Ray Rothrock, Chairman & CEO of RedSeal, makes the case for a new cyber defense strategy – digital resilience.
WHO SAYS PREVENTION is better than cure? Since the advent of networks and hacking, prevention, coupled with detection, has been the primary cyber strategy to counter cyber attacks. But, with the exponential increase in the pace and complexity of digital connections, and sophistication of the attackers, this approach is falling short as the recent Shamoon attacks in KSA so clearly demonstrated.
Clearly, we need more and better prevention. But, here’s the cold, hard truth: It’s not a question of if your organization will suffer a security breach but when – no matter how good your prevention is. Cyber-attacks are now so advanced that, should a hacker’s attention turn to your company, the attack will almost certainly succeed in getting inside your network. Your mission should be to shut the attacker down – and fast.
You must be able to keep operating and stay productive even while fending off a cyberattack or fixing a vulnerability. A new cyber operating strategy is needed. This new strategy is called resilience, and more specifically – digital resilience. Digital resilience, coupled with world-class prevention, is your best defense.
An attack doesn’t have to equal disaster. To minimize harm and loss, your organization must be able to operate through impairment and rebound quickly. I’ll say it again: Your organization must have resilience as part of your cyber strategy. To make this happen, you must be able to accurately measure and manage your organization’s digital resilience. This is now a crucial line in any effective cyber defense strategy. How do you measure it? You start with knowing your network and providing understandable metrics to the executive leadership.
Network liabilities: People, Places, Things
Networks evolve. They were built over decades by different people to achieve different goals. And, they are continuing to be built, even faster than ever. But people move on, they change jobs, and this means most companies do not possess a complete and accurate blueprint of their network. Even if those people are still around, the reasons behind a particular design ten years ago may no longer apply, yet that design is likely still to be in the network.
Rarely is there complete or accurate documentation that shows the true blueprint, design and infrastructure of a network. The result is that these networks are very often fragile, fraught with design flaws, and while they were built with the best intentions by good people, they frequently contain devices with unpatched software, weak or default passwords or misconfigurations. The first step in addressing digital resilience is for every organization to truly understand its network – in its entirety – starting with finding all the undocumented assets and understanding how it all works as a system. It is “The Unknown” that keeps the CISO up at night.
Leadership liability: Lack of Visibility
We have to get smarter. We can be smarter. We have to realize that cyber security is not a tactical aspect of business—it is a critical strategic function that starts at the top of the business. And as such, it must be understood at the board level. Yes, C-suite and board members may not be equipped to understand all the technicalities of cyber security. That’s not their job. But they should at least be able to understand a measurement of their organization’s digital resilience and understand what the measurement tells them.
If done properly, it will tell them how and where to invest, how to make decisions through an impediment, how to make decisions about which assets to protect first, how to respond, how to recover and how to reduce the impact of loss. Measurement also provides a means to discuss cyber investments. A simple question like “if I spend $X, what might be my expected benefit in terms of resilience or security capability?” Measuring this capability provides the board with a starting point to have this important conversation in an informed, intelligent manner.
Right now, the kind of overview data available to most executives looks something like the following. The IT department reports that it received 1,000 IDS alerts in the preceding 24-hour period. Maybe it pushed out 200 antivirus signatures in the same period. Or perhaps it implemented 50 device patches across the enterprise with 5000 devices in the past week. But such a report does not say if the network is at more or less risk based on these activities, or if it is better after their work compared to before. It does not indicate overall risk. In reality, the only knowledge you can draw from such a report is how busy the security team is. That’s a useful number for staffing and budgeting but it provides zero insight to the network’s resilience in the face of an attack.
Resilience and preparation
The benefits of preparing for a cyber attack extend well beyond the company walls. Digital transformation, in the modern world, has made sure that virtually all companies these days are connected. And, given this connectivity, attention must be paid to the fact that a cyber-attack can initiate from a company’s own supply chain. Once organizations understand the value of being able to measure and manage their digital resilience, they can demand the same level of insight and accountability from their supply chain – containing their partners, their customers and their suppliers. Ideally, this connected resilience will soon form a new line of cyber defense.
The Dutch Renaissance scholar Erasmus of Rotterdam coined the adage “prevention is better than cure” back in the 16th century. But the only network Erasmus dealt with was the network of roads and canals around his city. In the modern cyber world, his slogan doesn’t hold water. But we’re not here to diss on Erasmus. In fact, we embrace another of his famous adages: “Give light and the darkness will disappear of itself.”
In today’s cyber work, this light is in the form of knowing the network and operating with a strategy of digital resilience.