Does the above resonate? For the better part of two decades, security spending in the information technology industry has been predominantly protection-focused. Build the Bastion!
Which, according to IT sales, looks something like this:
Building the bastion was not a bad idea: it kept the hordes at bay, and life inside the castle was pretty good. Citizens could, and did, venture out into the wilderness of the World Wide Web. The WWW was a wild place, but the bad actors were kept mostly at bay, since their ability to leverage the surface area of the WWW for attack was limited.
The sales force also had some legitimate arguments. The weapons bad actors needed were difficult to develop; only the most advanced and wealthy bad actors could afford the weapons necessary to do real damage. Which led to this…
Again, legitimate. It is hard to do much other than defend when under attack. While a bit misleading, this is a favorite image of how many attacks are actually underway at any given moment.
Makes the gun fight at the O.K. Corral look like child’s play.
So, why the ‘shift’ in the title? Why imply the bastion is bad? It’s very simply this:
This would be the Top Secret National Security Agency ANT Product Catalogue. Once it was shown that the NSA had been hacked, through the exposure of this document, the illusion of the bastion fell away.
It could no longer be assumed that, if one employed the ‘state of the art’ in bastion protection, the crown jewels were guaranteed protection. Staying ‘state of the art’ was no longer enough.
Here is an overly simplified depiction of state of the art, in the past:
And here is the reality it faced…
What is important to recognize in the above, other than Dave?
What has also increased in number and value?
The Crown Jewels contained in the data center. That pile of boxes in the corner across from Dave.
So the NSA hack proved that, although the Dave paradigm held, even if Dave was …
… state-of-the-art technology and Super Dave were still unable to protect the Crown Jewels, no matter how much money or technology one could muster.
So, where does this leave us?
Below is a great representation of the new strategic focus. It is a representation of NIST’s Cyber Security Framework (CSF), though unfortunately not a commonly used one.
First, notice that Detection is right in the center. Detection and Protection are the technology-heavy categories in the CSF. When one rolls Protection and Detection together at the state-of-the-art level, this is what one sees from an architectural view:
Clearly, things can quickly become very complicated and very expensive!
But they do not have to be.
From a strategic lens, the second thing I want you to notice is the graphical size of Protection and Detection relative to the other categories: Identify, Respond, and Recover.
Just as in sport and war, what is done off the field determines winning and surviving. Surviving is the primary goal here, and that is the point of the shift.
The shift is from Protection to Survival, from Protection to Resiliency.
The shift is from Protection to Preparation and Recovery.
So what can one do to prepare?
The key to preparation, if one’s budget cannot support a deep-dive review, is a high-level review combined with retained, specialized support.
In short, actions like a Security In A Day (SIAD) review and vCISO services. A SIAD provides the foundation for a focused but phased approach to deep-dive preparations. A vCISO, a virtual Computer Information Security Officer, on retainer or under contract for limited but focused support, provides the expertise to effectively and efficiently transform a SIAD into a strategic, continuous approach that correctly tailors and balances Identification, Protection, Detection, Response, and Recovery.
Peters & Associates can provide both. Contact us at firstname.lastname@example.org to set up a discussion with one of our Security Experts on how a tailored resilient approach to cyber security can be created for your organization.