If you read a book about management theory, or specifically cyber security management, you will find lots of frameworks, methods, formulas, models etc. None of them really tell you how insanely hard it can be to defend a moving target where, regardless of how many controls you have, all it takes is someone doing something which may seem bonkers to you but perfectly reasonable to them. Their objective is to do business in an efficient manner; your objective is to protect the business in an efficient manner. Fundamentally these two things are not at odds, but there are a lot of human factors that come into play on top of some serious technical challenges.
The business must keep running; that is a reality that no amount of theory can prepare you for. In the CIA triad, for most organisations A (availability) is King of the HILL!
CIA should probably have been ordered like this, ACI!
This now brings to light a whole set of cyber realities and how they tend to play out in real terms.
Even if you can get leadership buy-in, secure sufficient funding and acquire the relevant skills, you are still not in a great position, because you are likely facing these realities:
- The data is everywhere
- The people are not trained in security
- You cannot know everything, even the best e-discovery tags will not give you all the context you need
- Change is hard
- Reducing freedom (e.g., removing admin rights etc.) is not easy from a human point of view
When we look at business security management, we have a whole range of areas to consider:
- Physical Security
- Personnel Security
- Data Security & Privacy
- Application Security
- Operating System Security
- Network Security
- Supply Chain Security
On top of all this there is also the stark reality: you cannot protect everything, and there is no reality in which there will be 0 incidents. We also need to recognise this:
- Cyber Security is a digital defence domain
- Information security spans multiple areas
- The business players are part of the game, you can’t just make it a “security” problem and ignore the reality that other areas are responsible and need to play their part.
Plan to Fail
Failure in security does not always mean you have failed to lead or manage. You can have a security program that covers a massive range of improvements, you can do all the things within your control to secure an environment, but the fact of life is this:
- Total Control is an illusion
- Total Control is impossible
Have a plan, practise it, and also realise that once you hit the IR button, almost no incident plays out perfectly. Things you have not planned for occur, side channels hit you, unexpected scenarios will occur. You also cannot force everyone in the business who should be cyber ready to be so. Even with training things can go wrong; it is the nature of the business.
A hard task does not mean we should not try and defend
I often hear “well we aren’t a bank” or “we can’t defend against everything so why bother”. That is totally the wrong attitude:
- Not all bank security is great.
- Not trying is negligent.
- It is not just a resource/funding issue, but a lot of orgs do not allocate appropriate funds.
Being pragmatic, realistic etc. is not the same as being defeatist. Can every breach be prevented? No. Can we try? Hell yes!
Business is a journey of risk taking, opportunity exploration and market movements. Cyber security is one aspect of business risk management. On a ship the captain directs; at the end of the day the CEO/MD/Board etc. set the direction. As a security leader you can give advice, but you aren't omnipotent, and even if you get leadership support and investment you still have a world of moving, complex systems and people.
For me, the key is to improve, learn, adapt and move forward. You can't win every round, but you can keep going! Turn the failures, the incidents and the breaches into learning opportunities. Make improvements, for giving up is the only true failure.