We live in an era of ever-increasing cyber security threats and data breaches. As security professionals we know that it is not whether our systems have been compromised as much as it is when we will find they have been and to what extent. Add to this, the aggregation of data sets at geometric rates and the amplified concerns about how well organizations can protect all of this data entrusted to them… there is clearly a problem.
Data is at the center of all we do. In this ever-increasing digital and interconnected world, simple perimeter security or anti-virus has proven insufficient. Additionally, we are fumbling in the drive to integrate our security program efforts. We all know the axiom that defenders have to be vigilant 24/7, while adversaries only have to be lucky once.
This problem is not one of security for security's sake; the fear of a data breach impacts trust in our ability to protect an individual’s assets, privacy, and ability to operate their business functions. It is more important than ever to stay connected and well informed on all topics related to cyber security, information risk management, and privacy concerns. Each of these is interconnected, and that places a requirement on today’s cyber security professional to maintain better knowledge of what they are protecting, why they are protecting it, how they are protecting it, and for whom they are providing this protection.
Privacy concerns are obviously interwoven with security concerns; it's unimaginable to have privacy in this environment without strong security. Additionally, organizations like the Electronic Freedom Foundation and American Civil Liberties Union have integrated with other lobby groups to strengthen demands for increased privacy protection in legislation and technology advancement. Legislation creates requirements for stronger governance and equally demanding reporting, which already takes weeks, months, or years to prepare and submit to oversight bodies for both privacy and security.
There will be data breaches. A more robust emphasis will be placed on data loss prevention and tagging data at the appropriate classification levels. This will promote the application of the appropriate controls, add greater confidence in knowing where the data resides, and make it possible to know precisely what has been lost during a breach.
Requirements will be placed on the speed of identifying who, how, and what has been compromised in order to notify the impacted persons and/or business functions, so that they can address the damage and mitigate the impact. Increased knowledge of the attackers will assist in faster Cyber Kill Chain responses and smarter solutions for internal network defense.
Cyber security concerns will embrace privacy concerns with monitoring, data storage, and data access rights. There will be a stronger push to integrate cyber security with privacy, legal, and human resources in order to ensure that cyber vigilance and insider threat programs are monitored in accordance with policy and legislative requirements. This integration will not be easy, due in large part to the cultural distinctions existing between these highly specialized areas, but organizations will have no choice but to consolidate areas of privacy into their overall cyber security governance models.
Full adoption of the information technology risk-based methodology across sections will take a significant amount of awareness and education. Integration of privacy and cyber security controls and processes, along with the adoption of a risk-based approach, is required, and should be desired for maximum efficacy and efficiency of scale. True Enterprise Risk Management.
Organizations like the Electronic Freedom Foundation and American Civil Liberties Union will not cease to exist but rather grow stronger in their demands for increased privacy protection during this period. In the end, data protection will be on all sides of the data. The reason why the data exists, to enable functional and business operations, will be balanced with a variety of other impactful concerns such as compliance with Federal and state information sharing and data laws, protection of civil liberties, and individual privacy rights.
2019 – How do we get here?
There will be data breaches. The complexities of the environment and the human factor most certainly guarantee this to be true. The damage can be mitigated through early adoption of a holistic cyber security approach, leaning forward on implementation.
Apply a holistic approach: integrate the strategies for both privacy and cyber security to reach a confluence. No matter the maturity of a cyber-security or privacy program, there should be a viable combined program strategy and a complementary implementation plan to ensure our goals and objectives within the strategy are being driven to achievement. This solution should drive a correct increase in the knowledge base through targeted requirements, closer attention to processes and process improvements that support the strategic goals and objectives, and smartly aligned investment in technologies.
Manage the "wetware". As an organization, we must view the user interacting with our systems as part of the system, so integrate cyber-security and privacy training to the greatest extent possible. We cannot forget to proactively educate the public on threats to privacy and to cyber security. All that the public knows is what they may hear from mainstream media, which is insufficient in practice. Embracing a planned public awareness program that delivers awareness, teaches, and advises will support a more security- and privacy-aware society.
Shift from prevention solutions to detection tactics, techniques, and procedures. Focus on response to cyber security threats and increase threat assessments to create preliminary damage assessment and swifter response times. Preliminarily evaluate all possible impacts on the security architecture, applicable security laws, and privacy implications. Measure operational effectiveness of current controls and use Red Teams to simulate an attack with the defenders prepared to map the attacker’s life-cycle.
How fast do they operate within the cyber kill chain? Measure the performance of the defenders against these simulated impromptu incidents.
What was the response time? Did the Red Team achieve their goal before they were noticed? Real world attackers evolve and so should we!
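One way to turn the questions above into numbers, as an added example that is not code from the original article: a small Python scorer that compares a red team's kill chain timeline with the SOC's detection and containment times and reports time-to-detect, time-to-contain, the deepest phase reached before detection, and whether the objective was reached first. The phase names, timestamps, and the choice of "delivery" as the start of the time-to-detect clock are assumptions for the example.

```python
from datetime import datetime

# Lockheed Martin Cyber Kill Chain phases, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed sample timeline (not from the article): when the red team
# entered each phase during one simulated incident.
RED_TEAM_TIMELINE = {
    "reconnaissance":        "2019-03-04T09:00:00",
    "weaponization":         "2019-03-04T09:40:00",
    "delivery":              "2019-03-04T10:05:00",
    "exploitation":          "2019-03-04T10:12:00",
    "installation":          "2019-03-04T10:20:00",
    "command_and_control":   "2019-03-04T10:25:00",
    "actions_on_objectives": "2019-03-04T13:10:00",
}

# Constructed defender timeline: the first alert the SOC acted on and the
# first containment action (for example, isolating the host).
DEFENDER_TIMELINE = {
    "first_detection": "2019-03-04T11:30:00",
    "containment":     "2019-03-04T12:15:00",
}


def _minutes(later, earlier):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60


def score_exercise(red, blue):
    """Score one simulated incident: how far the attacker got before being
    seen, and how fast the defenders detected and contained.

    Time-to-detect is counted from 'delivery', the first phase that touches
    the defended environment; earlier phases happen outside the defender's view.
    Timestamps share one fixed format, so string comparison orders them."""
    detect, contain = blue["first_detection"], blue["containment"]
    # Phases the attacker had already entered before anyone noticed.
    undetected = [p for p in KILL_CHAIN if p in red and red[p] <= detect]
    goal = red.get("actions_on_objectives")
    return {
        "time_to_detect_min": _minutes(detect, red["delivery"]),
        "time_to_contain_min": _minutes(contain, detect),
        "deepest_phase_before_detection": undetected[-1] if undetected else None,
        "phases_entered_undetected": len(undetected),
        "goal_reached_before_detection": goal is not None and goal < detect,
        "goal_reached_before_containment": goal is not None and goal < contain,
    }


if __name__ == "__main__":
    for metric, value in score_exercise(RED_TEAM_TIMELINE, DEFENDER_TIMELINE).items():
        print(f"{metric}: {value}")
```

Run the same scorer over every exercise and trend the metrics over time; a shrinking time-to-detect and a shallower deepest phase are the evidence that the defenders are evolving along with the attackers.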
It is all about the data. Work with all information owners to properly classify data based on confidentiality, integrity, and availability impact-level determinations to smartly apply the correct amount of security to the data. Knowledge of what has been compromised is required, and a proper data classification schema supports greater visibility into the enterprise and connected networks. We will need to be diligent not only in protecting the data’s confidentiality, integrity, and availability but also in understanding the data’s purpose and that many data sets require protection to support the individual’s civil liberties, which further supports a holistic perspective on the management of the data and the systems in which it resides.
Organizational change management is needed. Balance can be achieved, and while not all parties may be happy during the transition, it is a necessity to move toward integration sooner rather than later. It will be more important than ever to provide balanced, secure solutions to support the business of the organization.