It seems that since time immemorial, the IT world has had its standard for measuring success. The much coveted ‘five nines’; the traditional promise of 99.999 per cent uptime for the business, and it is universally accepted that’s all you need to know or care about for business continuity.
It covers the basics of ‘likelihood’ and ‘probability’, right? And everyone in the industry knows what it means. All possible measures have been taken to ensure that the lights will stay on but there is a very small chance that something may fail because, well, there are no guarantees. And we all nod and agree because it’s a reasonable view of the real world.
However, the cyber security market has no such measure. Its view of success is polarised in comparison. The business itself and the outside world hold two opinions on how secure you are: you’ve either been breached or you haven’t. If you have been compromised, your environment is deemed insecure, and if you’re free from all defects, then you must be doing your job well.
Of course, it is a naïve view because a security breach is almost inevitable. The question is what precautions have been taken to reduce the probability. Equally, its measure should include how the business responds when a problem occurs.
Unfortunately, this isn’t recognised broadly enough in today’s modern market.
The more common story reflects an entirely different outcome. When a breach occurs, it is often accompanied by blind panic and more often than not, a pretty nasty headline, either publicly or at least internally. The person then responsible for security (who has probably spent much of their working life encouraging better practices) gets hauled over the coals or worse still, gets sacked.
Everyone who is considered important then sits around a big table and agrees this shouldn’t happen again. Somebody is made an example of, it is concluded that the company should spend considerably more money on more robust security technology, and then the whole affair is swept back under the carpet until next time.
The tragedy, of course, is that there is always a next time because nothing has fundamentally changed. The person responsible may have been replaced but the probability of being compromised hasn’t diminished. New technology may have been employed but the risk of it being bypassed is no less likely.
The reality is that much of this can be counterbalanced by an effective security strategy, modern methods to continually monitor and analyse the potential risk, and a grown-up view of the world that accepts that breaches do occur, and that what counts is how you minimise their chances of success and how quickly you respond.
We tend to find that the most sobering process is understanding where the risks lie today. More often than not, we discover that most companies have implemented appropriate security technology but it’s either not working at its most effective level or simple things such as the most recent patches haven’t been applied (one of the most common reasons for a breach occurring).
There is often a clear explanation for why seemingly straightforward tasks haven’t been addressed. Even if there is a security professional on-site, they’re not necessarily spending their days analysing and monitoring the activity at every level in the business.
On paper, everything looks good. They’ve done their due diligence to ensure that the technology is in place to protect the business and the staff are advised not to do anything stupid like putting unencrypted memory sticks where they shouldn’t. It’s an appropriate and well-trodden security strategy, but asking them to monitor the entire business and every conceivable software release and at every entry point 24 hours a day… who has time for that?
And that’s the point. Most organisations either lack the time and resources, or don’t fully understand the need, to constantly update, monitor and analyse, and therefore the risk of a breach never reduces.
Positioning security as a managed service may on the surface feel like a partial loss of control, but in practice it is demonstrably the opposite. It allows the introduction and application of a set of checks and balances, analytics and support to ensure that the technology is optimised in real time at every layer, so that the probability of a breach is considerably reduced.
‘Prevent, detect and respond’ is the new simplified security mantra for 2015.
- Prevent: how do you make sure your security technology is doing its job at every conceivable entry point, patched and updated to reduce the likelihood of a breach?
- Detect: attacks can and will occur; what matters is how quickly you detect them before any damage is done.
- Respond: how will the business respond if you are compromised? Is there a procedure and plan in place that will hit the incident head-on and bury it as quickly as it occurred?
There are no ‘five nines’ in the world of security, just due diligence and a quantifiable approach to reducing the probability of the risk itself.
It’s understandable if most organisations don’t have the time or the resources to accomplish this easily. However, it is less understandable if they haven’t explored the options available, or the external support from the right partner, that could reduce both their costs and their risk.
After all, you can’t protect yesterday.
David Beesley is managing director of NetDef.