Canadian Security Magazine

How elastic are you?

By Tim McCreight   


Over the past year, we’ve read a number of disturbing reports on major companies and the breaches they’ve suffered to their information systems.

With all the incidents we’ve read about (and those we aren’t even aware of), will we ever be secure in this ‘Internet of Everything’? If we can’t be secure, can we focus on being resilient instead? What does it mean to be resilient?

When I think of resilience, I picture an elastic band. You can apply pressure by stretching it beyond its initial shape. When the pressure is released, the elastic band reacts by returning to its original form. Mature organizations do the same in times of crisis. An event occurs, pressure is applied to the organization, but it eventually returns to its initial state if it has well-developed processes and procedures.

From an IT perspective, I appreciate we cannot protect every information asset and guarantee the confidentiality, integrity and availability of every piece of data. It has taken me a lifetime of working in the physical and IT security industry to come to this realization: we cannot be 100 per cent secure. We can, though, build out processes to recover from events and reduce the impact a crisis can create.

As security professionals, we play a key role in creating a resilient organization. While we cannot script a response to every threat, we can work within our organizations to develop communication processes so that when an incident occurs, we know how and when to inform our senior leadership team.


We can work with operational teams to identify the critical or key assets within our organizations. This information identifies who the asset owners are, the effect these assets have on our business and the impact we’ll face if these assets are unavailable, damaged beyond repair, or compromised due to an information systems breach.

If we’ve done our homework, we’ve conducted exercises to practice our recovery capabilities. The information collected from these exercises should be reviewed and then incorporated into our recovery plans. And then we test these plans again.

Try as we might, we can’t predict every type of incident or attack our organizations may face. After reading how some organizations were breached, it amazes me how the attackers look at an organization’s defense posture and find ways around it. What we can focus on is creating an adaptive approach to responding to these threats.

If we’ve developed our communication processes, identified our assets, understood the impact to our business if an asset is unavailable or missing, and practiced exercises to recover our assets, we’re in pretty good shape! If pressure is applied to our organization, there’s a good chance we will eventually return to our initial state.

But there’s one thing missing.

When an incident occurs that we haven’t practiced for, what then? That’s when our ability to adapt will be tested, and our problem-solving approach must change. Catastrophic disasters such as fires, floods, terrorist attacks and massive system compromises require adaptive and reflexive approaches. All too often, organizations fall back on procedures they’ve previously developed, but fall short of addressing the new threat or crisis. The impact can be devastating to an organization, and can even lead to the business failing to recover after the crisis.

We can help our organizations by offering leadership and expertise in times of crisis. I don’t know a security professional who hasn’t had to manage an investigation, deal with a difficult visitor, detain a suspect or manage a computer forensic assignment. Maybe it’s time we started playing a greater role in our organizations.
Tim McCreight is a managing consultant at Seccuris (
