Failure is an option
Information is the lifeblood of today’s business world. With timely and accurate information business decisions can be made quickly and confidently. Thanks to modern technology, today’s business environment is no longer constrained by physical premises or office walls. We can work on laptops, smartphones or tablets and, with nearly ubiquitous internet connectivity, we can work from any location.
With this growing dependence on technology we need to also accept there will be times when that technology is going to fail us, either by accidental or malicious intent. We do not expect 100% security in our everyday lives, and we should not expect it in our “technical” lives. What we need to do is design our systems and security programs to be resilient in the event of a failure. This means shifting our thinking away from solely preventing attacks to trying to develop strategies on how to ensure the business can continue to function should an attack happen and be successful. In essence, a change in mind-set is required, and not just in those developing the security programs, but also in senior business management.
To develop this resilience to cyber-attacks, the focus should be on ensuring the business understands the impact of a potential attack and the steps required for them to prevent, survive and recover from it. This requires security not to be viewed only as a purely technical discipline, but also from a business and risk management point of view. This requires technical people who would traditionally focus on point solutions to specific technical threats to translate the potential impact of security incidents into terms and language that business and non-technical people will understand.
Business operates on the principle of risk, and every business decision involves an element of risk. Sometimes the result of that risk is positive, for example, increased sales; sometimes it’s negative such as loss of market share. Traditionally, security people with technical backgrounds look at issues in a very black or white way, it either works or it does not work, it is secure or not secure.
Being resilient involves a change in mind-set whereby you look to identify how secure the business needs to be in order to survive. This is a challenge for both technical and non-technical people. For business people it requires that they get involved in the decision making process regarding information security security by identifying what are the critical assets to the business and how valuable those assets are.
The risks to those assets then need to be identified and quantified so that measures can be put in place to reduce the levels of risk against those assets to a level that is acceptable to the business. So instead of a checklist approach to security, or an all-or-nothing approach, decisions are more focused on what the business needs and investment can be best directed to the more appropriate areas.
I often compare developing a resilient approach to security to how kings protected their crown jewels in their castles during the Middle Ages. The core of the castle is the Keep and it is the most secure part of the castle. The Keep was where the most valuable assets were kept. The Keep itself was placed in a very defendable position within the castle walls. Those castle walls were defended in turn by moats, turrets, and drawbridges. Outside the castle walls were where the villagers and farmers lived. In the event of an attack the king would raise the drawbridge leaving those outside open to attack, but these were acceptable losses to protect the crown jewels. Even if the castle walls were breached the crown jewels would remain protected within the Keep.
In today’s security landscape, businesses need to identify what their crown jewels are and protect them accordingly by moving them to the digital equivalent of a Keep. Similarly, they also need to identify what should remain within the village, or even within the castle walls, and be prepared to lose that in the event of a major attack.
Effective security requires rigorous and regular risk assessment exercises, particularly as today the business environments, technology, and security threats, change so quickly. These risk assessments should be supported by good security policies outlining what the required security controls are to manage the identified risks. Key to having a resilient approach to security is to have an effective incident response plan in place so that when an attack happens the business can still function and survive.
It is time we moved from designing our security infrastructure to avoid failure, and to acknowledge and accept that failure will happen. How we deal with that failure will determine how well our organizations can recover from security incidents. Instead of looking how to avoid failure, we need to learn that failure is an option. What is not an option is not being resilient enough to recover from and survive such a failure.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for several information security companies. He has addressed a number of major conferences, wrote ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules.