While we don't yet know the precise cause of the breach, as the investigation is still underway, what we do know is that successful threat actors are persistent by nature and sophisticated in application. That means alarm bells should now be sounding to the tune of the 'reactive compliance-driven blues' in boardrooms far and wide. If you are serious about your security posture then you really do have to walk the walk instead of just ticking the regulatory requirement checkboxes; you really do need to adopt a risk-based, proactive approach to your security strategy.
Business and threat landscapes are transforming in parallel
Digital transformation means different things to different people, but everyone can agree that shifts in technology have changed the landscape of the average business. There are few organizations today that have not embraced the cloud or the Internet of Things to some degree. The bad news is that these technological shifts, and the accompanying cultural shift towards an anywhere/anytime availability expectation of staff, have not gone unnoticed by the bad guys. It's true to say that the threatscape has been transformed in parallel: almost every attack methodology is now available to hire as-a-service, and the landscape will continue to be remapped as cybercriminals of all types become better resourced and more sophisticated. This expansion of the attack surface at a truly unprecedented rate is matched only by the inability of both security budgets and the number of skilled cybersecurity specialists to keep pace. It should come as little surprise to anyone, then, that organizations are finding it hard to detect breaches in a timely fashion, let alone prevent them from happening in the first place. Not only are the tools being employed all too often past their best-before date, but so is strategic security thinking within the organization.
A compliance-driven strategy delivers a false sense of security
Software development cycles are no longer linear, data centers are no longer on-premise, and the protect-the-perimeter mentality just no longer cuts it. Nor, for that matter, does the notion that meeting the regulatory compliance requirements of your industry sector, or simply ticking the checkboxes against data protection legislation for your locale, is good enough. Honest truth time? Mandatory compliance isn't a bad thing in security terms, but neither is it everything, and it certainly won't properly protect your data and your reputation from cybersecurity risk. All this kind of approach will do is provide baseline security, if that, given the speed at which threats evolve and the latency built into regulatory update procedures. The threats to your data are dynamic, however, so your security strategy to protect it needs to be as well. Here's another bit of honest truth from me: compliance-driven reactive security costs money, a lot of it, yet creates very little real value. That is evidenced by the huge number of major data breaches we see hitting the headlines; breaches that are getting bigger, more frequent and more costly year on year. The problem should be apparent by now, and it's that a compliance-driven strategy is always going to be a reactive one. That means a tendency towards a too-narrow focus that lacks cohesion with the wider business. End result? A false sense of security, leaving far too much white space that can, and will, be exploited.
A risk-based strategy helps find your security focus
It doesn't take a rocket scientist, nor hopefully a CISO, to understand that sitting back and hoping that vulnerabilities will stay unnoticed (and, if that doesn't work, closing them down when they are noticed) is at best a busted flush. It does take a little strategic vision, however, to realise that a proactive approach must include more than just a vulnerability detection and patching cycle. It requires an understanding that not everything can be protected, that visibility and prioritisation must go hand in hand; an understanding that a risk-based approach is how to find your security focus while simultaneously delivering real value to the business. So, what does this actually mean? If you ask me, and I'll assume you have as you are reading this of your own free will, it means identifying and then prioritising the high-probability threats to your business. What infrastructure, applications, and data are most important for your business to stay running? This is not a trivial topic, because you can't just run a scan to determine it; instead you must know your business to establish the criticality of systems and data. It also means focusing on the available options for mitigating those prioritised threats through a process of dynamic monitoring that delivers real-time visibility into your data flows, as well as diagnostic capabilities that enable early, proactive remediation.
Visibility is key for proactive cybersecurity
Anyone who thinks it is possible to effectively allocate resources, be that strictly financial or in consequential incident response terms, and adequately remediate vulnerabilities without first knowing the contextual risk they represent, reminds me of a quote from Shakespeare's As You Like It: "The fool doth think he is wise, but the wise man knows himself to be a fool...". By combining business criticality and exploited vulnerabilities, you can take a meaningful view of how to prioritize your security efforts. You can put more investment towards those systems that are vital to the business, and you can focus in on the weaknesses that will most likely be used for an eventual attack. An even more sage person, of course, knows that shortening the window of opportunity a 21st-century threat actor has to act within requires a holistic understanding of both assets and their 'cyber-exposure' across the entire IT infrastructure, from the network to the data itself. Visibility of this exposure allows a holistic analysis of risk and more value at the board level, because security practitioners can suggest a budget allocation that makes sense to the leaders of the business, based upon the likelihood of the threat and the impact upon the business of a breach.
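The prioritisation the article describes, combining a business-assigned criticality with an exploitation likelihood per finding, is easy to show in code. The following is an added example written for this page, not the author's own tooling: the asset inventory, criticality ratings, finding identifiers (VULN-000x placeholders, not real CVEs) and the weighting factors are all constructed assumptions, and the point it makes is that the highest CVSS score is not automatically the first thing to fix.

```python
"""Risk-based vulnerability prioritisation (illustrative, constructed data).

risk = business criticality of the asset x likelihood the weakness is exploited.
Criticality comes from knowing the business, not from a scanner; likelihood is
derived from the finding itself (severity, known exploitation, exposure).
"""
from dataclasses import dataclass

# Business criticality is a judgement made with the business, not a scan result.
# Assumed scale: 1 = nice-to-have, 5 = the business stops without it.
CRITICALITY = {
    "billing-db": 5,
    "customer-portal": 4,
    "dev-wiki": 2,
    "print-server": 1,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, constructed for this example
    cvss: float             # 0.0 - 10.0 base severity from the scanner
    exploited_in_wild: bool # is there evidence the weakness is being exploited?
    internet_facing: bool   # is the asset reachable from outside the perimeter?


def likelihood(f: Finding) -> float:
    """Estimate (0..1) that this finding is the one an attacker actually uses.

    Assumed weights: severity alone is the baseline; known exploitation doubles
    it, external exposure adds half again. The result is capped at 1.0.
    """
    score = f.cvss / 10.0
    if f.exploited_in_wild:
        score *= 2.0
    if f.internet_facing:
        score *= 1.5
    return min(score, 1.0)


def risk_score(f: Finding, criticality: dict[str, int] = CRITICALITY) -> float:
    """Business impact (criticality) weighted by likelihood of exploitation."""
    return criticality[f.asset] * likelihood(f)


def prioritise(findings: list[Finding], criticality: dict[str, int] = CRITICALITY) -> list[str]:
    """Return vuln_ids ordered by descending risk (ties broken by id)."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f, criticality), f.vuln_id))
    return [f.vuln_id for f in ranked]


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """The 'checkbox' ordering: highest scanner score first, business ignored."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (-f.cvss, f.vuln_id))]


# Constructed sample findings, as a scanner plus threat-intel feed might report them.
SAMPLE_FINDINGS = [
    Finding("dev-wiki",        "VULN-0001", 9.8, exploited_in_wild=False, internet_facing=False),
    Finding("billing-db",      "VULN-0002", 7.5, exploited_in_wild=True,  internet_facing=False),
    Finding("customer-portal", "VULN-0003", 6.1, exploited_in_wild=True,  internet_facing=True),
    Finding("print-server",    "VULN-0004", 9.0, exploited_in_wild=True,  internet_facing=True),
    Finding("billing-db",      "VULN-0005", 4.3, exploited_in_wild=False, internet_facing=False),
]

if __name__ == "__main__":
    print("By CVSS only :", rank_by_cvss(SAMPLE_FINDINGS))
    print("Risk-based   :", prioritise(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=lambda f: -risk_score(f)):
        print(f"{f.vuln_id} on {f.asset:<16} risk={risk_score(f):.2f}")
```

Run as a script, the CVSS-only list puts the 9.8 on the low-value wiki first, while the risk-based list leads with the actively exploited weakness on the billing database and even ranks a medium-severity finding on that database above the wiki's critical one. The weights are deliberately simple; in practice the criticality table is the part that takes real effort, because it has to come from the business rather than from any tool.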
The bottom line, and this is it, is that only by adopting a risk-driven approach to your security strategy can you effectively reduce the attack surface, harden your defensive posture and deliver real value on your security investments.
About the author:
Davey Winder is a veteran security journalist with three decades under his belt. The only three-time winner of the BT Security Journalist of the Year award, he was presented with the Enigma Award for a 'lifetime contribution to IT security journalism' in 2011. Currently contributing to Digital Health, Forbes, Infosecurity, PC Pro, SC Magazine and The Times (via Raconteur Special Reports), you can catch up with all his latest writings at www.happygeek.com.