Frederick the Great once told his generals that “to defend everything is to defend nothing.” There is no disputing that IT security and risk management professionals face an escalating and diversifying threat, but nobody has the resources required to defend everything in their organization against every possible attack. In the face of limited resources and an endless array of threats, I believe that there are three strategic facets to mounting a financially responsible and technically effective cyber defense.
The first strategic facet is starting with an asset-based approach to determine your cybersecurity posture. Studies show that 60 percent of organizations that suffer a major data loss fail within six months. Data has become the most valuable asset that many organizations possess, yet a clear financial value for that data has often not been established. Creating a comprehensive inventory of organizational data and determining its financial value is foundational to creating a cybersecurity investment framework. The value of the cash in the corporate operating account is readily apparent to everyone. Fraud activity that results in direct financial loss, like the CEO email scam, is a serious threat, but not one that requires the valuation of data.
Three-Pronged Financial Loss
When the smoke clears, there are essentially three major categories of financial loss related to data. The first and most readily quantified category is the economic value of confidential information like customer lists, proprietary processes, or intellectual property. The financial value of the design data for the company’s top-selling product or the revenue associated with the top three customers should be fairly easy to catalogue.
The second category of financial loss is linked to the disruption of a financial, physical or digital asset that generates product or revenue. In most cases, the financial impact of crypto-locking and Distributed Denial of Service (DDoS) attacks can be quantified long before they happen by simply multiplying the revenue-producing capacity of the asset by the time it will be offline as a result of the attack. Clearly, a website or manufacturing asset that produces $1 million a day is going to justify a larger investment in a more robust cyber defense than one that generates $1 million per year. What is less obvious is what the organization is prepared to pay in the event of this type of attack. Knowing what the “just pay it” number is before the attack occurs can save invaluable time or make it clear when it is time to call the FBI and prepare to fight.
The final category of financial loss is the fines, penalties, and notification expenses associated with the compromise of regulated data. Notification expenses in particular can mount quickly given the patchwork and overlapping nature of international, federal, and state laws regarding notification. Even an incident as straightforward as the accidental exposure of a company’s employees’ Social Security numbers can result in an expensive notification event involving multiple government entities.
Another important consideration that needs to be accounted for is the impact on the organizational brand. Surveys indicate that 86 percent of customers will no longer do business with a company that lost or compromised their personal information. For publicly traded companies, this can represent the loss of millions of dollars in valuation instantly. Every organization has each of these categories of data at some level. A thoughtful and comprehensive cataloguing of all of these potential types of financial loss is crucial to understanding what is really at stake.
The second key strategic facet is moving from a Perimeter Defense model towards an Assumed Breach approach. Far too many organizations still believe that if they spend enough, they can stop a breach at the perimeter. I refer to this as the Kevlar Egg approach. It is the cybersecurity equivalent of wrapping an egg in a Kevlar bulletproof jacket and putting it out there for everyone to shoot at. The Kevlar jacket doesn’t change the inherently fragile nature of the egg, and eventually somebody is going to bring enough offensive firepower to defeat the Kevlar and compromise the security surrounding the egg.
An Assumed Breach approach acknowledges the historical reality that no defender has ever been able to repel a determined attacker with repeated opportunities to attack. According to a recent study, 86 percent of organizations lack the resources necessary to detect a hacker already in their network. Assumed breach does not mean you give up on the perimeter entirely, just that you deploy resources in depth to give yourself more time to monitor and detect unauthorized activity within the environment. The approach also changes the mindset of the defender from “keep them out” to “catch them as early as possible.” If that means your security can “catch them” at the perimeter, all the better!
The third strategic facet is a shift in focus to the idea of Resilience. For most organizations the question is not “if” they will have a cyber incident but “when.” This means that the shift from prevention to rapid recovery is critical to creating a cybersecurity strategy that is resilient. One of the ultimate examples of resilience is the compartmentalized, watertight design of modern warships. If a compartment on an aircraft carrier is compromised by an attack or accident and is exposed to the open sea, the watertight doors in the adjacent sections of the ship are quickly closed and the crew immediately engages in damage control procedures. With the damage contained, the primary mission of the ship can continue and repairs can begin.
IT Security Architects must strive to build more resilient designs that can rapidly detect, respond to, and contain breaches and compromises. Just like damage control teams on a warship, the IT teams and executive leadership need to practice their Incident Handling playbook to make sure that when an incident occurs they respond efficiently and effectively. The failure to have an incident response playbook is the equivalent of a warship without damage control.
Sun Tzu in The Art of War states that “every battle is won or lost before it is fought.” By implementing the three key strategic facets of an asset-based approach, a shift to an assumed breach posture, and a focus on resiliency and rapid recovery, an organization can significantly improve its chances of winning before the cybersecurity incident is actually engaged.