With this growing dependence on technology we also need to accept that there will be times when that technology fails us, whether by accident or by malicious intent. We do not expect 100% security in our everyday lives, and we should not expect it in our "technical" lives either. What we need to do is design our systems and security programs to be resilient when a failure does occur. This means shifting our thinking away from solely preventing attacks towards developing strategies that ensure the business can continue to function should an attack happen and succeed. In essence, a change in mindset is required, and not just in those developing the security programs, but also in senior business management.
To develop this resilience to cyber-attacks, the focus should be on ensuring the business understands the impact of a potential attack and the steps required to prevent, survive and recover from it. This requires security to be viewed not only as a purely technical discipline, but also from a business and risk management point of view. Technical people, who would traditionally focus on point solutions to specific technical threats, must translate the potential impact of security incidents into terms and language that business and non-technical people will understand.
Business operates on the principle of risk, and every business decision involves an element of risk. Sometimes the result of taking that risk is positive, for example increased sales; sometimes it is negative, such as loss of market share. Traditionally, security people with technical backgrounds look at issues in a very black-or-white way: it either works or it does not work, it is either secure or not secure.
Being resilient involves a change in mindset whereby you look to identify how secure the business needs to be in order to survive. This is a challenge for both technical and non-technical people. For business people it requires that they get involved in the decision-making process regarding information security by identifying which assets are critical to the business and how valuable those assets are.
The risks to those assets then need to be identified and quantified so that measures can be put in place to reduce the risk to each asset to a level that is acceptable to the business. So instead of a checklist approach to security, or an all-or-nothing approach, decisions are focused on what the business needs, and investment can be directed to the areas where it does the most good.
I often compare developing a resilient approach to security to how kings protected their crown jewels in their castles during the Middle Ages. The core of the castle is the Keep, and it is the most secure part of the castle. The Keep was where the most valuable assets were kept, and it was placed in a very defendable position within the castle walls. Those castle walls were defended in turn by moats, turrets and drawbridges. Outside the castle walls was where the villagers and farmers lived. In the event of an attack the king would raise the drawbridge, leaving those outside open to attack, but these were acceptable losses to protect the crown jewels. Even if the castle walls were breached, the crown jewels would remain protected within the Keep. The parallel is that the business first decides which assets are its crown jewels and which losses it can survive, and the layers of defence are then built around those decisions rather than applied uniformly to everything.