It seems in today’s cyber security community that everyone is an expert! The embracing of social media outlets, the waves of security conferences, webinars and coverage in the mainstream media has seen a huge increase in the profile of cyber security, but not all of it is good. There is a myriad of commentary out there that lacks depth of understanding of the subject matter. The nuances that separate cyber security from the core InfoSec practices. Albeit closely aligned and feeding off each other there are differences.
The reams of information professing to offer insights into cyber security, in my opinion, does more harm than good. It serves little more than to perpetuate myths, feed false information, build confusion and NOT bring the community forward in terms of maturity, focus and thinking. Having said that it is not all without content and context, but the thorough expert insights tend to get lost in the need for ‘experts’ to be heard to be saying something and vendors trying to sell (well it is their job!) technological panaceas to combat the latest, greatest, biggest and baddest sophisticated threats.
Don’t fall into the trap of terminology misuse and mythology. For example with APT (which is a hugely overused and misunderstood term), if you reverse it (TPA) and look at it from that perspective, you will first detect a threat (T). From analysing the data and information of events and attacks you may find commonality or relationships that enable you to link multiple events or attacks to a particular threat actor (attribution), which indicates that the threat actor is persistent (PT). You can then analyse the behaviour of that threat actor to determine their sophistication, tools, capability, operational tempo etc. and possibly conclude with confidence that they are advanced (APT).
On that topic let’s just set one thing straight before delving into the wider world of cyber security. Threats are getting more sophisticated! Of course they are. Just look at how people, processes and technology have advanced across IT and business in general. Why would threats not evolve in a similar fashion? Having said all that, a good dose of hygiene done well will stand any organisation in good stead against the vast majority of threats out there. I know it’s an old adage, a tired message, a broken record, but it is true. The consistent message across the security community for years and years has been to cover the basics. Get your basic cyber hygiene nailed!
The time is absolutely ripe for board level conversations regarding the need for cyber security. The volume of high profile breaches and financial and reputational impact has got the highest attention. In order to get the best from those conversations you really need to have a plan in mind, not only to advise on current risk exposure, but also to drive home the need for enhanced capabilities. You’ve got to strike while the iron is hot and the boardroom door is open to cyber conversations, but you cannot go in cold and wing it. If you can get that initial buy-in then you’ll need to follow it up with a firmer and more robust proposal.
The purpose of this paper is to walk through common aspects of cyber security and bring a sense of practical reality to them to hopefully help with that framing conversation. It is a view from the inside of the cyber security community, from someone that has built capabilities and actively undertaken defence of an organisation, simply trying to break down the common components therein.
It is designed to give the reader an overview of developing a cyber security capability, from initial scope and outset to the fully established and mature, hopefully in a manner that is easily readable and digestible.
This is just my thoughts on the subject of cyber security. It does not make me an expert or thought leader as I would consider myself as neither. I am learning every day as I understand more and more of the nuances of cyber security and as new standards and frameworks develop and evolve. What I do, and what I would recommend all readers to do is research, read, talk and ask questions.