As one of my colleagues likes to put it, "Relying upon static IT security measures is like driving a car but only keeping your eyes open for 5 seconds out of every minute." Sure you may get lucky for a while, but eventually you are going to crash...and burn...quite spectacularly...
Some guidelines on responding to security threats.
By Nick Hopkinson | Published: 10:30 GMT, 18 June 12 | CIO UK
Over the last year cyber security has never been out of the headlines as new dimensions of risk have been exposed and publicised.
They bring into sharp focus the need for organisations to develop a defence strategy that is part of their everyday ongoing operations and which can detect and respond to threats in real time.
The attack on Sony PlayStation was clearly a seismic event for the company both in terms of reputation and financial impact.
However, the attack on security company RSA highlighted the complex plans, ambition and strategic intent of cyber attackers.
In this case it is almost certain RSA was not the prime target but a means to provide a key to unlock the defences of western aerospace and defence companies.
Another significant development has been the proliferation of attacks designed to exploit industrial control systems.
These systems are key to the operation of a wide variety of industrial processes, including power generation and distribution, transport networks and other critical industries.
Previously these systems were separated from corporate networks, but the drive for efficiencies, automation and better customer service is pushing towards widespread networking of these industrial processes, with consequent exposure to new cyber attack vectors.
What is the significance of these developments? Firstly, they are all raising awareness at the corporate level of the new and emerging risks that many organisations in many different industries are facing.
Secondly, they are prompting questions about how these organisations can be protected against the potential damage and disruption of a cyber attack.
Increasingly, security is seen as a corporate risk, no longer the sole preserve of the IT Security Officer or CISO.
Corporate leaders need to understand how they can protect their organisations against the increasingly sophisticated or persistent attacks that can cause such damage.
For those of us working in the security industry the real challenge is defining and communicating an effective strategy which provides the assurance sought by senior executives that the risk is under control.
However, there is no simple solution to this problem: there is no single product, system, policy or practice which can deliver the certainty that many are seeking.
Effective mitigation requires a range of measures, controls and policies configured to manage the specific risks faced by an organisation; the challenge is to present these as a coherent package or strategy which resonates at the senior level.
What is often overlooked is the fact that none of the measures will work without a fundamental shift in the culture which determines how security is viewed and addressed in an organisation.
An operational need
There is one phrase which encapsulates the strategic shift and culture change required in many organisations. We need to operationalise security.
In too many cases security is managed as a static function: security controls and features are designed in as part of the implementation of a new system, and may even be properly implemented and accredited, but thereafter they are not upgraded or enhanced with new releases or to address new vulnerabilities.
Software is patched but this can often take place days, weeks or even months after the patch release; log data is collected from security devices in the network but reports may be issued weeks after the event.
New developments in cyber attacks are followed but organisations are not systematically collating information and intelligence on new attack vectors which could constitute a threat to their business.
To provide the new level of assurance required by our organisations, we need to manage security as an operational activity.
Information, intelligence and log data need to be collected, correlated and analysed in real time providing indicators and warning of likely attacks and attack vectors.
Incidents, alerts and reports need to be issued and acted upon in quick time so that any threats, attacks, anomalous behaviour by systems or individuals can be recognised and investigated quickly.
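The contrast the preceding paragraphs draw, between log data reported weeks later and events correlated as they arrive, can be made concrete with a small streaming correlator. The following is an added example in Python, not code from the article or from CSC: it judges each log line at the moment it is fed in, so the alert carries its own detection latency rather than waiting for a batch report. The syslog-style sshd line format, the thresholds, the IP addresses and every sample line are constructed for the illustration.

```python
"""Streaming correlation of SSH authentication events.

Two rules, evaluated per line as it arrives (added example, not the article's code):
  1. brute_force          - FAIL_THRESHOLD failures from one source within WINDOW_SECONDS
  2. success_after_burst  - a successful login from that source within SUCCESS_GRACE of rule 1
The log format and thresholds below are assumptions chosen for the illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed sshd log shape; the year is included in the timestamp so it parses cleanly.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

FAIL_THRESHOLD = 5    # failures from one source ...
WINDOW_SECONDS = 60   # ... inside this sliding window trigger a burst alert
SUCCESS_GRACE = 300   # a success this soon after a burst is treated as a likely compromise


def parse(line):
    """Return the event fields for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "src": m["src"],
    }


class Correlator:
    """Per-source state so that every line is evaluated when it is seen, not in a later batch."""

    def __init__(self):
        self.failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
        self.burst_at = {}                  # src -> time the most recent burst alert fired

    def feed(self, line):
        """Consume one line; return an alert dict or None."""
        ev = parse(line)
        if ev is None:
            return None
        src, ts = ev["src"], ev["ts"]

        if not ev["ok"]:
            q = self.failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()                 # drop failures that have aged out of the window
            last = self.burst_at.get(src)
            already_alerted = last is not None and (ts - last).total_seconds() <= WINDOW_SECONDS
            if len(q) >= FAIL_THRESHOLD and not already_alerted:
                self.burst_at[src] = ts
                return {"kind": "brute_force", "src": src, "at": ts,
                        "failures": len(q),
                        "latency_s": (ts - q[0]).total_seconds()}  # time from first failure to alert
            return None

        burst = self.burst_at.get(src)
        if burst is not None and (ts - burst).total_seconds() <= SUCCESS_GRACE:
            return {"kind": "success_after_burst", "src": src, "user": ev["user"], "at": ts,
                    "seconds_after_burst": (ts - burst).total_seconds()}
        return None


def run(lines):
    """Feed lines in order and collect the alerts raised, in the order they fired."""
    c = Correlator()
    return [a for a in (c.feed(line) for line in lines) if a]


# Constructed sample log: a burst from 203.0.113.7, unrelated noise, then a success from the burst source.
SAMPLE_LINES = [
    "2012-06-18 10:30:01 sshd[4101]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "2012-06-18 10:30:03 sshd[4103]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "2012-06-18 10:30:05 sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2",
    "2012-06-18 10:30:07 sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2",
    "2012-06-18 10:30:09 sshd[4109]: Failed password for guest from 203.0.113.7 port 51005 ssh2",
    "2012-06-18 10:30:10 sshd[4110]: Accepted password for alice from 192.0.2.10 port 40211 ssh2",
    "2012-06-18 10:30:11 sshd[4111]: Failed password for deploy from 203.0.113.7 port 51006 ssh2",
    "2012-06-18 10:30:12 sshd[4112]: Connection closed by 203.0.113.7",
    "2012-06-18 10:30:40 sshd[4140]: Failed password for backup from 198.51.100.4 port 60010 ssh2",
    "2012-06-18 10:30:51 sshd[4151]: Accepted password for deploy from 203.0.113.7 port 51007 ssh2",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

The alert fires on the fifth failure, eight seconds after the first, and the later success from the same source is flagged within the same minute; the same lines summarised in a weekly report would show the identical facts, but only after the attacker had long since logged in.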
Real time response
In this way an attack may be prevented or the damage minimised.
We need an incident response process and capability which is in place and exercised, like other key resilience and safety systems, enabling rapid recovery and minimising any disruption or cost to the business.
At the same time we need to recognise that not only is the threat evolving and changing but so is the enterprise we are trying to protect and the processes and systems within it.
These need to be monitored and tracked so that new vulnerabilities are not created.
For many people and organisations this represents a real step change in how we view and manage security.
This is the message for our senior executives who are increasingly concerned about the risks posed to their business.
We need to match our response to the nature of the threat, which is constantly and rapidly evolving its focus, targets, motivation, and attack methods.
A truly dynamic cyber defence capability, which is managed as an integral part of business operations, involves constant monitoring, analysis and reporting on security status.
Exercising response and recovery processes will significantly reduce the risk of a breach and provide a much quicker recovery from an attack.
Nick Hopkinson was formerly CIO at GCHQ. He is now cyber security director at CSC: an IT services company providing cyber security solutions for business.