Security – A Misleading Concept?

Currently I am creating a presentation on cyber security as a competitive advantage. It looked like a simple task, but ….

When building a presentation I feel that the content should be meaningful. Starting to think about a good starting point, the fundamentals I need/want to transport and a good starting point i thought it would be a good idea to start with a definition of cyber security.

Defining both words, Cyber and Security I found a definition which is a little bit strange but it was taken from William Gibson’s Novel 1984:

„Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.“ 

Source for the artwork: http://hqwide.com/wallpapers/l/1920×1080/61/artwork_neuromancer_william_gibson_1920x1080_60671.jpg

Another one I found good and better suitable for business purposes was given by the university of maryland

The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.

Source: http://www.umuc.edu/cybersecurity/about/cybersecurity-basics.cfm

I believe this one has a better fit for purpose. Nevertheless it gives a limited view on security issues. Cyberspace is meant to be digitally. But what does that mean related to intellectual property that people have. Information written or printed on paper. Proof of concepts doming from a machine and so on. Short story: What is the representation of non digital Information? From what I found non digital information is not covered by the term “cyber”!

What is the better term to provide a holistic view on security?

To be honest: I didn’t find one. Information is written on paper, stored in brains, computers. Sometimes it is tangible, sometimes not. Sometimes it is related to buildings and other forms that might represent information or a value. The next question deriving from these thoughts:

Is there anything of value that is not related to information?

If you find something please tell me!

Security in general is meant to be a concept that implies protection from harm to any asset.

That is also the reason why we find numerous security functions in enterprises:

  • Corporate security
  • Facility security
  • Information security
  • IT security
  • Cyber Security
  • Data protection

When talking to clients about their security functions I very often hear that there is a wish to add new skills to the organization to cover new threats! When doing this organizations tend to look for reasonable compromises which are more likely to be trade offs. Usually existing structures are maintained (e.g. the IT Security Officer) and new functions like a Cyber Security Department is added to the organization with newly defined responsibilities and different reporting lines.

Looking at the cyber definition again the conflict is obvious! IT security deals with infrastructures. The information protection officer deals with information stored anywhere and the Cyber Security Defense Service feels extremely hip because it is something new, really important having excellent budget and sits on the territory of the CISO, IT SecOfficer and others.

I started to write down where security applies and found numbers of issues and security functions. Most of them have an overlap which I feel that it is ok.

Detection is the new Prevention

In another article I already presented my view on Detection versus Prevention. I believe Detection is key! A huge misunderstanding is that looking at the concept of security the spotlight is on prevention. This might be true but detection is the new prevention. In order to avoid harm to your organization you need to know your enemy and be prepared against almost everything that can happen. You will have to accept hackers to jump into your networks and you will need to be prepared to detect them and fix the damage asap.

What happens here: It is RESILIENCE!

Organizations need to be better prepared to fix security incidents no matter if they are related to buildings, employes, VIPs, IT infrastructure, paper based information etc.

When I came to this conclusion I felt that any security function in an organization is an important feature. It is preventive feature. It helps to detect issues. But recovery from incidents will be more important than we have ever believed.

I feel that a Business Resilience Function in any organization is the key to eliminate conflicts between different security functions and helps to align them to a powerful organization helping with prevention, detection and recovery!

What do you think? I do not know if I am right or wrong! I am really interested to read your views on this! Please share your thoughts with me and the rest of the community!

