{"id":227,"date":"2013-04-01T00:00:00","date_gmt":"2013-04-01T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/01\/assurance-doesnt-come-in-a-box\/"},"modified":"2021-12-30T11:36:47","modified_gmt":"2021-12-30T11:36:47","slug":"assurance-doesnt-come-in-a-box","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/01\/assurance-doesnt-come-in-a-box\/","title":{"rendered":"Assurance Doesn\u2019t Come In A Box"},"content":{"rendered":"<p>My colleague\u2019s talk revolved around the need for the project to provide a suitable level of assurance; the audience sat and listened in attentive silence, seemingly fully engaged. A lone voice called out, \u201cThis assurance, is it software we can go out and buy?\u201d But I think the fact that the question was asked reveals a lot about how cyber security is seen in many organizations: you buy a software or hardware solution to address a potential problem and that\u2019s all there is to it. &#8230; That idea is akin to saying windscreen wipers on your car make it safe to drive in all weathers, then never worrying about when to use them, when to have them go back and forth intermittently or continuously, when to replace the wiper blades or whether you can still drive at 70mph down the motorway in torrential rain and blizzards.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you think of assurance as a guarantee your cyber security is fit for purpose and working perfectly then there are a few other things you\u2019re going to need: governance, risk management, policies, operational procedures, audit trails, personnel, effective training and awareness, security testing, oh and not forgetting the software and hardware underneath all that. 
In fact that\u2019s a very concise and condensed list which doesn\u2019t begin to cover everything, but I\u2019m trying to give the overall picture here, not send you to sleep or bamboozle you.<\/p>\n<p>First question: how do all these different items work together to give you that warm fuzzy feeling of assurance about your cyber security?<\/p>\n<p>To have governance, just like government, you need someone or something in control to maintain oversight of the cohesive efforts being made. This person or persons will of necessity be senior personnel who have the understanding and viewpoint required to see what\u2019s happening across the business and to make decisions, and the authority to have those decisions acted upon.<\/p>\n<p>We\u2019re talking operational risk management specifically, a concept I\u2019ve heard described as an emotional process \u2013 a statement I do understand and have some sympathy with, as it\u2019s a discipline requiring a lot of subjective thinking. Many people view operational risk management as a potential minefield inside a nightmare, but it\u2019s not that hard to do and there are sources of information out there which can help you, although some are so badly written they can fry your brain if you\u2019re not careful. For the moment I\u2019ll just pare it down to bite-sized chunks of bare essentials for you by outlining an easy way I\u2019ve used in the past to tackle it. &#8230; For the next stage you need to look at what makes these threats more or less likely to happen. Here\u2019s an example: there\u2019s a threat that some malcontent might break a window in your office, climb in and steal something, but if you have bars over the windows then this is less likely to happen. Ah, so they can\u2019t come through a window, but how strong are the doors? You need to consider all possible \u2013 or at the very least all you can think of \u2013 ways the vulnerabilities in the situation could turn the threats into reality. 
On to stage three, where you\u2019ll look at what the impact would be if something happened. Say you had strong doors and barred windows except for one which only allowed access to that old storeroom with nothing in it; that would have a lower impact than if it allowed access to the computer room. Along with the impact, remember to think about the value of whatever could get lost or destroyed; that\u2019s not just the capital cost by the way, it should also encompass the value of your brand, your reputation and anything else it\u2019ll be expensive to get back. These are your company\u2019s assets. &#8230; The next stage is to look at what you can do to reduce the likelihood and the cost of that incident. In many cases it can be something very simple, such as putting in place a procedure to ensure the last person to leave shuts and locks all the windows; it doesn\u2019t need to be a monstrously expensive piece of software that will automatically seal off the building at 6pm sharp. &#8230; Of course someone will need to define what the acceptable level is, but we know whose job that is: governance. Last stage now: where the risk is not acceptable you\u2019ll need to come up with a plan on how to deal with it. This might be further investment in equipment or staff, or it may be possible to devise a plan that removes the risk entirely, for example by moving valuable assets to another more secure location. 
These plans will be reported up to the governance level, whose role is to agree to them, provide what you need to get them done and to monitor progress.<\/p>\n<p>You\u2019d be surprised how many organisations are completely missing the two items described above, governance and risk management; most have all the rest, but the rest aren\u2019t much good on their own.<\/p>\n<p>Policies don\u2019t have to be long and wordy; in fact the shorter and punchier they are the better. They need to have impact.<\/p>\n<p>Unlike policies, operational procedures need more detail in there; they need to cater for when things go wrong as well as right, and how to deal with that.<\/p>\n<p>Audit trails show the governance layer that procedures are being followed correctly and can be used in the risk management process to identify potential issues. If your organisation undergoes audits you\u2019ll know auditors love nothing more than evidence; it\u2019s the only thing that proves you\u2019re doing what you say you do.<\/p>\n<p>It\u2019s a natural human attribute to be helpful and friendly: I\u2019ll just see if that stranger over there needs help carrying that suspiciously large box down to his van (that\u2019s based on a true incident, folks).<\/p>\n<p>It\u2019s not easy to measure if all this investment in security is working; until someone tries to break it you\u2019ll never know if it works or not. &#8230; The idea is you pay another company a load of money to test your security and they produce a nice big report for you in return. &#8230; Some tests need specialist skills and equipment, so you\u2019re stuck with coughing up for those, but many tests can be conducted by you or your friends and colleagues. Go round the building and check doors are locked, no confidential paperwork is left out on a desk and PCs aren\u2019t left logged in. Get a friend to see if they can get inside past reception without an appointment; tell them to carry a box and say they\u2019ve got equipment to install in the computer room. 
&#8230; All these tests will go towards proving the governance is in place and working, the risks are being managed effectively and the policies are being adhered to. The only caveat to this advice is where you\u2019ll be audited and the results of the tests are offered as evidence; I find auditors aren\u2019t keen to accept a handwritten note from uncle Joe saying he tried but he couldn\u2019t break in as sufficient for their needs.<\/p>\n<p>Software and hardware are still important, and getting the right tool will save you a lot of pain and sorrow further down the road, but don\u2019t think they\u2019re the whole answer.<\/p>\n<p>Security should be seen as a continuous circle where the outputs are constantly fed back as input and the circle revolves again, each time improving and refining the process; you need all the spokes of the wheel in place if your organisation is going to successfully move forward with a mature and effective security stance.<\/p>\n<p>Link: <a href=\"http:\/\/www.daftblogger.com\/assurance-does-not-come-in-a-box\/\" 
title=\"http:\/\/www.daftblogger.com\/assurance-does-not-come-in-a-box\/\">http:\/\/www.daftblogger.com\/assurance-does-not-come-in-a-box\/<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-227","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=227"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/227\/revisions"}],"predecessor-version":[{"id":2714,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/227\/revisions\/2714"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}