Current business processes need to constantly adapt to changing threats. Surely we do not want to be the next victim. We can take an active stance and stay agile. This article shares some tips.
The way to make security make sense to anyone is to help them understand that security is simply another sensible outcome of making their venture and business successful. One does not need to be a genius to achieve that. Really?
"We don't stop playing because we grow old; we grow old because we stop playing." - George Bernard Shaw
You just need to engage one's senses and sharpen what makes sense to the users. Security cannot be an afterthought.
"If you can't explain it simply, you don't understand it well enough." - Albert Einstein
Security can make "sense" in your project environment. Take an inside-out, outside-in telescopic view of the people involved and the potential threats faced. Understand how the people are going to be affected, the measures to be taken to address their concerns, and what matters to them most, e.g. the overall project deliverable and timeline.
For example, exercise your innate senses and guide the project team to build security into the project early. This will help them stay compliant and not suffer a "U-turn" (e.g. the end deliverable, just prior to commissioning, surfaces inadequate controls, and by then it may be too late for any changes).
- Observe: Eyes to see, Ears to hear (insights and data)
- Orientate: Teeth to bite, Tongue to taste, Skin to touch (bias and relevance)
- Decide: Brain to think (actionable intelligence)
- Act: Heart to feel, Voice to communicate, Gesture to move (being humane, interacting and reciprocating)
We can take on a proactive "role" and stay agile. Be prepared to take up different roles as threats evolve. You really need to exercise all these senses to sharpen your security objective and ultimately keep the defense strategies up to date. These contribute to achieving coherence between the security design and the system architecture developed. They need to be comprehensive and must not introduce unnecessary risk exposure through miscommunication or siloed teams, especially in a big organization or where extended partnerships are involved.
Here is an analogy for staying proactive: take on an "animal" sense to adapt your defense to the threat faced.
- Porcupine Defense Mechanism - If a predator gets too close, the quills dislodge from the porcupine and stick into the offending animal. Quills grow back.
- Hedgehog Defense Mechanism - When threatened, hedgehogs roll into a tight ball so their spines protrude and their hands, feet, and faces are tucked away.
- Armadillo Defense Mechanism - Its entire body is covered with bony plates, which make it appear as if it is wearing armor. It rests in burrows.
- Pangolin Defense Mechanism - Similarly, it has protective armor made of large keratin scales, but it stays on the ground (no cover).
Need to take a risk-measured approach
To stay well defended with good senses, you need to have (or encourage) agility such that threats can be blocked out sufficiently by the controls deployed. Gain greater confidence with a proactive stance to deter the adversary and block them out. Exert further "stress" on them to gain a higher vantage point. You do not have to be an easy target.
Having said that, the approach taken really depends on the risk appetite level, and you must be prepared for side-effects, repercussions and failure. In any good plan, there is always a need for a contingency in the event the damage grows beyond what the security controls can contain effectively, e.g. controls that cause a denial of service leading to an outage, a zero-day discovered with no patch available for a partner-managed system, etc.
This is not unexpected, but it requires us to actively identify such areas that need more attention. A proper risk assessment is required, and a regular review is paramount to keep stakeholders well informed of the residual risks and of what is being done to bring these to an acceptable level.
For example, during a sophisticated external attack, watching over your perimeter security alone may be a distraction: the stealthy insider threat remains, and it requires you to maintain good oversight of all privileged staff and third-party access while the attack at the front continues. Stay proactive and be agile to adapt to changes in the situation. Things can get ugly if you do not stay on top of them, and the damage can be drastic and lead to greater impact.
So what can we do?
For coherence in the defense approach, get the Operational, IT and security teams involved. Form this hybrid team because an Ops-Tech defense approach is needed; siloed teams cannot work well with agility. Orchestrate the security and IT controls such that the Operational team centrally maintains command and control, detects and responds seamlessly, and keeps stakeholders informed of any security or IT incident in a timely manner.
For automation of controls and measures, the first step is to identify manual human processes and find out where they are heavily used. Check for any past incidents due to human error; manual processes are error-prone. Rethink and synergize by building a network with the tech community and IT vendors to promote more use of technology. Be opportunistic - there is no silver bullet or 100% perfect solution that can give you a zero incident rate.
Adopt a "Fail Fast, Learn Fast" Mindset
Get it FIRST time RIGHT
- Be guided by the established security policy of the organization. Go for risk-based compliance.
- Adopt regular risk assessments. Have top-down and bottom-up involvement. Keep stakeholders updated by the teams on residual risk.
- Build a network of technology-savvy experts. Leverage technology-driven controls wherever possible. Encourage change.
- Maintain oversight of the overall security strategy and have a steering committee to oversee it.
Be Pragmatic and ALWAYS prioritize
- We cannot cover all gaps and defend everywhere. Nor would that be a pragmatic or optimal strategy.
- We can guard what is deemed a critical asset to us, and divide and conquer.
- We take a risk-measured approach, as shared in the past few articles of the "Hard IT Truth" series.
- You can shoot then aim, but first, learn to aim then shoot.
Nurture an Inclusive Learning Environment
Identify the Champion and develop an Outreach programme to get buy-in from ALL
- Build your role model - one who preaches good practice. Have another with seniority who supports the initiative.
- Be careful in using scare stories, as they stir up emotion. They need not backfire if the messages are well guided.
- Bring out a clear and concise security message. Be straight to the point and throw away the technical jargon.
- Treat everyone, including yourself, as a "blank sheet" and start off with the basics.
- Ask, ask, and ask again for feedback, and respond based on that understanding.
- Seek first to understand, then to be understood. Security folks tend to be aggressive and defensive; be wary of this.
Exercise good principles and encourage exploration practices
- Do leverage opportune moments to seek more resources and better executive backing for security initiatives.
- Do not stay complacent with existing security measures. There is no "one size fits all" strategy. Threats evolve.
- Do encourage more Ops-Tech mindsets to develop better-deliberated responses for a win-win.
- Do not neglect security experimentation and innovation. Adversaries never stop, so why should we?
Ultimately, the whole gist is that without preparation (like going through the above), it will be difficult, if not impossible, to stay ahead and be ready when a breach befalls the organization.
In this fast-paced cyber ecosystem, learning never stops.
"Live as if you were to die tomorrow. Learn as if you were to live forever." - Gandhi, Spiritual Leader
Stay resilient and always be prepared to adapt to change.
Keep learning. Learn from role models. Put knowledge and experience into practice. Walk the talk!