INTELLIGENT ENTERPRISE SECURITY

Digital resilience: a better way to cybersecurity

Your organisation must have resilience as part of its cyber strategy. To make this happen, you must be able to accurately measure and manage your organisation's digital resilience, says Ray Rothrock, Chairman & CEO, RedSeal.

Who says prevention is better than cure? Since the advent of networks and hacking, prevention, coupled with detection, has been the primary cyber strategy to counter cyberattacks. But, with the exponential increase in the pace and complexity of digital connections, and the sophistication of the attackers, this approach is falling short, as the recent worldwide WannaCry attack and Shamoon attacks in KSA so clearly demonstrated.

Clearly, we need more and better prevention. But, here’s the cold, hard truth: It’s not a question of if your organisation will suffer a security breach... but when... no matter how good your prevention is. Cyberattacks are now so advanced that, should a hacker’s attention turn to your company, the attack will almost certainly succeed in getting inside your network. Your mission should be to shut the attacker down... and fast.

You must be able to keep operating and stay productive even while fending off a cyberattack or fixing a vulnerability. A new cyber operating strategy is needed. This new strategy is called resilience, and more specifically – digital resilience.

Digital resilience, coupled with world-class prevention, is your best defence. Fortunately, an attack doesn’t have to equal disaster. To minimise harm and loss, your organisation must be able to operate through impairment and rebound quickly. I’ll say it again: Your organisation must have resilience as part of its cyber strategy. To make this happen, you must be able to accurately measure and manage your organisation’s digital resilience. This is now a crucial line in any effective cyber defence strategy. How do you measure it? You start with knowing your network and providing understandable metrics to the executive leadership.

Network liabilities: people, places, things

Networks evolve. They were built over decades by different people to achieve different goals. And, they are continuing to be built, even faster than ever. But people move on; they change jobs, and this means most companies do not possess a complete and accurate blueprint of their network. Even if those people are still around, the reasons behind a particular design 10 years ago may no longer apply, yet that design is likely still to be in the network.

Rarely is there complete or accurate documentation that shows the true blueprint, design and infrastructure of a network. The result is that these networks are very often fragile, fraught with design flaws and, while they were built with the best intentions by good people, they frequently contain devices with unpatched software, weak or default passwords, or misconfigurations. The first step in addressing digital resilience is for every organisation to truly understand its network – in its entirety – starting with finding all the undocumented assets and understanding how it all works as a system. It is ‘the unknown’ that keeps the CISO up at night.

Leadership liability: lack of visibility

We have to get smarter. We can be smarter. We have to realise that cybersecurity is not a tactical aspect of business; it is a critical strategic function that starts at the top of the business. And, as such, it must be understood at board level. Yes, C-suite and board members may not be equipped to understand all the technicalities of cybersecurity. That’s not their job. But they should at least be able to understand a measurement of their organisation’s digital resilience and understand what the measurement tells them. If done properly, it will tell them how and where to invest; how to make decisions through an impediment; how to make decisions about which assets to protect first; how to respond; how to recover and how to reduce the impact of loss. Measurement also provides a means to discuss cyber investments. A simple question like: if I spend $X, what might be my expected benefit in terms of resilience or security capability? Measuring this capability provides the board with a starting point to have this important conversation in an informed, intelligent manner.

Right now, the kind of overview data available to most executives looks something like the following. The IT department reports that it received 1,000 IDS alerts in the preceding 24-hour period. Maybe it pushed out 200 antivirus signatures in the same period. Or perhaps it implemented 50 device patches across the enterprise with 5,000 devices in the past week. But such a report does not say if the network is at more or less risk based on these activities, or if it is better after their work compared to before. It does not indicate overall risk. In reality, the only knowledge you can draw from such a report is how busy the security team is. That’s a useful number for staffing and budgeting, but it provides zero insight into the network’s resilience in the face of an attack.

The benefits of preparing for a cyberattack extend well beyond the company’s walls. Digital transformation, in the modern world, has made sure that virtually all companies these days are connected. And, given this connectivity, attention must be paid to the fact that a cyberattack can initiate from a company’s own supply chain. Once organisations understand the value of being able to measure and manage their digital resilience, they can demand the same level of insight and accountability from their supply chain, including their partners, their customers and their suppliers. Ideally, this connected resilience will soon form a new line of cyber defence.

The Dutch Renaissance scholar Erasmus of Rotterdam coined the adage ‘prevention is better than cure’ back in the 16th century. But the only network Erasmus dealt with was the network of roads and canals around his city. In the modern cyber world, his slogan doesn’t hold water. But we’re not here to disrespect Erasmus. In fact, we embrace another of his famous adages: ‘Give light and the darkness will disappear of itself.’ In today’s cyber world, this light is in the form of knowing the network and operating with a strategy of digital resilience.

Issue 07, INTELLIGENT TECH CHANNELS