Cyber Security – not a goal in itself
Information Security and Cyber Security conferences are often overloaded with relatively ‘new’ developments such as Next-gen, IoT (Internet of Things), IoT DDoS, Security Intelligence Platform, and the rest. The fact that some of these terms have become ‘hype’ is not in itself a problem, but it does make you wonder if the security world could be looking at things in the wrong way. Perhaps they are missing demands that need to be urgently addressed.
ESET, a Europe-based leader in IT security, has generously shared five basic cyber security lessons from its experts. Dave Maasland, CEO ESET Netherlands, in cooperation with Fred Streefland, IT Security Manager at LeaseWeb, explore a new way of looking at cybersecurity. They encourage you to stop viewing cyber security as a goal in itself. They want you to see it as something that is directly connected to business needs. It seems that too many security organizations are missing this distinction.
Lesson 1: Start with the business (and its risks)
Cyber security can be complex, but it is essentially quite simple. Security is nothing more than reducing or taking away risks, and making them visible. Then the business can accept them and continue doing its work – nothing more, nothing less. To do this effectively and efficiently, those responsible for security have to understand the business and not see it solely from an IT perspective. They must understand the broader perspective of the business itself.
When starting from the business, they firstly need to identify, map, and categorize the risks faced by the specific business. Secondly, they need to determine, together with the business itself, which risks need to be dealt with and in what order. Once that is done, a security plan that describes how these changes are to be executed needs to be created. There need to be clear goals and deadlines. Ideally, this should be done in a ‘smart’ way, one step at a time, without engaging in too many projects at once.
Lesson 2: Determine a security roadmap with a clear goal, step by step
Defining the cyber security approach (or security roadmap) is essential. This should be discussed with the business on an ongoing basis, making adjustments where and when necessary. During the creation and execution of the roadmap, the defined projects will all contribute to the reduction of risks and the achievement of the end goal. It’s important not to lose sight of the business goals. The people responsible for security shouldn’t ‘restrict or obstruct’ the business with security measures. It’s not rocket science, and shouldn’t be treated like it is. The creation of a plan needs to be something that everyone, even people without IT skills, can understand. IT plays a role, but only at the last moment when IT solutions are needed to execute security projects.
Lesson 3: Cover the basics before implementing more advanced security solutions
Most organizations don’t have even basic security measures in place, let alone advanced security solutions. Security company presentations on these technologies may look stunning and offer interesting content, but they are simply too advanced for most companies. Experience shows that most hacks (about 90%) are still using simple methods – phishing emails, malware attachments, and the like. Of course, there is the weakest link of all – the human being.
Companies must create basic security solutions for these simple risks before they turn their attention to more advanced technologies. These are also important and they should be implemented in the future, but only after the basics are fortified. Often during security congresses there is a focus on sophisticated threats and APTs (advanced persistent threats), but companies such as TalkTalk and Ashley Madison might have been protected from attack if even basic security was in place.
Lesson 4: Build the right partnerships; cooperation between IT Security professionals is essential
New developments arise quickly and malicious groups and individuals are using more varied and advanced tactics. Eventually, more advanced security solutions will become inseparable from broader security roadmaps. However, the foundation has to be in place before the ‘house’ can be built. To build this house, cooperation is needed between the architect, the realtor, the mason, the plasterer and of course the homeowner.
This sense of building something together, step by step, is exactly what needs to happen in the security world. There is a need to cooperate because, much like building a house, there is no single owner or architect who is also the best in masonry, painting, or construction. No single security company has the best solution for each and every security risk. Working together is essential. People who aim to do your company harm are already doing this; security professionals need to do the same. Start with the owner (the business) and the foundation (the roadmap). Then forge relationships with the right contractors (security vendors). Only then can a strong, reliable, and safe house be built.
Lesson 5: Get everyone involved, it’s the only road to success
To make progress between security and the business, there has to be understanding and support from the business – and vice versa. Those responsible for security have to be able to provide short and clear explanations to get all stakeholders in the company to participate. If they can’t, then the business will never understand. This means that there won’t be the necessary buy-in and support to implement your plans. As Einstein once said, ‘if you can’t explain it simply, you don’t understand it well enough!’