Thursday, November 1, 2018 at 05:24
Old Strategies Don’t Work
In his keynote speech at the Securing the Enterprise 2018 conference in Cambridge, MA, BT Security president Mark Hughes said that when it comes to the threats enterprises and government are facing, the global network is telling us that old strategies don’t work.
In the face of ongoing cyber-attacks, mounting privacy concerns and daily data breach announcements, the current cybersecurity technologies fall short, according to Howard Shrobe, associate director, cybersecurity at MIT Computer Science & Artificial Intelligence Lab (CSAIL), and principal research scientist, MIT CSAIL. In order to effectively move forward in the direction of “where we need to go,” the industry needs to develop a more formalized approach that combines design and analysis methods.
“Our approach is based on three key elements,” Shrobe said. “Collaborating closely with industry for input to shape real-world applications and drive impact. Leveraging the breadth and depth of CSAIL security researchers to approach the problem from a multi-disciplinary perspective. And creating a test-bed for our industry partners to implement and test our tools, as well as have our researchers test tools developed by our partners.”
To enable security transformation, enterprises should first assess their structure, said Hughes. “Put the team responsible for delivering change at the forefront of your strategy.” Given that there are lots of threats, those threats turn into risks, which have a very tangible bottom-line impact.
“Those risks are changing rapidly, so much so that in a matter of weeks, the risk profile changes. Using known, well-understood risks and putting those into a cyber context is extremely useful,” Hughes said.
Given that the risks are changing all the time, one key to building an effective security strategy is adaptability. “Prepare to constantly evolve,” Hughes said, but it’s also important to realize that there is no endpoint or perfect solution. When organizations realize that protecting everything all the time is ineffective, many turn to red teaming, which Hughes said yields interesting outcomes that allow organizations to assess and then prepare to evolve.
The next step in enabling security transformation requires internal engagement so that you are building knowledge and advocacy of security at all levels of your organization, said Hughes. From there, the company is well positioned to understand its risk and take the necessary steps to fully assess its security landscape and prioritize and protect the areas that would be most impactful in the event of a security incident.
I get where this comes from: the landscape is dynamic.
But the problem with the “old strategies” isn’t in the strategies … it’s in the people who failed to implement them well if at all, which presupposes that the strategy was well defined and communicated to those expected to execute. Too many managers chase “shiny objects” and the “next big thing” and any number of magic bullets based off of information provided by sales people, consultants, and think tanks.
Organizations who implemented the “old strategies” well, from governance to people to technology, got to focus their limited expensive security resources on higher value security issues earlier and overall matured faster than their counterparts.
Organizations ahead of the curve and those ready to improve embrace the fact that security is a program, not a project. There is no finite end date. There’s no banner on an aircraft carrier to let you know that the mission is accomplished. It’s on going, just like a business – your business – competing in the marketplace.