Keys To Cyber Security Planning
June 5, 2018
Given increasing cyber regulation such as the GDPR and the rising threat of criminal cyber attacks, there is much discussion of how to improve cyber security. The cyber security industry has progressively shifted its focus in its search for a ‘silver bullet’ to defend organizations. To date no ‘silver bullet’ has been identified, although marketing has identified Artificial Intelligence (AI) as the next great hope. Rather than a device-based approach to security, a classical, integrated approach to security planning has significant advantages. This article looks at three components of integrated planning.
The first component of integrated planning is executive direction. All high-end security planning must be driven from the top, and I don’t mean the CISO or the CSO. The CEO, the President, the organization’s leader has a unique perspective. I asked a CSO what his CEO’s top concern was: the CEO was most concerned about things that would drive changes in government regulation, changes that would affect the company’s business model, lowering profitability. That is a great example of a CEO’s concerns from the 50,000-foot level. It also provides a basis for more questions that need to be answered in order to protect that business model. In this case that meant defending industrial processes and Internet of Things (IoT) devices.
Another reason to involve the CEO/President is that there are always people and/or departments that want to opt out. One of my first experiences as a network contractor was working for the accounting corporation of a major Canadian corporation. The accounting department had a separate network leg with different software, different security and even different access. Marketing departments can be as challenging as accounting departments. I reported a cyber attack to a corporation, including the nation-state behind it. The Vice-President of Marketing refused to hear the whole report and insisted on maintaining full, unfiltered, un-vetted contact with the attacking nation. It’s worth noting that the company lost its intellectual property, its client list and eventually its business.
Instead of opting out of the cyber security process, all departments within the organization need to be active participants in the security planning process, responsible to the CEO for their input and support to the CSO and the integrated security planning process. This ensures that departmental requirements are heard and that their essential data is identified and included in security planning. Accountability to the CEO makes this part of the planning process work.
Risk and Threat are the two sides of the next component, intelligence. Understanding your risk is based on knowing what you are protecting and what you have that attackers might want. Since hackers appear to want everything from personal information to intellectual property, knowing how hackers value it is critical. The document that covers this information is called a Risk Assessment. Threat is about knowing your enemy. A Threat Assessment starts with knowing what you have (your Risk Assessment) and who looks for that information, how they look for it, as well as their tactics, techniques and procedures. For example, if your company is in manufacturing and you have ICS/SCADA devices, you need to know who hacks those systems. Risk and Threat are key elements of developing foreknowledge about your adversaries, or intelligence.
Conventional wisdom says that organizations should build a Security Operations Centre (SOC) and that responsibility for security resides there. Using the integrated planning process briefly outlined in this article, security devices and procedures have a substantially different focus than conventional cyber security planning processes. The risks identified by the CEO provide strategic direction as to what must be protected and in what priority. The risk and threat assessments provide operational and tactical criteria for security devices and processes. The departmental inputs are also incorporated into security planning.
In addition to security devices and the SOC, security processes are extended into all departments. People within each department are tasked with keeping an eye on key functions and processes, reporting changes to both network administration and the SOC. This extends the scope of the security team’s oversight, making it much harder for hackers to invade and make changes without detection. The other effect is that cyber security responsibilities are extended outside the SOC, into all departments across the organization. Done correctly, this provides a huge increase in cyber protection.
These components, CEO direction, intelligence processes, and an integrated security plan, are elements of an extended and integrated planning process. Once the plan is completed, updating it becomes a search for changes. As long as there are no major changes, updates can be done fairly quickly. Note that the core criteria for the integrated security plan come from the CEO and contributing departments. Any security device, appliance or process needs to demonstrate how it protects one or more of the core criteria.
Using this integrated planning process, selection of security devices and appliances becomes criteria-based. Even if Artificial Intelligence (AI) is used, the AI must include monitoring and defence of the strategic, operational and tactical criteria documented in the planning process. The objectives of the integrated security plan and the criteria for judging success or failure have moved from the technical descriptors of the cyber security environment to measurable business/organization processes. This planning process represents a radical departure from most current cyber security and threat intelligence planning processes. It has the advantage of having been tested in multiple environments, and it is proving just as effective wherever it is correctly implemented.
David Swan, Director Cyber Intelligence Defence Centre