By Steve P. Higdon
A circus might employ the best clowns, magicians, and performers in the world. The big attraction however, are the trapeze artists. These brave souls soar high above the crowds, performing aerial stunts that defy gravity. The nature of their craft is inherently dangerous, and no matter how skilled the trapeze artists are or how much the circus spends on training and roped bars, there is always a chance that a mistake or other unforeseen event could cause them to fall. Even though much time and effort is spent on making sure that the trapeze artists stay in the air, there is always a net to catch them.
There has been a continuous shift over the last year in the cybersecurity strategies of large organizations. With the high-profile attacks on Sony, Home Depot, the United States Office of Personnel Management, the White House, and others, executives are no longer trying to determine if they will be attacked, but when.
Until recently, the focus of security strategies has been to reduce the likelihood of a successful attack through perimeter defenses. As a result, even organizations that spent their entire IT budgets on the newest and greatest intrusion detection/prevention systems, firewalls, and vulnerability management tools, but they became fact victims due to a zero-day exploit module downloaded by a teenage amateur “hacker” or an unaware employee clicking on a link or opening an email attachment. Now we see large organizations reallocating a portion of their money into a cybersecurity “safety net”, which we can revisit shortly.
It is important to understand and remember the primary purpose of cybersecurity when making investment decisions and plans. Cybersecurity isn’t about “keeping the bad guys out” or even safeguarding information. It isn’t about making sure that all the blocks are marked on a compliance checklist or maintaining access control lists. The purpose of cybersecurity is to protect key business processes and capabilities. All the other bits and bobs that we trouble ourselves with are just popular methods to address that purpose.
In line with that thinking, and getting back to the topic at hand, organizations are looking beyond technical controls to protect their processes and capabilities, and instead are focusing on ways to minimize impacts of potential or expected cybersecurity incidents.
There has been a fairly recent increase in marketing for cybersecurity insurance programs. Other safety net methods being entertained are not new, but simply reinvigorated approaches to incident response and business continuity. The biggest difference today is that these approaches incorporate newer technology and there are numerous third party organizations willing to do it all for you at a premium cost. The trend, if it wasn’t clear, is that organizations are starting to outsource their incident impact reduction efforts.
This is not to say that organizations are not concerned with traditional security controls and methodologies – they are just dedicating a larger portion of their budget to an arguably more effective approach to addressing cybersecurity concerns.
Steve P. Higdon is has been working in the information security field for over ten years, providing support and advice to several public and private sector organizations. He can be reached via email at [email protected] and on Twitter at @SteveHigdon.