Can an application or organisation exist in two states at the same time, and why does this often take a security assessment to determine which?

(Image: a very young kitten on a lounge cautiously peers out from under a shaggy blanket. Caption: Gratuitous kitten photo)

I am told that many great journeys on the Internet start with pictures of kittens, so for the cat lovers out there - you're welcome.


Recent security assessment work for a client led me to ask some questions:

  1. If the client had not engaged us to perform the assessment, would things have stayed the same (or even gotten worse)?

  2. What specifically about an impending security assessment can lead to security improvements?

  3. If the intention of security assessment is to proactively identify risk, why are there still pockets of industry who may feel embarrassed or resistant to knowing how things really are?

(Image: a young teacher writes mathematical equations on a whiteboard. Caption: WARNING: Science Content)

First, some background. Students of scientific history will remember a thought experiment which involved a box, a cat and some unpleasant outcomes for the cat. This introduced the concept of superposition (i.e. that something can exist in multiple [undetermined] states until an observation is made).


Prior to security assessment, the hope and assumption from most clients is that all is well with their environment.

When a security assessment is planned, there may be a corresponding flurry of activity to patch systems, disable debugging, remove test data, remove old admin accounts, upgrade ancient middleware applications, disable unused services, and so on.

So, before the assessment has even commenced, the environment may actually become more secure.

Why does this happen? Well, just as the hapless cat in the box would (if it was aware of the dastardly plans by the mad scientist) probably take steps to either not get in the box or somehow free itself, avoiding negative findings around an environment by taking precautions is a pretty logical thing to do.

Why does it often happen just before (or sometimes during) an assessment? This usually comes down to over-work, lack of resources or prioritisation issues (organisationally or at the team level).

(Image: three young people sit in a semicircle around three Apple MacBooks, two pointing to the middle screen and one looking on intently. Caption: A group of developers excited to help improve security)

What can we learn from this behaviour and harness it for the forces of good? If security and risk management are not given sufficient time, prioritisation and resourcing as well as clear [achievable] targets and expectations, the result will usually be a reactive and chaotic approach.

Harnessing this behaviour therefore requires the following foundational things to be in place:

  1. Ensuring there is clarity on the business value and importance of an asset (or service)

  2. Ensuring there is prioritisation of these assets (or services) in much the same way as business continuity plans require

  3. Setting realistic targets for security and risk management outcomes (e.g. patching etc)

  4. Measuring performance against these targets to help highlight any challenges and issues

  5. Ensuring that specific time and adequate resourcing is allocated to the management of security and risk to achieve the stated targets

If you would like to talk to us about proactive services to help prioritise and plan your security controls - get in touch.

Author: Clinton Smith


With the increased demand on remote working and connectivity due to the coronavirus, the role of an internal security operations team is becoming increasingly challenging. Teleworking and the volume of data, number of systems, complexity of networks and sophistication and capability of the adversary have increased faster than our capacity to respond.

With many organisations being forced to bench any contract staff, security operations teams are often overloaded, under-resourced, and jumping from crisis to crisis. Articles and presentations have started to capture this concerning trend.

Each day can seem like walking through the egg room scene in Alien. Any moment, the next face-hugging threat can burst forth and attack.

The tricky challenge is to balance the need to apply business context to security events and controls against the benefits of leveraging external capacity and skills, introducing automation for efficiency, and reducing monotony for internal teams by outsourcing repetitive or generic activities.

Here are some suggestions to consider when filtering and prioritising security issues as they arise:

  • What is the potential real business risk or consequence, and who (and how many) will be impacted? This requires an understanding of not just the number of customers in a given system but also the type of service and business conducted (e.g. private banking).

  • How long has the security issue / vulnerability / event / threat been present, and has the impact grown, stayed the same or decreased? A new, fast growing threat may need to be addressed more quickly due to the lack of established controls and potential for evolution.

  • What is the point of decision / action, when must it be made, and by whom? This is especially important to know. Some decisions can and should be made long in advance of an incident: ask each system / service / information owner to agree on the conditions for 1) declaring a security incident (e.g. compromise of a single account vs website defacement), and 2) requiring immediate quarantine or shutdown.

  • Are we equipped (capacity, skills, tools, services, organisational mandate) to address the issue? No orchestral conductor would perform without a good understanding of the music being made, the capability of the musicians and the instruments they have; likewise, security teams need a plan and access to (and competence with) the right tools and external services.

  • Are there larger controls that we can or should leverage (e.g. DR, BCP, etc)? Sometimes response is much larger than just the security component and will require organisational coordination (e.g. HR, Legal, PR, Contact Centres etc).

  • If we have high volume and low impacts for a particular event (e.g. Phishing) - can we create playbooks or leverage automation (Response and Recovery)?

  • If we have low volume and high impacts for a particular event (e.g. DDoS) - can we leverage defensive (Preventative) controls?

  • Have we considered long running or concurrent incidents? e.g. having shifts or delegated working groups?

As an important side note, the issue of mental health and PTSD is serious and affects many people. If you or someone you know needs support take a look at Beyond Blue.

If you would like to talk to us about services to reduce your stress and effort in managing cybersecurity - get in touch.

Author: Clinton Smith


According to feedback from many of my industry peers and clients, the business community has been steadily moving away from a focus of acquiring new security products, towards security services.

This is perhaps not surprising given the looming global shortage of cyber security expertise, but brings with it some important questions. In this article, I look at the problem and propose some potential answers.

(Image: a very small child in a supermarket stretches his arm high to grab a toy car off the shelf. Caption: Some security capabilities seem out of reach)

1) Does this mean that businesses should focus on educated security service procurement?

