To quote Lewis Carrol, from Alice's Adventures in Wonderland:
'Would you tell me, please, which way I ought to go from here?'
'That depends a good deal on where you want to get to,' said the Cat.
'I don't much care where —' said Alice.
'Then it doesn't matter which way you go,' said the Cat
It might sound like a relaxing way to go through life, but it is one we cannot follow in security. After all, data breaches and disruptions of service come from weaknesses where you have not put in place enough protection. All those paths are essentially a broader attack surface.
Business strategy is often based on a 'vision, strategy, immediate action' model. The organizational vision is the factor you might use to inspire, propel and focus. A good vision statement defines a desired end-state, so that your team can feel they are part of a broader goal. It also often makes reference to what you will not do. Sometimes, you need to say 'no' or stop doing a certain thing to focus your attention.
Using the same model for security, we would prioritise the use of information to achieve such a vision - you could use the tried-and-true CIA
model or the hexad
What do you most care about?
- Maintaining the trust of your clients, such as a high-end retailer? Then ensure you don't lose or corrupt their personal data.
- Being the leading edge in R&D, such as a pharmaceutical company? Then emphasise the protection of confidentiality.
- Providing trustworthy and timely information, like a news provider? Then prioritise integrity and availability of data.
A couple of examples, from a large company to one of my friend's businesses:
eBay: "Provide a global trading platform where practically anyone can trade practically anything." eBay has an interesting challenge to empower its customers to manage their own sales and provides an invisible platform for them to do so. This would suggest that availability
of the platform should be key.
A small dressmaker:
"We want to make the most unique dresses that make you look beautiful and feel confident." Protect, above all else, the dresses' designs, as well as the shortcuts and methods, or people, you've used to give you that competitive edge.
One example comes to mind in a stock exchange I visited as part of a vendor security assessment for an investment management firm. I was surprised to hear that they did not use any encryption on their internal systems at all
. The rationale, explained with a knowing smile from the security manager, was that if you had access to enough resources to make use of the information in sub-second trades, then you didn’t really need any more money, and that if you could build such a technical marvel, then he’d like to hire you. A good example of the need to prioritise availability
Ultimately, all I’m really proposing here is to make sure that your approach to securing information – your 'cyber strategy' – serves the business. Whereas the technology and compliance departments have stayed firmly in their old roles of serving, enabling and controlling the business, I feel that in cyber security we can use the closer ties between business and technology to envision a service that can be clearly seen to help the business achieve its objectives.
There’s a role here to use cyber security-related information to drive better business decisions – using a threat model to advise on the best new market to break into, or to help that new acquisition cope with the additional scrutiny that comes from attackers now that it is affiliated with a big-name player.
About the Author: Chris Gunner works as a security consultant for one the of the 'Big Four' professional services firms, specialising in cyber security strategy, governance and policy in the finance sector. Starting life as an astrophysicist, he soon got his head out of the stars and into some real work. Chris holds a CISM and ISO27001 Lead Implementer and Auditor. and has consulted in the UK public sector, for supply-side energy clients, and retail / private banking.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock