By Richard Byfield
A Gartner VP recently suggested that current cyber security discussions on advanced threats are just hype to which most commercial enterprises should not pay attention. The argument likened cyber security technologies and practice to a “Ponzi scheme”, whereby the returns never match the investment and essentially entrap business into an ever increasing dependence on vendors and technologies.
This viewpoint is bound to draw attention from security vendors, practitioners and consumers. In part, it is most likely designed to create that very response, and it is a conversation that needs to be had. On the record, we have to agree with the sentiment. Advanced nation state threats are not targeting every commercial enterprise operating in Australia. So why should a business with a market cap of $4 million spend 25 per cent of that value trying to protect itself from threats that, in essence, pose little to almost no risk to it?
Yes, there are legal and regulatory obligations for businesses to protect both personal and financial data. There are implications for businesses on the availability of information systems affecting revenue, continuity and a business’s ability to maintain commercial operations. Not to forget the impacts upon the reputation of those organisations whose security is known to have been compromised. Who would feel secure visiting a retail store after media reports suggested that the point of sale mechanism was stealing credit card details for “foreign” hackers?
Like any service designed to support commercial operations, cyber security has a known commercial value and impact. The difficult part is in assessing the “what” of value and business impact. Without this, it is almost impossible to measure the business effectiveness of cyber security.
The security posture should equate to business risk and impact value
At Datacom TSS, our focus is on helping our clients establish a security posture appropriate for business needs. We view a security posture as your organisation’s level of risk based upon commercial asset values (revenue, capital, IP, reputational, regulatory, legal), actual threat and recognised vulnerability. This is assessed against the maturity or effectiveness in ICT design, development, procurement, supply chain, policies, processes and service operations. We, therefore, begin by determining the impact of security specific to your business.
Based upon the assessment against your current security posture, a security strategy can be designed to mitigate or treat identified vulnerable areas in business operations. This strategy is always determined and traced against both business requirements and asset values. This ensures that security outcomes can be quantified against the value they protect versus the cost of implementation. Cost benefit analysis is essential in establishing commercial impact. Security must always be justified and quantified.
If the case for security cannot be justified, then the reasons for implementing security may not be well understood. If you cannot justify your expenditure against a business outcome, you most likely have paid for something you did not need.
The value of trust in your practitioner
It cannot be stated enough that many security outcomes do not involve the sale of a vendor product. As security practitioners, we must remain both solution- and vendor-agnostic in determining outcomes to security strategies. Without this approach, achieving a suitable security posture breaks down into an exercise of setting the strategy to meet product X. This, in turn, leads to businesses purchasing capability that has no impact against actual organisational security threats. The “What can we sell you today?” attitude will not extend effective security gains; adversaries are always adaptive and industry segment threats change constantly. Trust is the key. The truth, even when it runs counter to commercial interest, is imperative in protecting assets. Without this, it is all hype.
Cyber security is not simply a “product solves everything” industry. It is as much a service to ICT as ICT is a service to business. As such, each business should seek solutions that align with its threat profile and the value of its assets. Being cognisant of these facts will enable both enterprises and governments alike to deliver actual outcomes for cyber security. This will rationalise the current discussions surrounding advanced threats, including that of APT.
In creating an understanding of the position and posture of security, including the needs of business to achieve security, you will avoid the hype and deliver cost-effective capability outcomes.