Yes. I find it heartbreaking to talk to clients that have been sold 'comprehensive' solutions by less than scrupulous vendors and service providers. Clients often know that they need to do something, but are not 100% sure of what that is. They then engage a specialist who (rather than taking the time to understand their business) sells them their highest margin product or service.

Here are a few tips and suggestions for the non-security business when having such discussions:

  • Do you have some reference clients and can we talk to them about your service?

  • How does your product / service help us i) reduce the likelihood or ii) impact of a security issue?

  • Is your product / service certified, does it comply with any standard, or will it help us to demonstrate compliance (e.g. PCI DSS, CPS 234, Privacy Act)?

  • What specific security issue (Threat, Vulnerability, etc) does this product or service address and how do we know that it is the most important to invest in?

  • You have told us that your product / service will reduce our risk. What specific measures or reporting will you put in place to demonstrate this on an ongoing basis?

(Image: two young women in a fashion store looking at swatches. Caption: The consultant advises her client on security measures)

2) What are we doing to help businesses make informed investment and procurement decisions?

The short answer is "Not Enough". So what could we do? Standardise cybersecurity products and services, simplify language (ideally bringing it back to a discussion about business risk) and invest in education and training.

Alternatively (just as in other industries such as building, engineering and manufacturing), organisations can use specialists as advocates, arbitrators and advisors.

Here are a few tips to help make informed decisions on procuring security services:

  • Get references - and check them.

  • Check for qualifications and certifications such as CREST and ISO 27001.

  • Ask for samples of reports or deliverables.

  • Ask for demos and walkthroughs.

  • Consult with industry analysts such as Gartner or Forrester.

  • Phone a friend - talk to industry colleagues about their experiences.

(Image: two explorers in red jackets in the foreground against a frozen landscape of snow, mountains and a lake beneath a partly cloudy blue sky. Caption: The CISO surveys just the surface of their issues)

3) Even though security hardware and software continue to evolve, why is the problem space still so large and seemingly insurmountable?

Every business (budget, culture, imperatives, obligations, capability, location, information, technology) is unique; not every threat and vulnerability is relevant, and there is no one-size-fits-all set of security controls.

The security gap is based on where a business is at (initial state), where it wants to be (target state), and its appetite and capacity for change (and ability to sustain the change).

There are many options for technology-based security controls but few that take into consideration the People and Process (or service) elements. In addition, the evolution of defensive security measures still lags behind offensive ones.

Knowing that a system is missing patches and may be vulnerable to certain attacks does not mean that simply patching is straightforward. Platforms and applications form only part of the full ecosystem, and the role of the defender in cybersecurity must also consider the potential (negative) impacts of applying any security control.

(Image: a man stands in the middle of a wet, dark road as a car with headlights ablaze approaches. Caption: Cybersecurity, often like driving at night on a dark road)

4) Why do security vendors still use scare tactics to promote their wares?

The short answer is that fear (and the organisational requirement to reduce/avoid risk) still motivates many organisations to invest in security. The problem with this is that the threat landscape is a moving target and often depends on what is happening locally and globally.

The more difficult answer is that security vendors and service providers struggle to properly articulate the positive value (what will the security control actually enable). To provide this requires a lot more business context and requires a deeper understanding of the objectives, the environment, constraints and dependencies.

Here are a few tips to put security products and services in context:

  • Rather than focus on risk mitigation alone, consider what additional benefits may be able to be achieved. e.g. While SSL Encryption helps to avoid compromise of the communications between a web browser and a web server, it also helps to show a customer that they are talking to the website that they expect to be (i.e. helps to build online trust).

  • Work out where the control fits in the scheme of things. Preparation, Prevention, Detection, Response or Recovery. Usually security controls can help to address the Likelihood or Consequence of Loss or Harm from a given threat.

  • Determine how you (or the provider on your behalf) will demonstrate (and track) the value and performance of the security control on an ongoing basis. If not properly maintained, it is common for the value of a security control to degrade over time.

  • Weigh the cost of the service against the potential value, loss or downsides. If the cost is higher than the expected annual (or likely) loss or impact (or if there are better, cheaper controls) some services may not be so cost effective or justifiable.

(Image: a mother and child sit harnessed in an amusement arcade ride, glee and excitement visible on their faces. Caption: You must be "this" tall to operate the firewall)

5) What is the minimum / baseline knowledge required to safely interact with technology?

This is a tricky question as it depends on a number of factors, but one thing is clear: basic security awareness is a key requirement for a modern business. Minimum security knowledge should ideally include:

  • Keeping systems up to date and patched

  • Basic antivirus and security software

  • Safe web browsing and email habits, and being wary of downloads and attachments

  • Limit sharing of personal information and consider using temporary email services (to help avoid spam and other scams)

  • Limit the use of untrusted WiFi networks (and consider using a VPN)

  • Maintain awareness of online threats and scams

Here are some additional tips and thoughts from Kaspersky.

(Image: a computer chip is examined under a lighted microscope. Caption: AI delivers the first CISO on a chip)

6) What are some of the big problems security professionals are trying to solve?

Here are a few of the big problems (not exhaustive):

  • Application Security and security within the software development lifecycle.

  • Patching of IoT devices (especially those that are a] numerous, b] geographically dispersed, c] lacking vendor support)

  • Supply chain security

  • The shortage of cybersecurity expertise

  • Workforce resilience and education

It is clear from the list above that AI and automation will be central to security long into the future; however, the next question is where and when the collaboration between security and AI will become more commonplace and less product-centric.

In summary, security is not really something you can buy off a shelf. As a risk management discipline it is an ecosystem that involves People, Process and Technology.

If you would like to talk to us about improving your overall resilience to cyber attack (and not just products and technology) - get in touch.

Author: Clinton Smith
