Fred Streefland, IT-Security Manager at Leaseweb and Dave Maasland, CEO Eset Netherlands.
A version of this article originally appeared on Computable.
Recently we’ve had the opportunity (a quite fun and interesting one) to visit a number of Information Security and Cyber Security congresses. During these congresses we were flooded with relatively ‘new’ developments such as Next-Generation, IoT (Internet of Things), IoT DDoS, Security Intelligence Platform, et cetera. The fact that some of these terms have become ‘hype’ is not in itself a problem, but we did begin to wonder whether the security world may be looking at things in the wrong way and thereby missing the demands that need to be addressed.
In this article we will suggest a new way of looking at cybersecurity that stops viewing it as a goal in itself and instead sees it as something that is directly connected to business needs. As it stands now, it seems that too many security organizations are missing the mark.
Security can be quite complex, but its essence is quite simple. Security is nothing more than reducing or taking away risks, and making them visible so that the business can accept them and continue doing its work – nothing more, nothing less. To do this as effectively and efficiently as possible, we, as security people, have to understand the business and not see it solely from an IT perspective but from the broader perspective of the business itself.
When starting from the business, we first have to identify, map, and categorize the risks for the specific business. Second, we have to determine, together with the business itself, which risks need to be dealt with and in which order. When that’s done, the person responsible for security within the company has to set up a security plan that depicts how these changes are executed. When doing so, there should always be clear goals and deadlines. Ideally, this should be done in a ‘smart’ way, one step at a time, so as not to engage in too many projects at once.
Lesson 1: Start with the business (and its risks)
Defining your security approach (or security roadmap) is essential and should be discussed with your business on an ongoing basis to make adjustments where and when necessary. During the creation and execution of the roadmap, the projects that are defined will all contribute to the reduction of risks and the achievement of the end goal. It’s important not to lose sight of the business goals, because the people responsible for security shouldn’t ‘restrict or obstruct’ the business with security measures. It’s not rocket science, and shouldn’t be treated like it is. The creation of a plan should be something that everyone, even without IT skills, can understand. Of course IT plays a role, but only at the last moment, when IT solutions are needed for the execution of the security projects.
Lesson 2: Determine a security roadmap with a clear goal, step by step
Looking back at the congresses we attended, we noticed that most organizations don’t even have basic security measures in place, let alone next-generation or IoT security solutions. Security company presentations on next-generation solutions and IoT developments often look stunning and offer interesting content, but they are simply too far ahead for most companies. Furthermore, experience shows that most hacks (about 90%) still use the simplest methods and weaknesses: phishing mails, malware attachments, and social engineering. And, of course, there is the weakest link of all: the human being.
Companies need to first create basic security solutions for these simple risks before they turn their attention to next-generation and IoT security solutions. Of course, these are important as well and they should be implemented in the future, but only after the basics are covered. Often during security congresses there is a focus on sophisticated threats and APTs (advanced persistent threats), but companies such as TalkTalk and Ashley Madison might have been protected from attack if even basic security had been in place.
Lesson 3: Cover the basics before implementing next-generation solutions
New developments arise quickly, and malicious groups and individuals are using more varied and advanced attacks and tactics. Eventually, next-generation and IoT security solutions will become inseparable from our organizations’ broader security roadmaps. However, the foundation has to be in place before the ‘house’ can be built. And to build this house, cooperation is needed between the architect, the realtor, the mason, the plasterer and of course the owner.
This sense of building something together, step by step, is exactly what needs to happen in the security-world. We have to cooperate intensively because, much like building a house, there is no single owner or architect who is also the best in masonry, painting, or construction. No single security company has the best solution for each and every security risk, so working together is a must. Those who would cause your company harm are already doing this, so it’s time security professionals do the same. We need to start with the owner (the business) and the foundation (the roadmap), and then forge relationships with the right contractors (security vendors). Only then can a strong, reliable, and safe house be built.
Lesson 4: Build the right partnerships; cooperation between IT Security professionals is essential
In short, to make progress with security there has to be understanding and support from the business and vice versa. The one responsible for security has to be able to provide short and clear explanations in order to get all of the different stakeholders in the company to participate. If he or she can’t, then the business (and the board) will never understand, and there won’t be the necessary buy-in and support to implement your plans (no matter how good they may be). As Einstein once said, ‘if you can’t explain it simply, you don’t understand it well enough!’
Lesson 5: Get everyone involved, it’s the only road to success