every Thursday at 3pm).
- Test the end-to-end process, not manageable chunks. If there is ever a security incident we need to know that all parties can do their part, and more importantly do their part in a stressful environment. In addition, demonstrate that disparate teams can work in unison when they are interdependent on each other during the response and recovery process.
Sure, we’re always going to get those who say:
“But I can’t handle any downtime” or “I can’t free up any resource for this exercise”
As I stated before, real incidents rarely come with a warning, and if a process, technology or business area is running at maximum capacity as part of day-to-day operations, imagine the impact and downtime when the metaphorical smelly stuff does hit the fan.
In the security field we talk about zero-day threats, usually related to application code vulnerabilities. What happens when we have a zero-day people, process or hardware vulnerability which can be exploited by a cyber attack?
“To be prepared is half the victory.” – Miguel De Cervantes
Again, there is no absolute security but at least by following this process, assumptions can be made to a strong degree of confidence, supported by documented analysis and evidence.
You can probably guess, as with most business and management speak, that the 4 R process (Response, Recovery, Resilience, Rehearsal) is a never-ending cycle. Every security incident kicks off recovery; the learnings from recovery feed into resilience; and resilience is tested via rehearsals.
I’m sure that for some of the security professionals reading this, the above process may be obvious. It is fairly obvious, but as we all know, common sense doesn’t always prevail. When faced with the pressures of business as usual, it is often too easy to bypass the lessons learned and miss the opportunity to challenge the security framework and the business on its cyber resilience capability.
Hopefully this article got you thinking about embedding and demonstrating some good practice. We could all do with a little less FUD in the world, right?
See you on my next post and podcast. Stay safe and remember: “Information is a risky business”
About the author:
Jeremy Kajendran has over 13 years of experience in Information Security, Privacy and Risk Management. Jeremy leads Ernst & Young’s (EY’s) UK Financial Services Privacy Practice and is a Fellow of Information Privacy (awarded by the International Association of Privacy Professionals).
Views and opinions presented on inforisky.com, talks and podcasts by Jeremy are personal opinions only and in no way represent the views, positions or opinions – expressed or implied – of Jeremy’s previous, current, future employers, consulting customers or anyone else.