It is no secret that cyber security risks add complexities that often restrict the process of seamlessly carrying out business transactions. Firms and institutions in a multitude of sectors need solutions that ensure confidentiality, availability, and integrity of sensitive data to avert significant damages to their business.
However, companies should never fall into the trap of thinking that a set of solutions today will deliver them safely from the cyber security threats of tomorrow.
Unfortunately, many managers are becoming tone-deaf to the constant narrative of “it’s not a matter of if you’ll be hacked – it is a matter of when” and are being seduced by vendors that promise “peace of mind.” These promises are dangerous and expensive fantasies that deliver a false sense of security.
That said, business must go on, and we are all responsible for taking pragmatic steps to mitigate cyber security risk. We do this by selecting and applying the right security controls for our businesses.
First things first, though: We need to recognize that there is no “one size fits all” solution. Each sector is different and each business is different, even within the same industry. Moreover, each business has a different risk appetite than its peers.
The right controls for one business will prove excessive for the next, and not enough for the third. Therefore, the first thing that must be established is what is the risk appetite of the organization. That is set either by the board, or by the owner.
The next thing we need to do is get a grip on business assets. What, exactly, are the things of value we are trying to protect, and what are the threats against them? Is it a matter of protecting intellectual property? Customer data? Classified information? Reputation? Is it a question of physical security? Insider threats? In short, what does your world look like, and where are the threats coming from?
It is no accident that the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cybersecurity leads with “Identify” and not with “Prevent.”
There is no “Prevent” in cyber security, and the sooner we get comfortable with that, the sooner we’ll get to the real work of Identifying, Protecting, Detecting, Responding, and Recovering (the five NIST framework functions) from cyber security events.
Once you have identified what it is that warrants protection, the real work begins. Accounting for your organization’s risk appetite and armed with your asset valuation and threat assessments, you are now ready to apply the right controls.
Remember: Controls “do” things. They are not some abstract notion, they do-the-do!
There are four kinds of controls: Preventive, Detective, Corrective, and Compensatory.
Now, you’ll argue, what’s with the “Preventive” controls when one paragraph ago you claimed there is no “Prevent” in cyber security? You’re right, but remember, controls “do things.”
A preventive control, therefore, acts like a barrier to an attack. It hasn’t prevented the attack, but just like the barrier on the street that hopes to stop the runaway truck from hitting the building: it hopes to prevent an aspect of the attack. Think of it as a locked door.
Another example of a preventive control is segregation of duties. Your systems administrator shouldn’t know the database password, and the database administrator shouldn’t know the systems password. Security awareness training is another excellent example of a preventive control.
Detective controls are easier to understand. They detect. They know the door has been opened (e.g., a motion detector), and they do something about it. Either they close it, or alert someone that the door has been opened. Other examples of detective controls include system’s monitoring applications, intrusion detection systems, even anti-virus and anti-malware solutions.
Corrective controls fix or restore the environment. For example, applying the right security patches and upgrades is a corrective control. Restoring your data from backup is another corrective control.
Finally, compensatory controls are those designed to compensate for some of the damage. A disaster recovery site is a compensatory control. Cyber insurance can also be a compensatory control. Even a backup generator, a second set of servers or computers, or the ability to switch over operations at another country, all are compensatory controls.
Keep in mind that there are some solutions that span control classes. For example, an anti-virus/anti-malware solution can be a preventative control, a detective control, and a corrective one all at the same time.
Exactly like in real life, you get your flu shot each year in hopes to prevent the onset of this year’s flu strain. You hope that armed with the inoculation your body will detect the attack of the flu virus and will take corrective action keeping you healthy. Unless, sadly, the new strain is so different than the previous year’s that you still end up in bed sneezing and wheezing away. Which is where your compensatory chicken soup control kicks in, making life a little less miserable.
What is the right blend of controls for your organization? As we discussed, it depends on risk appetite, type of asset, type of threat, regulatory environment, budget, and skillsets. You need to take all this into consideration in developing your defense-in-depth cyber security strategy. Remember: You have a tremendous advantage over your attacker, or any expert: You know your business better than anyone else, and you know what’s of value that needs protection. So, more than any solution out there, trust yourself and your judgement and apply pragmatic controls for this cyber season.
For, next season, you’ll have to do this all over again.
(About the author: Chris Moschovitis is co-author of the critically acclaimed “History of the Internet: 1843 to the Present” as well as a contributor to the “Encyclopedia of Computers and Computer History” and the “Encyclopedia of New Media.” He is cyber security and governance certified (CSX, CISM, and CGEIT), and an active member of ISACA, ISSA, and IEEE. Chris, in addition to his duties as CEO of tmg-emedia, personally leads the cyber security and consulting teams and delivers cyber security awareness training and consulting. He is an active speaker and writer, and delivers workshops on a variety of topics, including Cyber Security, Information Technology Strategy, Governance, and Execution. Chris is working on his latest book “How I Stopped Worrying and Learned to Love the Hackers,” to be published in early 2017. He can be reached at Chris.Moschovitis@tmg-emedia.com)