Advertisements

The link Between a Company’s Supervisory Board and its Security Strategy

Companies Need New Security Strategies

With regard to cloud computing, Bring Your Own Device (BYOD) or Social Networks companies have to think about their security strategy. Whereas the principle of prevention was effective for a long time it is not effective any more. Having a huge number of mobile devices in place, using various storage systems within the enterprise or outside and the demand for flexible and fast collaboration with clients, partners and suppliers nobody is able to predict where a certain piece of data is right now, how often it has been copied or will be tomorrow.
It is just a fact that business critical information does not reside within the perimeters of the enterprise any more.
Given this fact a company can protect its perimeters with huge efforts and be almost save, a weak system outside the enterprise like a social network or a pubic cloud system destroys all efforts of protecting the assets by preventing intrusion in the own infrastructure. The enterprises are simply not in control of prevention system any more.
Another challenge is the complexity of of attacks against enterprise infrastructures. Nowadays more often zero day exploits and strongly customized malicious code is being used, applying advanced persistent threat techniques which leads to the situation that most of the high sophisticated attacks are not recognized by any prevention system like antivirus, intrusion detection / prevention system or firewalls.
These attacks are simply below the radar screen of the traditional security systems.

What are the new Security Strategies to be applied better today than tomorrow?

The prevention of the future is detection! What does that mean? This means that enterprises have to improve their ability to register anomalies in the data flows leading to a more reliable and faster detection of security incidents. There are two main areas of improvement:

  1. Time to detect a security incident caused by APTs or other high sophisticated techniques
  2. Time to fix the issue

Especially the time to detects requires companies to have intense monitoring capabilities in place to ensure reliable detection. By building these capabilities not only the requirements of companies are in scope but also the personal rights of employees are affected. A company going this way will need to have trust within their working councils and from my perspective it is even better to integrate the employees to build trust that these facilities are not only a requirement to secure the enterprise but also the individual.

Any requirement for the supervisory board?

With respect to the supervisory boards requirements to monitor and give advise to C-Levels, a few questions have to be clarified:

  1. Does the internal control system of the enterprise reduce the risk of exposure of employees and management against threats from the outside (e.G. Use of eMail, websites, unknown documents)?
  2. Is a reporting system in place to to indicate potential threats and suspicious activities?
  3. Does the enterprise have a stable detection system in place to uncover security incidents?
  4. Did the company test the effectiveness of detection techniques and includes the results in a continuous improvement process?
  5. Are security incidents adequately reflected in the board of management’s report on the business situation of the company?

Conclusion

In the end this means that companies have numerous options in place to improve security, deal with liabilities of board members and the supervisory board and drive efficient security measures.

I would suggest to keep an eye on two work streams:

  1. Switch of non effective security measures that simply address prevention – Just talk to me and I will assist you to go this way based on a success fee.
  2. Establish a process too ensure that materiality and severity of security incidents becomes transparent to board members and their supervisory boards to ensure conformity to financial reporting standards.

Just in case that you do not believe that security is to be reflected in the financial reporting you should read the Corporate Finance Disclosure Guidance No. 2: Cybersecurity issued by the SEC. You might also want to use Google to find out who was already addressed by the Regulators of the US to have not properly addressed this issue!

What is the bigger threat? Employees or hackers?

Years ago I read an FBI survey on security incidents and a root cause analysis. I didn’t find it again (if you have it – please send it to me) but I can still remember that it said something like almost 70% of security incidents have been caused by employees.

The last survey I found from the United States Secret Service named “2013 US State of Cybercrime Survey” says that only 21% of cybersecurity incidents have been caused by current and former employees (There is a summary availabe from PwC in the US that helps you to avoid reading all this stuff).

Nevertheless I found it really difficult to qualify these information and have a more solid foundation of sources that helps me to better understand and to better argue with my peers.

But as time went by and big data is not just a buzzword but real applications are available I found a website I desperately want to share with you. They analyzed hacks and other security incidents and built categories to classify these hacks.

The result is a really meaning- and beautiful visualization of security breaches and their sources. What strikes me is the possibility to slice and dice industries sources and size of the incident and get a visual presentation.

Bild

I believe that this is one of the most advanced ways to present these figures without leaving room for arguing if the numbers are correct or not. They are simply based on press releases!

My suggestion: Read it and play with it! Click on the graphics and you are forwarded to the website. Enjoy it!

Btw: They also disclose the source of information that leads to this fantastic visualization: Click me!