Is your organization trying to develop a cyber-security strategy? If so, it is critical to be aware of the assumptions that could shape that strategy, and in particular of a relatively recent shift in best-practice assumptions. The new assumption is this: it is impossible to guarantee that an enterprise can deny access to all bad actors. This assumption has taken hold so strongly among some practitioners that they advocate spending no additional security effort on new ways to deny bad actors access, and focusing instead on detecting and eradicating them once they are inside the enterprise.
Among security professionals, the older belief that all bad actors can be kept out has always been known to be false. However, that falseness was obscured by various forces: human nature, business dynamics, and the power of marketing and sales machines. The nail in the coffin finally came with the 2013 release of the NSA’s hacking catalogue, filled with James Bond caliber hacking tools: https://www.wired.com/2013/12/nsa-hacking-catalogue/. This release destroyed those false beliefs; however, because the belief is so deeply embedded, the way businesses approach InfoSec has been slow to change.
Additionally, the explosion of social media has shifted the perception of this issue from a predominantly business concern to one that is also a personal concern. The well-publicized hacks of celebrity iPhone photos played a significant role in expanding the public’s awareness of the inability to deny bad actors access into data thought to be protected.
So, what kind of impact does this shift have on an organization’s InfoSec strategy?
A transformational impact. The security focus now shifts from an IT and technology problem to a business risk challenge. The outcome is a shift in who is responsible, who is accountable, whose subject matter expertise needs to be consulted to inform the decision process, and who the stakeholders are that need to be informed. People familiar with the concept of a RACI (Responsible, Accountable, Consulted, and Informed) matrix may recognize where I am going. For those unfamiliar with RACI, here is a decent place to begin understanding the concept: https://en.wikipedia.org/wiki/Responsibility_assignment_matrix.
For a moment, let’s switch back to the topic of information, cyber, and IT security as separate concepts. Traditionally, and understandably, IT security and information security were treated as separate problems. With the advent of wireless networking and the dramatic reduction in the physical size of computing devices (e.g. smart devices), the demarcation between information security and IT security began to blur. When wireless and smart devices became ubiquitous in personal life, the concept of cyberspace entered the consciousness of society in general. To oversimplify and put it in non-technical terms, cyberspace encompasses any and all devices with the capability to connect to the WWW. Today that means, again in overly simplistic terms, that cyberspace is made up of every information technology device not specifically configured at the hardware level with very specific protections controlling the device’s connections to other information systems. Given that only highly specialized networks and devices are built this way, cyberspace essentially encompasses all information technology systems – every single one. Given this reality, bad actors have unfettered access to every component of cyberspace except those specially built devices.
The picture below illustrates the transition areas between information, cyber, and IT security fairly well. Please notice one thing in particular: the “Persona Layer.” It is important because this is the layer where bad actors attack along what is called the “human vector,” i.e. exploiting a human action to effect the attack.
It is the ubiquity of mobile personal devices, the increase in their processing power relative to their size, and the explosion of data and information flowing through the social media applications on these devices that has erased the separations between information, cyber, and IT security. Since the main focus of security in all three realms is the data/information itself, the term InfoSec again becomes the most appropriate way to address all three areas at once.
So, what does all this mean when it comes to developing a security strategy for an organization? It means organizations need to first develop the correct InfoSec strategy.
Yes, I said InfoSec strategy, not cyber-security strategy. Addressing cyberspace alone does not fully cover the human nature and behavior aspects necessary to correctly address cyberspace’s impact on security. Information, cyber, and IT security are no longer primarily a technology and IT organizational problem. They have become a challenge for the entire organization.
This brings us back to the shift in best practice assumptions and RACI, i.e. the RACI Factor. Without the clarity and structure a RACI helps provide, the organizational approach to InfoSec becomes similar to this:
Fun times, for a kid. Not so much so for an organization seeking to mitigate risk.
Incorporating a RACI into an organization’s approach to InfoSec ensures the organization has gone through a process of identifying the correct people, processes, information, and organizational components to be involved in InfoSec, and ensures that the functional roles and responsibilities of each can be identified, coordinated, and communicated properly and effectively.
Clearly more is required than a RACI, and those other critical areas will be covered in future blog posts. However, the RACI Factor is central to all effective organizational-level endeavors. Incorporating an effective RACI approach requires knowledge and experience across a broad spectrum of technology, business management, and data points. The good news is that Peters & Associates’ vCISOs can help your organization develop a RACI to support an InfoSec strategy and roadmap, and a three to five-year plan to face its InfoSec challenges well into the future. Contact us at firstname.lastname@example.org for more information. We’re happy to help!