Sunday, February 12, 2023

Quality Vs. Quantity: Which Is More Important For Cyber?

I still keep in touch with friends I made over 20 years ago when I was in undergrad and grad school.  The one thing we keep asking each other is: “How did we make it back then?”  I am talking about the resources we had then versus what is available now to get papers, projects, and even theses done.

Back in my day, there was no Google, and hardly even an Internet. All computing was done on mainframe machines, and the terminal that was given to you.

Although it took time to do things (especially the theses), life was far simpler back then.  We didn’t have social media, cellphones, or even the need to worry about Cyberattacks or Identity Theft.  Heck, even my Purdue ID card had my social security number all over it.

But now, with everything all digital and interconnected with one another, life has really become confusing (at least for me).  It’s hard to keep up with what is happening out there, and especially so on the Cyber front of things.

There have been so many advances made in terms of tools and technology, and yet we still cannot keep up with the Cyberattacker.  It has become a cat and mouse game of sorts, and of course, the good guys are falling behind.  So, this begs the question:  When it comes to digital warfare, which is better?  The quality of the defenses, or the total number of defenses that you have?

In other words, is it better to have 10 firewalls or 5 really smart threat hunters who are well trained and can keep the hackers at bay?  Well, according to a report by McKinsey, businesses in Corporate America are increasing their annual spending on new tools and gadgets by 12% year over year to beef up their lines of defenses.

While this may sound good initially, the bad news is that security breaches will cost Corporate America at least $10 trillion by the time 2025 rolls around (which is only two years away).  This report can be downloaded at this link:

https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers

So what is a CISO or even a vCISO supposed to do?  Well, according to a recent article I found this morning, here are some key steps to help make the quality stand out versus the quantity:

1) Watch who you hire:

Yes, there is still a huge shortage of workers in the Cyber field.  This remains true despite the inflationary fears that still abound and the number of tech layoffs that are happening today.  Also, I have been an advocate of hiring just about anybody who has a passion for Cyber and is willing to take risks to get ahead of the crowd.  But there is yet another group of people you may want to look at hiring for your IT Security team: former members of the US military.  These individuals have been taught structure, discipline, and how to stick with things when the going gets rough.  Also, for the most part, they have received a good amount of training in Cyber.  So why not look into this pool of candidates?  After all, if you really need somebody who has experience, well, here you have it.  And it is a great way of giving back to our country.

2) The Zero Trust Framework:

Although this methodology has been around for quite some time, its adoption has only just started to take root.  Under this framework, absolutely nobody is trusted, and all individuals have to be verified over and over again, every time they need to access shared resources.  It sounds extreme, but in today’s environment, this is all that is left to truly fight off the Cyberattacker.  The motto here is to never trust, but verify, verify and further verify.  Now, the other leg is starting to come out, which involves continuous testing.  Meaning, you have to keep testing your Zero Trust Framework to make sure that it is airtight.  The logic here is that you should have a Red Team that is constantly trying to break through your walls of defenses in order to find any gaps or weaknesses which are hidden.  This also sounds extreme, but once again, Corporate America has to go through these extraordinary measures in order to make sure that their digital assets remain as safe as possible.  When it comes to this Red Teaming, humans do not have to be involved each and every time.  There are tools now out in the marketplace that will let you conduct Penetration Testing exercises on both an autonomous and automatic level.

3) Keep practicing:

One of the main things that COVID-19 taught us is the need to have a comprehensive set of Incident Planning/Disaster Recovery/Business Continuity Plans in place.  But that is just one part of the equation.  The other part is to rehearse them regularly, at least on a quarterly basis.  Another aspect here is Security Awareness Training for not only the C-Suite, but for all of your other employees as well.  This is not a one-off; it too should be done on a regular basis.  Part of a good training program is to have what are known as Tabletop Exercises.  This is where you engage your attendees in a mock Cyberattack, and get their feedback as to how they would respond and try to resolve the situation at hand.  It is important to keep in mind that even this kind of input can be used in upgrading your recovery plans.

My Thoughts On This:

Remember that in the end, it takes a combination of both people and technology in order to have a finely tuned Cyber machine.  But even more critical is to have communications with all key stakeholders, and to keep that line open at all times, 24 X 7 X 365.  Also keep in mind to keep things simple when planning your Cyber strategies.

There is no need to get into all of the Cyber technojargon; in the end nobody cares about that.  Instead, take those efforts and funnel them into conducting a risk assessment to determine which of your digital assets are most at risk.

Then from there, try to figure out how to strategically place your lines of defenses so that you can get maximum protection without having to procure additional technology.  Think quality instead of quantity.  Remember that instead of deploying 10 firewalls, try to make use of just 5 of them.
