Information security is not alone

Businesses face a whole spectrum of risks, but rather than waste effort by taking each in isolation, the real dividends will come from a holistic and layered defence, writes Kevin Townsend

Security isn’t working. If it were, Sony, Mitsubishi, Citigroup, RSA, the CIA and FBI, Sega, Nintendo, Gmail and so many others would not have been hacked this year. The problem is that cyberwar is an asymmetrical conflict that favours the criminal – and it needs to be rebalanced.

The first thing is not to abandon what exists. Business must not abandon traditional barrier defences – firewalls, anti-malware, filters, data loss prevention, encryption, access control and so on – just because they aren’t enough on their own. On the contrary, business must redouble its efforts in layered security.

“Only layered security can fully defend the corporate environment, as it’s incredibly risky to rely on just one level of protection against unauthorised access to a network,” explains Mark Reeves, senior vice president international at Entrust. The second step is to abandon the traditional view, if not the traditional defences, of information security. It is not a business category that stands on its own; it is part of the risk mitigation aspect of risk management – and must be treated as part of the overall function of corporate risk.

The third step is that we need to share global threat information. The UK’s new Cyber Security Strategy report is clear on this. Government will, it says, “establish a new operational partnership with the private sector to share information on threats in cyberspace”.

It is less clear on how it will do so; but the model already exists: the cloud. “What’s needed,” says Blue Coat’s Nigel Hawthorn, “is a means to exploit the power of crowds and create a system of sharing that traces threats between millions of users. Like a herd of zebra, we can be the eyes and ears looking out for new threats and keeping each other safe. A collaborative defence cloud system that joins together millions of users, to track and block the malnets that are responsible for launching attacks, will proactively protect users from future attacks.”

Those are three of the major steps that need to be taken to rebalance the battlefield and make cybersecurity work: an increase in layered traditional defences, the adoption of a new holistic and predictive risk management attitude, and the sharing of threat information on a global scale.

LOOKING AT THE BIGGER PICTURE

Bruce McIndoe is president of iJET Intelligent Risk Systems, one of the new breed of companies that takes an holistic view of security and risk management. “Our company is founded on taking a risk management approach to the overall threat in order to provide predictive solutions rather than simple event reporting,” he says.

For example, Mr McIndoe says that as mobility grows in global business, so must our attitudes change. Right now, since security isn’t working, it is easiest for the criminal to hack the system. But as we improve technical security with encryption and location-aware logins, then the travelling user becomes more exposed.

“Criminals are going to start going after the employee rather than trying to circumvent security technically,” he explains. So iJET analyses the overall threat environment around the world, then analyses corporate data exposure, enabling companies to focus their threat mitigation effort on the greatest hazards. This is an attitude that we must develop: a predictive and holistic view of risk management – we need to get ahead of the criminals.