“If we guard our toothbrushes and diamonds with the equal zeal, we will lose fewer toothbrushes and more diamonds.” – McGeorge Bundy, National Security Advisor to Presidents Kennedy and Johnson
If your home was in the path of a Category 5 hurricane, would you, 1) create a sandbag perimeter to protect all your possessions, or 2) grab what is most valuable and can fit in your car, and race to safety? When it comes to protecting data, most companies choose the equivalent of option 1, because that’s the way it’s always been done. And it’s the riskiest approach.
In our personal lives, when confronted by an imminent threat, most of us would likely consult with our closest loved ones and prioritize what we most want to protect. Enterprise security chiefs need to take that same approach with business leaders to craft a risk-based security program that prioritizes data and assets that are most important to your business.
If your cyber security strategy assumes that you can protect all IT assets, you’re placing your company and your career, at risk. You cannot realistically protect against threats you don’t know about, and in today’s connected world those threats are ever-present and multiplying rapidly. The assumption we can actually control anything within our sphere of control is false; we are often not even aware of devices, software, or users who are residing within that sphere.
Virtually all business cyber defenses were designed for a world that no longer exists. The days when business users communicated only within the boundaries of the enterprise network are long gone. Devices you don’t control are coming into your environment every day, and users are connecting to applications you don’t control. You can’t stop those users from bringing devices into your environment or from connecting to applications outside it communicating with the outside world, or prohibit outsiders from interacting with the business, but you can ensure they don’t have access to your most critical assets.
Establishing a risk threshold
CISOs and CIOs need to scrap the concept of perimeter-based defenses and adopt a risk-based strategy that isolates users from the data and systems, that if compromised would cause the most harm. This is no easy task, for sure. But it must begin by engaging with the business to forge agreement on what is an acceptable risk threshold. By this, I mean a threshold above which the degree of damage to your business is unacceptable, whether that means a service interruption, of the theft of specific intellectual property, or the loss of data.
Anything above that threshold should be protected absolutely, which means eliminating network access. That may sound incongruous with today’s concept of unlimited connectivity, but it really isn’t. Most security defenses are based on the theory that if we can stop, identify, or track a network intruder, then we can halt or mitigate the damage. This is inside-out thinking.
We know outsiders can find gaps in even the best of defenses if there is an internet connection to the enterprise network. And, whether the danger is from an outsider or an insider, once they are on the corporate network they are limited only by their ability to elude or circumvent your current protections. But why are we granting network access privileges to begin with, when most internal and external users only need access to specific applications?
What are acceptable risks?
Talk to a typical CFO about the types of endpoint and datacenter protections you’ve implemented, and before long you’re likely to see her eyes glaze over. Talk about business risk management and that same CFO is likely to engage in a dynamic dialog.
Business leaders, generally, neither care nor understand the tactical implementation of cyber security or its implications on the business. The assumption is that is what CIOs and CISOs are paid to take care of. And, when the security policy is discussed at a technical level, few on the business side are aware that they, their subordinates and all the external parties they interact with are constantly engaged in risky behavior.
Any individual today with an internet connection and some type of computing device is constantly swapping unencrypted email, surfing potentially malevolent web sites, and sharing information on social media with people they don’t know. Any of these actions can infect internal networks with malware or provider outsiders with unintended access into the network.
Nobody, certainly in this era of digital transformation and corporate agility, wants to handcuff the business. Nor is it reasonable to expect that users will abide by the imposition of arbitrary restrictions—it’s too easy to set up a Dropbox account, or provision software-as-a-service.
No CISO is going to wage a battle to prohibit the use of Salesforce, even though it’s highly likely that it could expose proprietary information, perhaps even intellectual property, that could be extremely costly if compromised. What the CIO and CISO can do is sit down with sales executives and discuss the impact on revenue targets if a make-or-break customer proposal were to leak to a competitor, or if a disgruntled sales rep or third-party affiliate were able to abscond with customer and pricing information.
Hypothetically, let’s assume that the risk threshold for a large enterprise is $1 billion in sales revenue or $1 billion in legal fees. With that threshold in mind, security leaders can engage business leaders in an exercise to discuss what activities fit below that bar, and which exceed it. Once those activities are identified, it is easy to segregate what must be protected at all cost.
Implementing a “dark net”
Once the risk thresholds are established CIOs and CISOs can get to work protecting those assets that are deemed as essential. To do so, those assets must be isolated from external connectivity and from everyday users inside the firewall.
IT must create a “dark net” that is exclusionary—critical applications are only accessible by users that are authorized to connect to them. Access to private internal applications (whether public/private/hybrid cloud or legacy datacenters) should only be granted without exposing the network to users or applications to the Internet.
The key here is providing access to applications, rather than critical networks. In this manner, internal and external users can only access that to which they’ve specifically been authorized. They can’t use that as an on-ramp to the sensitive, dark net. With this mode of operation, IT now has visibility into who is doing what.
With increased visibility—and a dramatic reduction in the everyday network “noise” that IT must deal with today—protecting critical assets becomes much more manageable.
No, It’s Never Simple
Obviously, what I’m advocating is a fundamental reordering of security strategies. And, no, convincing business leaders is no slam dunk. Business by nature will resist anything perceived as an imposition. It will take dialog, persistence and a shared understanding of risk.
CIOs and CISOs addressing CEOs and boards of directors must be up front about the reality of cyber security. If you just tell them that you have visibility into 99.9% of devices on the network and are confident you can secure those devices, it obscures the real issues. If you tell them that for every 100,000 devices on the network that you’re aware of, there are 1,000 unknown devices that each have the potential to cost the business $1 billion, you’ll be well on the way to forging a risk-based security strategy.