What are you defending?

Friday, 8 November, 2019

In our opinion, most cyber security consultants spent most of their time talking about how things go wrong. One of our mottos at Cydea is “Let’s make things go right.”

One way of doing that - and an important principle that guides us - is by understanding as much as possible about how each organisation works.

We don’t start by asking “Are you defending against all these possible attacks?”

Rather, we start with: “What are you defending?”

Let me explain why.

Frameworks frame, but don’t fix

Many people use frameworks (eg the ISO27000 series, or NIST’s Cybersecurity Framework), in their security programmes. They’re useful tools to guide security teams and programmes. They recommend using a risk assessment to guide implementation, an approach we believe in. They include a handy list you can use to make sure you don’t forget anything. So far, so good.

They’re not exhaustive, but they can be exhausting to implement: ISO27002 has 114 control objectives, the NIST framework has 108 sub-categories. Most organisations end up on a treadmill of implementation and improvement.

Viewed through a “defence against attacks” lens, the challenges are usually about implementing controls, making sure those controls are efficient, and making sure they’re effective. James Hatch, a colleague at BAE Systems, and I ended up visualising them as rungs on a ladder, like this:

  • Being efficient
  • Being effective
  • Implementing controls

Let’s start at the bottom of our ladder, implementation: in any large (or even medium-sized) organisation, it’s easy for important aspects of security to get overlooked, even when you’re using one of those helpful frameworks.

Why? Largely because internal communication is hard, and in organisations, tasks tend to get assigned to sub-divisions that may or may not have a good understanding of security. Assets? They’re handled by IT. People? That’s HR. The people in charge of those divisions are given a checklist to work through, and that’s exactly what they do. That feels like it’s right, it feels like progress being made. Is everything more secure now? Rarely.

Incidents continue. Risk remains unchanged. It turns out that the implementation didn’t work, so we move up to the next level of the pyramid: effectiveness. Most of the organisations we meet tend to find themselves here.

The list of complaints will probably sound familiar to many readers:

  • “We’re still seeing data loss, so we need to retune or redesign our data loss prevention policy.”
  • “People are still breaking in, we need to update our firewall rulesets.”
  • “Staff are still using bad passwords or subject to phishing, we need to run an awareness and education campaign.”

The thinking is always that If we can just make these more effective then everything will be OK. Again, that’s rarely the case in the real world.

In a few cases, some organisations have done the implementation, they’ve done the effectiveness improvements, and senior management weigh in with a new request: make things more efficient. Do more with less.

Every busy CISO will be familiar with what happens next. Constant plate-spinning, fine-tuning and cost-cutting. It’s stressful and difficult.

By this point, the framework has been implemented. Everyone’s done what seems to be the right things. But security remains a problem. What’s gone wrong?

No-one has asked the big question

All this work was prefixed on the most important of foundations: that each organisation knows what it’s defending.

We think there’s a more fundamental rung to the ladder, underpinning and supporting all the others. It’s about understanding your organisation: the business you’re in, the processes you’ve aggregated over time, the things that matter most. All too often the question that gets glossed over, or that no-one has asked is: “What are we defending?”

  • Being efficient
  • Being effective
  • Implementing controls
  • Understanding your organisation

It’s uncomfortable to think about, but in our experience it’s true: too often, organisations investing in security don’t know what they’re trying to protect, who from, where it is, or why. This is the common thread running through many of the most high-profile security incidents of recent years: a lack of organisational understanding. Those incidents are rarely the result of some advanced threat using a zero day exploit to gain unseen access to an organisation. Most of the time, they happen because someone forgot about a years-old database. Or because someone moved jobs, and after they’d left no-one else knew what they knew. Or because someone didn’t know they needed to do something.

A real-world case study

This example comes from our own experience.

In the aftermath of a high-profile, reputation-damaging security incident, one client asked: “Could this happen again?”

The answer was hard to find, because they weren’t sure how many applications they had. The first estimate was 60, but that number grew. When it got to about 120, people starting asking a different question: “How many systems do we have?”

From the start, they didn’t have a good understanding of their estate. They didn’t know what they were defending.

Eventually, they got an answer: over 600 systems and applications. Ten times more than their original estimate.

Starting with that better understanding, the client organisation started simplifying, tackling technical debt, improving business resilience.Within two years, they had halved the number of applications, and reduced headcount, but improved the speed at which they were able to change.

Understanding underpins everything

It’s OK to ask: “What are we defending?” We think it’s one of the most important things business leaders or non-executive directors can ask, especially as part of good governance.

Without the clear understanding that the answer will give you, you’re leaving a lot to chance. Protections designed by framework are a good thing, but making sure that they are implemented appropriately, and then made as effective and efficient as possible, comes down to starting with that basic understanding first.