Cybersecurity: Hype vs. Reality
Effective cybersecurity has always relied on three components – people, process and technology. However, each of these components typically presents its own challenges, compounded by an industry often driven by fear and hype. It’s no wonder organisations struggle to put in place relevant, proportional, and effective cybersecurity measures.
There is no shortage of alarming articles written about the cybersecurity threats organisations face. Make no mistake: the threat is real, and increasing – but there seems to be a new, worse threat every time a new product is launched – and if they are not prepared appropriately, organisations may fail to protect themselves.
Effective responses need to be realistic. In order to take a pragmatic and proportional view of the risks that companies face, it’s first necessary to cut through some of the hype.
When the information security industry first began to tackle the rising threat of cybercrime in a coordinated fashion, it took the concept of cybersecurity and divided it into manageable steps. It then developed standards or frameworks to describe those steps. The problem is that we didn’t create just one standard. In South Africa alone, we have about twenty standards. Globally, there are hundreds more.
These frameworks prescribe what ought to be done in order to deliver information security. The problem is that their prescriptions are often vague. Every organisation’s risk profile is different, so its security needs are different. Guidelines need to be interpreted in order to implement them in the context of specific environments, goals and risk appetites.
People, process, and skills
Once we understand our needs and context we can move on to implementation. Effective implementation requires three complementary pillars – people, process and technology – all working in concert. However, this is not often the case.
In both South Africa and globally, the missing element when it comes to people is skills: there is a shortage. Research indicates that as many as one third of required cybersecurity positions will remain unfilled over the next two to three years.
With regard to process, many technologies aren’t completely integrated yet, as organisations find it difficult to decide what ought to be automated and what ought to stay in human hands. At this stage more terms (machine learning, AI) will be bandied about. An interesting conundrum in this regard is that, given the skills gap, there should be more automation taking place. However, skilled people are needed to define parameters and set up such automation.
The final pillar involves the technological controls. Here, the problem is not that there aren’t enough of them, but that we have too many. At the RSA Conference this year, there were over 700 vendors on the exhibition floor. There are more than 2 000 in total. That’s up from around 1 500 just over a year ago. Currently, the sheer number of vendors out there is bad for the industry. Getting their products to communicate with one another adds cost, complexity, and skills requirements to businesses.
The threat is real, it is increasing, and it is often exaggerated or ill-defined. There are hundreds of standards and guidelines out there that are supposed to provide direction, but some create more confusion than they dispel.
Faced with this proliferation of solutions and limited skills, as well as limited budgets and time, we decided as a system integrator to take some of the burden off our customers. We started analysing the most common standards. We listed the specific recommendations outlined in each. We organised these, got rid of duplicates, and arranged them into six logical steps, comprising approximately 70 specific actions or controls:
- Discover – This step establishes the parameters for further planning.
- Understand – Involves taking a closer look at existing systems and weaknesses, as well as assessing anything from periodic penetration testing or vulnerability assessments, to audits or risk assessments, screening personnel, or scanning application code for vulnerabilities.
- Protection – This step contains the bulk of your security controls.
- You need to monitor continuously and report on the results of that monitoring immediately.
When it comes to implementation, there are two broad strategies:
- Maintaining security controls
- Outsourcing them
If you’re going to maintain your own controls, you must first have the skills needed to do so. The necessary skills depend on the number of controls you need, and the degree to which they need to be entrenched. You need the right skills to implement them, manage them, understand the information they’re providing and remediate incidents that arise. This is a challenge in a scarce-skills environment, but if you’re smart about it, it’s not impossible; many organisations successfully assemble the right teams.
To make this process easier, the number of vendors used needs to be reduced. In a project for a large financial institution, unpacking their estate revealed that they were using over fifty separate vendors. This is high, but not atypical for such an organisation. This “vendor sprawl” is understandable: it comes out of two mind-sets that have been prevalent in cybersecurity:
- The first is “best in breed” – you buy the best possible solution for each individual control.
- The second is “defence in depth” – which recommends multiple layers to achieve a control.
There is merit in both of those approaches. But both introduce complexity, sometimes to a degree that is self-defeating.
Reducing the overall number of vendors reduces overall skills requirements. If there are two controls from the same vendor, even if they’re built on different platforms, there is hope that the interfaces and the skill-set required to use them are similar.
Vendors are quickly realising that a culture of collaboration might better suit their objectives. Two vendors might not necessarily compete, and if their products complement and communicate with one another, employing both of them presents a more attractive proposition to CIOs. A ray of light in the gloom of vendor choice is that there is likely to be more collaboration, joint platforms and standardised suites of services made available.
If the necessary internal expertise isn’t available, organisations should consider outsourcing specific functions or the management of specific controls. Outsourced cybersecurity providers are likely to have highly skilled resources delivering on security requirements, with the added benefit of knowledge gained across more than one environment.
However, it is still the organisation’s responsibility to measure outsourcing effectiveness, and if a hybrid system is adopted, the organisation needs to ensure that in-house and outsourced functions are effectively integrated.
The key is to understand!
There’s a lot of hype out there. There are also real threats, real vulnerabilities, and a real need to stay up to date. That means that the first and most critical step, and the only way of staying secure without a proliferation of cost and complexity, is to properly understand the landscape and context and build out a plan or strategy that is consistently executed.