Moving away from product-centric security
According to feedback from many of my industry peers and clients, the business community has been steadily moving away from a focus on acquiring new security products, towards security services.
This is perhaps not surprising given the looming global shortage of cyber security expertise, but brings with it some important questions. In this article, I look at the problem and propose some potential answers.
Some security capabilities seem out of reach
1) Does this mean that businesses should focus on educated security service procurement?
Yes. I find it heartbreaking to talk to clients that have been sold 'comprehensive' solutions by less than scrupulous vendors and service providers. Clients often know that they need to do something, but are not 100% sure of what that is. They then engage a specialist who (rather than taking the time to understand their business) sells them their highest margin product or service.
Here are a few tips and suggestions for the non-security business when having such discussions:
Do you have some reference clients and can we talk to them about your service?
How does your product / service help us reduce i) the likelihood or ii) the impact of a security issue?
Is your product / service certified, does it comply with any standard, or will it help us to demonstrate compliance (e.g. PCI DSS, CPS 234, Privacy Act)?
What specific security issue (Threat, Vulnerability, etc) does this product or service address and how do we know that it is the most important to invest in?
You have told us that your product / service will reduce our risk. What specific measures or reporting will you put in place to demonstrate this on an ongoing basis?
The consultant advises her client on security measures
2) What are we doing to help businesses make informed investment and procurement decisions?
The short answer is "Not Enough". So what could we do? Standardise cybersecurity products and services, simplify language (ideally bringing it back to a discussion about business risk) and invest in education and training.
Alternatively (just as in other industries such as building, engineering and manufacturing), organisations can use specialists as advocates, arbitrators and advisors.
Here are a few tips to help make informed decisions on procuring security services:
Get references - and check them.
Check for qualifications and certifications such as CREST and ISO 27001.
Ask for samples of reports or deliverables.
Ask for demos and walkthroughs.
Consult with industry analysts such as Gartner or Forrester.
Phone a friend - talk to industry colleagues about their experiences.
The CISO surveys just the surface of their issues
3) Even though security hardware and software continue to evolve, why is the problem space still so large and seemingly insurmountable?
Every business (budget, culture, imperatives, obligations, capability, location, information, technology) is unique; not every threat and vulnerability is relevant to it, and there is no one-size-fits-all set of security controls.
The security gap is based on where a business is at (initial state), where it wants to be (target state), and its appetite and capacity for change (and its ability to sustain that change).
There are many options for technology-based controls for security, but few that take into consideration the People and Process (or service) elements. In addition, the evolution of defensive security measures still lags behind offensive ones.
Similarly, knowing that a system is missing patches and may be vulnerable to certain attacks does not mean that simply patching it is straightforward. Platforms and applications form only part of the full ecosystem, and the defender must also consider the potential (negative) impacts of applying any security control.
Cybersecurity, often like driving at night on a dark road
4) Why do security vendors still use scare tactics to promote their wares?
The short answer is that fear (and the organisational requirement to reduce or avoid risk) still motivates many organisations to invest in security. The problem with this is that the threat landscape is a moving target, often driven by what is happening locally and globally.
The more difficult answer is that security vendors and service providers struggle to properly articulate the positive value (what will the security control actually enable). To provide this requires a lot more business context and requires a deeper understanding of the objectives, the environment, constraints and dependencies.
Here are a few tips to put security products and services in context:
Rather than focus on risk mitigation alone, consider what additional benefits may be achieved. For example, while SSL encryption helps to prevent compromise of the communications between a web browser and a web server, the accompanying certificate also helps to show customers that they are talking to the website they expect (i.e. it helps to build online trust).
Work out where the control fits in the scheme of things: preparation, prevention, detection, response or recovery. Security controls usually address either the likelihood or the consequence of loss or harm from a given threat.
Determine how you (or the provider on your behalf) will demonstrate (and track) the value and performance of the security control on an ongoing basis. If not properly maintained, the value of a security control commonly degrades over time.
Weigh the cost of the service against the potential value, loss or downsides. If the cost is higher than the expected annual (or likely) loss or impact, or if there are better, cheaper controls, the service may not be cost effective or justifiable.
You must be "this" tall to operate the firewall
5) What is the minimum / baseline knowledge required to safely interact with technology?
This is a tricky question as it depends on a number of factors, but one thing is clear: basic security awareness is a key requirement for a modern business. Minimum security knowledge should ideally include:
Keeping systems up to date and patched
Basic antivirus and security software
Safe web browsing and email habits, including being wary of downloads and attachments
Limit sharing of personal information and consider using temporary email services (to help avoid spam and other scams)
Limit the use of untrusted WiFi networks (and consider using a VPN)
Maintain awareness of online threats and scams
Here are some additional tips and thoughts from Kaspersky
AI delivers the first CISO on a chip
6) What are some of the big problems security professionals are trying to solve?
Here are a few of the big problems (not exhaustive):
Application Security and security within the software development lifecycle.
Patching of IoT devices (especially those that are a) numerous, b) geographically dispersed, c) lacking vendor support)
Supply chain security
The shortage of cybersecurity expertise
Workforce resilience and education
It is clear from the list above that AI and automation will be central to security long into the future; however, the next question is where and when the collaboration between security and AI will become more commonplace and less product-centric.
In summary, security is not really something you can buy off a shelf. As a risk management discipline it is an ecosystem that involves People, Process and Technology.
If you would like to talk to us about improving your overall resilience to cyber attack (and not just products and technology) - get in touch.
Author: Clinton Smith