Navigating the 2015 Fail Factors - Go for "good" fails and lesser "bad" fails.

It's reaching the end of 2014, and a it's a great festive time to devote some time off from work and be with your loved ones.

This is also the phishers' opportunity ot use festive bait to lure and capture a bigger pool of "fishes". Check out those spam eCards and scam donation messages in your email box and the countless e-greeting emails from retailers. Do not click or open unsolicited email attachments! You will be their next victim. Cyber security takes no timeout. In fact, it is not an understatement to say "no time out" as no one can assume safety from such cyber threats, even after you have recovered from one.

With more cyber incidents hitting the news headlines, we need to prevent failure recurrences and safeguard our future business endeavours. It is never too late to start preparing for 2015. Shake off your procastination.
 

Stock Taking - What are the Good Fails and Bad Fails

Start by listing all significant past ICT (information and communications technology) related "Fails". Identify those documented lessons from every after-action review of a breach, no matter how minor. Categorise them into good or bad fails described below. The whole gist is to ensure those past lessons are not simply closeted away, that the organization has learned from them and done something about them.
 

The Good Fails

This refers to sound security principles - by default, "Fail secure" or "Fail close" in the event of breach. When a breach is detected, security is utmost priority so all damages can be contained. However, this strict principle needs to be balanced with business priorities so the service level committment to customers is maintained. The IT people enterprise cannot simply "press the stop button" on the firewall, denying all ingress and egress traffic. Another critical consideration is human safety. "Fail secure" or "Fail close" does not work out here. Imagine the case where fire alarms are activated; the sound principle would have all doors locked, denying and trapping anyone from exit and entry. Instead consider the options of having "Fail safe" or "Fail open" measures. Set aside a phase to perform risk assessment in the appropriate use of the security measures.
 

The Bad Fails

This refers to taking trust for granted by assuming claimed security and safety. Protections are assumed to put in place the necessary safeguard business. But no one project manager is flawless. No application is bug free. No security technology is 100 per cent foolproof. This worsens if complacency sets in. Existing security capability in placed does not necessarily close the exposure. To rectify this flawed perception, we need constant monitoring and oversight in security controls and measures. As part of risk assessment in the business plan, incorporate clear deliverables that establish verifiable proof for all security measures.
 

Wearing the hats of "Fail" actors

Put in context the different security processes for a better chance of convincing stakeholders on security investments. Selling fear should not be part of your security strategy, though it can be the introduction to be being aware. We can wear the hats of consumers and a service providers and put in context how business services can avoid or minimise exposure.
 

Avoid "failing as an Consumer"

Cyber security is a shared responsibility. As an end user or consumer, we need to see what lies below the iceberg. What lies beneath can be threatening too and mostly neglected. We should prepare for unknown threats. Heighten existing security measures to address new risk and imminent threats with new upcoming ICT initiatives. List out the risks, threat actors and vulnerabilities related in implementing initiatives and recommend the appropriate measures to mitigate and remediate the exposure in a timely fashion. Recommended security measures should have minimal business impacts and fulfill its functional and operational needs.

• Reduce manual intervention and add smarter security embedded in Internet of Everything (IoE) technology
• Reduce single factor (user/password) checks, and add multi-factor checks (biometric, one time password, token)
• Reduce denial of pervasive social e-services, and add seamless online identity verification
• Reduce the false sense of security by adding more security tests
• Reduce perimeter only defense emphasis and add more access deterrence

 

Avoid "failing as Provider"

As managed service providers we play a big role in delivering reliable and secure service. Making sure no lax in secure delivery requires seeing beyond the iceberg, anticipating imminent threats. The provider's managed services presence and wide cloud service portfolio should not tolerate any oversight on critical matters such as data sovereignty and regulatory changes. Upon detecting a service breach, negligence and oversight causing slow or no response is not excusable.

The adversary is no longer the script kiddie exploring, but multi-faceted groups, from the cyber-hacktivist seeking attention to organized criminals selling off digital loot to state-sponsored hackers behind covert espionage campaigns. Not only must we ensure data confidentiality, integrity and availability, we must make sure to not neglect customer privacy concern. Take well-calculated risks in all newly extended innovations existing business services. Measure up the defenses and examine additional preparation that might be required. Reach a consensus on all acceptable risks -- and inform your customer. Remain effective in continuous service delivery by eliminating complex security measures. Explore the information security community to stay informed about cyber threats, experiences and insights. Consider upcoming business trends that might require adjusting existing or adopting new defense postures and strategies.

• As the demand for 'bricks and mortar' declines, there will be more user demands for 'Click and order' requiring an emphasis on consumer security education as part of service portfolio offering.
• As the demand for plain vanilla services declines, there will be more extensive service offerings mandated, including a comprehensive security baseline for all services.
• More quantified and transparent measurements in business value and service health will require additional security investments in the service subscription.
• Misses and gaps leading to Snowden-like incidents will require more trustworthy service delivery, including ensuring information confidentiality using proven and well tested non-proprietary cryptography schemes.
• The distinction between network operations and security operations must be reduced, with more concerted efforts for overall timely incident response. Increase overall situation awareness across all customer services augmented with actionable intelligence from both network and cyber security analytics.

 

Security does not call the shots

The observation that security is a process, not a product stands. Pragmatically, security is an additional cost and is always perceived as showstopper by project teams. Security is frequently an afterthought causing qualms about unforecasted budget expenditures. But this is changing; the "chief information securiy officer" post has been created to sit among the senior executives. Security budgets are being allocated a bigger share, especially in financial sectors after the bad hits on major banks.

The cyber reality is ugly. Companies are still trying to keep pace with the bad guys. We should not procastinate any longer. Be conscious of the "Fails". Wear the hats of individuals and providers in planning out your 2015 cyber security plan. Start now to augment existing defenses with service resilience. Always be ready to answer, "How quickly would we recognise an attack and effectively and readily could we stop it?"