Over the past year, we’ve witnessed all the hype surrounding cybersecurity finally transform into a frightening new reality, one where corporate and government organizations seem helpless to stop cyberincursions. No need to list statistics or polls anymore to try to quantify the threat: Cyberattacks have become nonstop headline news. The transformation from perceived threat to actual headlines has occurred for the following reasons:
- Hacking, cracking and other forms of cybermischief have reached a level of sophistication equaling (and in many cases surpassing) the capability of most organizations to defend against.
- Those practicing cyberattacks in 2015 are hardened professionals with more years of actual technical security experience than the average IT worker employed to defend against them. The days of the amateur hacking enthusiast are largely gone. Cyberattacks today are conducted by nation states, terrorist groups and crime syndicates. It is no longer a hobby; it is a profession with very high stakes involved.
- Those defending against the current onslaught of cyberattacks are battling the wrong threat: A threat as defined circa 2005. The 2015 threat is not focused on simple disruption; the new threats are “campaigns” which involve complex strategy and tactics to achieve targeted goals. It’s like a war, but it’s a war with hundreds of attackers, thousands of targets and no end in sight.
So, what do we do about it? Last week, President Obama held a Cybersecurity Summit at Stanford University that represented the culmination of nearly five years of federal efforts to redefine how the government will continue to reorganize itself to meet this crisis. It’s been a long process and there is much yet to be done; soon we will likely have a new federal agency dedicated to nothing but cybersecurity intelligence.
But how does that help organizations under attack right now? While it highlights that the government is taking things more seriously, and the new Cybersecurity Framework developed by NIST provides a nice conceptual context for how cyberdefense ought to be approached, it doesn’t do much else yet. The President himself recognized this by calling out to private industry to come together to help solve the challenge. So, now the ball is back in our court.
While the topic of Cyber Consortiums is fascinating, I’d like to address something that nearly every organization can do on its own right now. If your group, company or even agency is concerned with how it can improve its security, there is only one place to start. Organizations with any IT capability (you don’t even need Internet connectivity to be vulnerable) ought to use 2015 to re-evaluate their cybersecurity strategy if they have one, or create one if they don’t.
Here are 10 reasons why your organization needs a (new) cybersecurity strategy this year:
- Chances are good that your assumptions regarding what you’re defending against are wrong (or at least incomplete). Perhaps you’re only concerned about compliance, or network intrusion—there are dozens of things that might have driven your strategy before. How many of them are still valid, and how many have you missed? You’ll probably never find out if you don’t engage in a deliberate effort to question them.
- Having a strategy dedicated to nothing but cybersecurity implies a level of commitment that may not have otherwise been present. Keeping that strategy current and making it specific gives it the power to influence the decisions at the highest level (e.g. not just the IT group).
- Reactive defense is a sure path to defeat. We don’t need a cyber Maginot Line and we already know that won’t work. But how can an organization become more proactive? This begins with the cyber strategy, which takes into account what’s unique about your organization (as well as what’s important to it). All else should derive from that foundation.
- Strategy is the central organizing mechanism for any group or organization. It allows for centralized control, decision-making and is the only way that policy, funding and action can be coordinated to solve a common problem. Again, this isn’t just a statement of principles, but rather a specific set of goals, objectives and the key decisions designed to tackle the challenges.
- In any war, strategy drives tactics; there is no difference for cybersecurity. All of the detailed planning, solution architecture, behavioral response and processes should largely align to what is laid out in the strategy.
- A strategy is the ultimate performance metric. You can use it to highlight your expectations as to how you will perform against the challenge, while outlining the approach necessary towards achieving those expectations. Without a strategy, you can never properly assess your security stance. Keep in mind that the metric should not be based entirely on the threats you’ve seen before; it must extend to those you haven’t experienced yet. Defending against yesterday’s attack won’t protect against many of today’s (and perhaps most of tomorrow’s) dangers.
- Using that metric, your cyber strategy provides accountability to your business stakeholders. It serves as the highest-level contract (or SLA if you will) for what you can and will do to make them and their information secure.
- A cyber strategy is the first step towards helping to fit together organizations attempting to coordinate. Each individual entity in a larger group of companies might share certain parts of their strategy at a high level (and perhaps this is where things like NIST’s Cybersecurity Framework can come in handy). This can allow defenders to collaborate and coordinate just like attackers do now. The key is to make sure not all of the strategy is generic or shared.
- Your cyber strategy can and should provide language that can be passed along to consumers or end-users that illustrates your commitment to security.
- A strategy is just a really good place to start when dealing with complexity—and few things are as complex today as cybersecurity.
Some of you might be thinking that the real battle is counter-warfare at the code or network level, and of course that’s a part of the puzzle. But that’s just the thing: Up until now, we’ve been moving puzzle pieces around without being quite sure of the shape or outline in which they fit. Cybersecurity strategy is the big picture that gives us the chance to begin solving that puzzle; rather than just being experts on three or four pieces, we need to master the picture.
Image: Sergey Nivens/Shutterstock.com