Earlier this month I took part in a panel discussion at the first SC Congress in London. Brian Brackenborough, Frank Florentine and I opened the Congress with a discussion on “Inside, outside, upside-down: Staying ahead of the threat, wherever it comes from”. I think it was a worthwhile discussion and I definitely took away some great points made by Brian and Frank, but also by the audience.
As I had written down some of my key statements, I figured I might post them here as well.
In one of ‘The West Wing’ episodes I recently saw, President Bartlet (Martin Sheen) states: “To defend everything is to defend nothing: what does that even mean?” I’m sure everyone at the Congress knows very well what that means. There are too many threats; there is just no way we can deal with them all.
That’s why I believe looking at threats should start with looking at your organisation.
- What is important to ensure your organisation is successful, so what are your critical assets?
- Do those assets have value to anyone other than your organisation?
- Who are those people who may have an interest in those assets?
- What are they capable of doing to get what they want?
These questions will have different answers for each organisation and define a different point of view on what your threat landscape looks like.
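To make the four questions concrete, here is an added example (my own illustration, not something presented at the Congress) that turns them into a small, constructed asset register and ranks where attention should go. The scoring scale (0–3 for criticality, interest and capability) and the sample assets and actors are assumptions chosen for illustration; the point is that an asset nobody else values, or that nobody has the capability to reach, drops out of the threat landscape entirely.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Scale for all three factors: 0 = none, 3 = high. This is an assumed
# convention for the example, not a standard from the post.

@dataclass
class Actor:
    name: str
    interest: int    # Q2/Q3: how much does this party want the asset?
    capability: int  # Q4: what can they realistically do to get it?

@dataclass
class Asset:
    name: str
    criticality: int                 # Q1: how important to the organisation's success?
    actors: List[Actor] = field(default_factory=list)

def threat_score(asset: Asset) -> int:
    """Criticality weighted by the most dangerous interested party.

    If nobody outside the organisation values the asset (no actors), or no
    interested actor has any capability, the score is 0 and the asset is not
    part of the threat landscape worth C-level time."""
    if not asset.actors:
        return 0
    worst = max(a.interest * a.capability for a in asset.actors)
    return asset.criticality * worst

def prioritise(assets: List[Asset]) -> List[Tuple[str, int]]:
    """Return (asset, score) pairs, highest score first, dropping zero-score assets."""
    scored = [(a.name, threat_score(a)) for a in assets]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)

def out_of_scope(assets: List[Asset]) -> List[str]:
    """Assets that answer the four questions with 'nobody / nothing'."""
    return [a.name for a in assets if threat_score(a) == 0]

def build_example_register() -> List[Asset]:
    # Constructed sample data for a fictional organisation.
    return [
        Asset("payment gateway", criticality=3, actors=[
            Actor("competitor", interest=1, capability=1),
            Actor("fraud ring", interest=3, capability=3),
        ]),
        Asset("customer database", criticality=3, actors=[
            Actor("organised crime", interest=3, capability=2),
        ]),
        Asset("executive phones", criticality=1, actors=[
            Actor("opportunist", interest=1, capability=2),
        ]),
        Asset("cafeteria menu", criticality=0),  # nobody outside wants this
    ]

if __name__ == "__main__":
    register = build_example_register()
    for name, score in prioritise(register):
        print(f"{score:3d}  {name}")
    print("out of scope:", out_of_scope(register))
```

The ranking is only as good as the honest answers to the four questions; the value of the exercise is less the numbers than the fact that it forces each asset to be tied to a specific party and a specific capability before it competes for attention.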
It is crucial that time spent talking risks and threats with your C-Levels is focused on these priorities; discussing minor or non-strategic threats is likely a waste of their time and yours.
Your CxO may be interested in talking about the most recent SSL flaw on his or her iPhone, but unless this is on your organisation’s list of priorities you should rather use the opportunity to nudge him or her towards the topics that are of real importance to the organisation’s goals.
Press and media have been very helpful in past years in raising awareness of information security topics, but this comes at the cost of lost focus: fundamental security efforts are in danger of being sidetracked by chasing after the latest, often overhyped, threats.
It may not be sensible to call for an emergency deployment of the latest SSL bypass in iOS when your organisation didn’t patch Java for a year.
Likewise it may not be the best value to your organisation to buy the latest threat intelligence product if your IT teams need days to track down infected endpoints.
At the end of the day there are more threats than you can reasonably handle; the question you have to answer for your organisation is which ones to focus on to get the most value out of your efforts.
To summarize –
- Know what you have and what to protect
- Excel at basic security hygiene
- Have solid governance in place
- Sensibly share and receive threat information