Navigating cyberspace needs vigilance, as it can be a double-edged sword: it puts you in the fast lane with more user-friendly automation and smarter devices, but it also exposes you to hidden traps and vulnerabilities yet to be discovered by an adversary. Read on for how we can still fail gracefully.
It's reaching the end of 2014, and it's a great festive time to take some time off from work and be with your loved ones.
This is also the phishers' opportunity to use festive bait to lure and capture a bigger pool of "fishes". Check out the spam eCards and scam donation messages in your email inbox and the countless e-greeting emails from retailers. Do not click or open unsolicited email attachments, or you will be their next victim. Cyber security takes no timeout. In fact, "no time out" is no exaggeration: no one can assume safety from such cyber threats, even after recovering from one.
With more cyber incidents hitting the news headlines, we need to prevent failures from recurring and safeguard our future business endeavours. It is never too late to start preparing for 2015. Shake off your procrastination.
Stock Taking - What are the Good Fails and Bad Fails
Start by listing all significant past ICT (information and communications technology) related "Fails". Identify the documented lessons from every after-action review of a breach, no matter how minor. Categorise them into the good and bad fails described below. The whole gist is to ensure that past lessons are not simply closeted away, and that the organisation has learned from them and done something about them.
The Good Fails
This refers to sound security principles: by default, "fail secure" or "fail closed" in the event of a breach. When a breach is detected, security is the utmost priority so that all damage can be contained. However, this strict principle needs to be balanced against business priorities so that the service level commitment to customers is maintained. The enterprise IT team cannot simply "press the stop button" on the firewall, denying all ingress and egress traffic. Another critical consideration is human safety, where "fail secure" or "fail closed" does not work. Imagine the case where the fire alarms are activated: the strict principle would lock all doors, denying entry and trapping anyone who needs to exit. Instead, consider the options of "fail safe" or "fail open" measures. Set aside a phase to perform a risk assessment on the appropriate use of each security measure.
The Bad Fails
This refers to taking trust for granted by assuming claimed security and safety. Protections are assumed to put in place the necessary safeguards for the business. But no project manager is flawless. No application is bug free. No security technology is 100 per cent foolproof. This worsens if complacency sets in. An existing security capability in place does not necessarily close the exposure. To rectify this flawed perception, we need constant monitoring and oversight of security controls and measures. As part of the risk assessment in the business plan, incorporate clear deliverables that establish verifiable proof for all security measures.
Wearing the hats of "Fail" actors
Put the different security processes in context for a better chance of convincing stakeholders on security investments. Selling fear should not be part of your security strategy, though it can serve as an introduction to becoming aware. We can wear the hats of consumers and service providers and put in context how business services can avoid or minimise exposure.
Avoid "failing as a Consumer"
Cyber security is a shared responsibility. As end users or consumers, we need to see what lies below the waterline of the iceberg. What lies beneath can be threatening too, and is mostly neglected. We should prepare for unknown threats. Heighten existing security measures to address the new risks and imminent threats that come with upcoming ICT initiatives. List out the risks, threat actors and vulnerabilities related to implementing each initiative, and recommend the appropriate measures to mitigate and remediate the exposure in a timely fashion. Recommended security measures should have minimal business impact and fulfil the business's functional and operational needs.
- Reduce manual intervention and add smarter security embedded in Internet of Everything (IoE) technology
- Reduce single factor (user/password) checks, and add multi-factor checks (biometric, one time password, token)
- Reduce denial of pervasive social e-services, and add seamless online identity verification
- Reduce the false sense of security by adding more security tests
- Reduce the emphasis on perimeter-only defense and add more access deterrence
Avoid "failing as Provider"
As managed service providers we play a big role in delivering reliable and secure services. Making sure there is no laxity in secure delivery requires seeing beyond the iceberg and anticipating imminent threats. The provider's managed services presence and wide cloud service portfolio should not tolerate any oversight on critical matters such as data sovereignty and regulatory changes. Upon detecting a service breach, negligence and oversight causing slow or no response is not excusable.
The adversary is no longer the exploring script kiddie, but multi-faceted groups: from the cyber-hacktivist seeking attention, to organised criminals selling off digital loot, to state-sponsored hackers behind covert espionage campaigns. Not only must we ensure data confidentiality, integrity and availability, we must make sure not to neglect customer privacy concerns. Take well-calculated risks in all innovations newly extended to existing business services. Measure up the defenses and examine any additional preparation that might be required. Reach a consensus on all acceptable risks, and inform your customers. Remain effective in continuous service delivery by eliminating complex security measures. Explore the information security community to stay informed about cyber threats, experiences and insights. Consider upcoming business trends that might require adjusting existing defense postures and strategies or adopting new ones.
- As the demand for 'bricks and mortar' declines, there will be more user demands for 'Click and order' requiring an emphasis on consumer security education as part of service portfolio offering.
- As the demand for plain vanilla services declines, there will be more extensive service offerings mandated, including a comprehensive security baseline for all services.
- More quantified and transparent measurements in business value and service health will require additional security investments in the service subscription.
- Misses and gaps leading to Snowden-like incidents will require more trustworthy service delivery, including ensuring information confidentiality using proven and well tested non-proprietary cryptography schemes.
- The distinction between network operations and security operations must be reduced, with more concerted efforts for overall timely incident response. Increase overall situation awareness across all customer services augmented with actionable intelligence from both network and cyber security analytics.
Security does not call the shots
The observation that security is a process, not a product, still stands. Pragmatically, security is an additional cost and is always perceived as a showstopper by project teams. Security is frequently an afterthought, causing qualms about unforecasted budget expenditure. But this is changing: the "chief information security officer" post has been created to sit among the senior executives. Security budgets are being allocated, especially in the financial sector after the bad hits on major banks.
The cyber reality is ugly. Companies are still trying to keep pace with the bad guys. We should not procrastinate any longer. Be conscious of the "Fails". Wear the hats of individuals and providers in planning out your 2015 cyber security plan. Start now to augment existing defenses with service resilience. Always be ready to answer: "How quickly would we recognise an attack, and how effectively and readily could we stop it?"
Pardon me. I will review and revise the article and re-submit. I will try to keep the article tighter, with more concise and streamlined content and intent. My intent is also not to blast the reader with too many statistics or too many links, which divert the reader's attention too; I will use them sparingly and as needed.
By the way, CISO is Chief Information Security Officer, who is the overall IC for security matters and is (supposedly) to be advising the CIO. The latter is normally the CISO's superior. I will remove that since it can confuse the reader. The emphasis is still on the failure factors instead of the CISO.