One of the biggest failures of the security industry since the beginnings of the internet age has been the separation of its functions from both individuals and businesses. Rather than mesh security with the aims of the organisation and its employees, many decided security was simply a necessary evil, best left to unsocial specialists to cope with. Even within IT, protecting data was often separate from the daily tasks of the team.
The data indicates this has had a wholly negative impact on a business’s ability to protect against digital attacks and respond to them. The Ponemon Institute’s 2013 Cost of Cyber Crime Study showed that over the last four years, the time it takes to resolve an attack has risen by an astonishing 130 per cent.
But times are changing. The siloed approach is, for the good of businesses and internet security as a whole, being culled. What is striking about this progressive new world, in which resilience to digital attacks is core, is that it is non-technical C-level executives who are being asked to lead the way, creating a flexible, holistic approach. They are the ones who can bring together the disparate parts of the organisation and external partners so that everyone knows how to keep themselves and their employer safe from malicious hackers.
“Cyber threats and resilience are not just an issue for the security function: they require the involvement of every discipline within an organisation, its partners and stakeholders,” says Steve Durbin, director of the Information Security Forum, an independent advisory body.
“A co-ordinated approach led by senior business leaders – preferably the chief executive or chief operating officer, certainly a board member – is needed. Organisations need to co-ordinate with customers, suppliers, investors, the media and other stakeholders, so that resilience enables the organisation to prepare and respond to events that are impossible to predict.”
This concept of sharing is at the core of cyber resilience. In sharing information on threats and best practices, organisations are better protected. The UK government is now facilitating such collaboration in earnest. The Cyber Security Information Sharing Partnership has been widely praised by those participating.
In late January, Foreign Secretary William Hague signed the UK up to the World Economic Forum’s principles on cyber resilience, along with 70 companies and government organisations across 15 industries and 25 countries. The aim of the principles is to forge a “responsible and collective approach to ensuring secure, resilient digital global networks”.
The drive for change has also emerged out of frustration at the failures of old, ineffective forms of protection. Anti-virus is continually proven incapable of stopping modern malware, while the firewall has been made almost redundant by the explosion of mobile devices connecting into corporate networks.
To achieve a high level of resilience, security has to stop being a purely technical issue. This, in turn, means techies have to start talking sensibly about data protection to the rest of the business.
“This requires the technical people, who would traditionally focus on point solutions to specific technical threats, to translate the potential impact of security incidents into terms and language that business and non-techy people will understand,” says Brian Honan, founder of security-focused BH Consulting.
Businesses are increasingly carrying out regular stress tests involving employees from inside and outside IT. A recent probe of financial firms’ resilience, known as Operation Waking Shark II, was co-ordinated by the Bank of England, bringing together the City’s big players.
The European Union Agency for Network and Information Security also sets up regular cyber scenarios, looking at how critical infrastructure would respond to a severe attack, such as an attempt to knock power stations offline. Such practices are now filtering down to businesses of all kinds.
While every organisation should consider frequent assessments to determine which holes need filling with security appliances and where policies need updating, more innovative approaches to building resilience at the technological and intelligence levels are emerging.
The term “offensive security” has been gaining traction in recent months. It does not amount to hacking back, as many feared it would, but instead involves the identification of adversaries by planting fake data on a company’s servers, tricking hackers into stealing the information and watching where they go. The attackers remain unaware they are being watched, giving away their tactics and their motives.
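The decoy-data approach described above rests on a simple detection idea: seed records that exist nowhere in real data, then watch logs for those records leaving the network. The following is an added illustration, not code from the article or from any vendor it names; the honeytoken values, the log format and the host names are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed decoy records: values that appear nowhere in real data, so any
# sighting in logs means someone copied them out of the seeded file or table.
HONEYTOKENS = {
    "ACME-CUST-88213-Q7": "decoy customer export, seeded on fileserver-01",
    "INV-2013-000917-ZX": "decoy invoice row, seeded in finance DB",
}

# Constructed egress-proxy log lines: "<time> <src_ip> <dst_host> <method> <url>"
SAMPLE_LOGS = [
    "2013-11-04T09:12:01Z 10.0.4.17 intranet.example.local GET /home",
    "2013-11-04T09:13:44Z 10.0.4.17 paste.example.net POST /api/paste?body=ACME-CUST-88213-Q7%3Bsmith",
    "2013-11-04T09:15:02Z 10.0.9.3 mail.example.local GET /inbox",
    "2013-11-04T09:20:31Z 10.0.4.17 upload.example.org PUT /files/INV-2013-000917-ZX.csv",
    "2013-11-04T09:21:00Z 10.0.2.8 cdn.example.com GET /style.css",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    src_ip: str
    dst_host: str
    token: str
    seeded_at: str

def scan_logs(lines, tokens=HONEYTOKENS):
    """Return one Alert per log line whose URL carries a honeytoken value.

    The destination host is the article's 'where they go': it tells the
    responder where the decoy was sent without interacting with the attacker.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        ts, src, dst, _method, url = m.groups()
        for token, seeded_at in tokens.items():
            if token in url:
                alerts.append(Alert(ts, src, dst, token, seeded_at))
    return alerts

def decoy_destinations(alerts):
    """Group alerts by internal source -> set of hosts that received decoys."""
    out = {}
    for a in alerts:
        out.setdefault(a.src_ip, set()).add(a.dst_host)
    return out
```

Running `scan_logs(SAMPLE_LOGS)` over the constructed lines yields two alerts, both from 10.0.4.17, and `decoy_destinations` shows the two external hosts that received the seeded records.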
Why would a chief executive care about who is hacking them? Dmitri Alperovitch, co-founder and chief technology officer at CrowdStrike, one of the offensive security industry’s best-known providers, gives this simple analogy: if a thief broke into a business’s premises, stole all the files and disappeared, the chief executive would want to know who was behind it. The same goes for the digital realm.
“You won’t find a single company that is not going to be interested in knowing that answer,” he says. That’s another reason why it’s the chief executive, not just the chief information officer, who is pushing for more proactive security.