He'll be speaking about targeted cyber attacks at ISACA's North America CACS conference in April.
What are the main challenges in balancing a growing security architecture with emerging threats, while at the same time justifying ROI to the management?
There are at least two primary challenges to balancing a growing security architecture against emerging threats.
The first is that emerging threats are developed and deployed very rapidly, while almost any new element of the security architecture generally takes much longer to put in place, generating a window of risk where an emerging threat initially has no corresponding security component to address it.
The second is that new elements of the security architecture typically impact users and business processes in some manner. A practical example of this impact is a three-pronged security project that removes users from local administrative groups, requires password vaulting for all accounts with elevated privileges, and deploys application whitelisting in an effort to counteract the emerging threat of phishing attacks. Users, including server administrators accustomed to having local administrative privileges, must adapt to the new security environment. Likewise, some automated business processes that require accounts with elevated privileges must also be adapted to use the password vault. These changes have an impact on administrators and users that must be addressed in the planning phase of the architecture project.
Justifying ROI for information security can be a challenge. Information security is, in fact, a business problem, not an IT problem. The information security team should develop an information security strategy aligned with the company's business imperatives and the various IT programs designed to support those business imperatives. A well-executed information security program should also deploy a security architecture that enables business-focused outcomes (i.e. enabling the company to research and develop new products, to expand in existing markets or enter new ones, or to attract new customers) in secure ways.
But that is not enough. Because users are both the target of advanced attacks and the first line of defense, the information security strategy should include components designed to modify users' behaviors, enable risk-aware behaviors and require risk-aware decision making, all while driving compliance with law and regulation. These are the components of the ROI calculus for information security.
The number and complexity of cyber attacks continues to rise and the information security industry is playing catch-up. Do you think we'll ever be ahead of the bad guys?
Attackers have always had an advantage. They have to be right once; defenders have to be right all the time. And the window of risk defined above, when an attacker can deploy some new attack technique or capability, ensures attackers will continue to have an opportunity at a point in time when capable defenses have not yet been developed or deployed.