Cyber Security in a Nutshell
Managing cyber security has long relied on the ‘fortress and moat approach’. In other words, the defense of most computer systems has been designed so that the system resides in a fortress and is surrounded by an outer defense system like the walls surrounding a castle or a city. In fact, the term ‘firewall’ is often used in computer security discussions. The difficulty with this attacker-versus-defender model is that it requires the target to know that an attack is taking place so that the appropriate defenses are already in place or will be activated. The sophistication and number of attacks now possible by skilled hackers make it easier to remain undetected while those responsible for computer systems security think all is well.
Cyber security requires applying a true risk-based approach. Part of that analysis should of course address what the real impact of a malicious intrusion would be. In many organizations, there will be a built-in tension between those who run the business and those who are attempting to keep systems secure and reduce the risks associated with cyber attacks. Organization leaders should understand that efforts to provide ironclad cyber security are likely to have an impact on the business that may be viewed negatively.
It is important for organizations to understand that there also needs to be alignment between accountability, responsibility, and consequences if cyber security processes are ignored or treated lightly. Some organizations understand this very well because of the nature of their primary business. My last employer is a good example. Our company was involved in sensitive projects that had oversight by government agencies. Some of the key information and data that we dealt with had national security implications. Employees who were entrusted with this information and data had the responsibility to act in accordance with the rules prescribed by the government or personally suffer the consequences if they did not. Violations of security rules could result in loss of your government clearance and your position of employment. Violations that were egregious could result in fines and imprisonment.
Organization leaders should be familiar with the increased importance placed upon ‘compliance’. This means certain systems protection steps have to be taken to satisfy both the legal and reputational requirements of good governance. One of the important lessons for organization leaders to understand is that being in compliance with requirements placed by outside auditors or others does not guarantee cyber security.
The ‘compliance versus security model’ will probably receive increasing attention in management journals and publications. This is likely to take place as more and more leaders suffer systems intrusions, data breaches, and other electronic surprises—despite their systems being technically ‘in compliance’. Informed leaders and organizations need to think of compliance as the very minimum standard that should be met on the road to cyber security. Essentially, compliance standards involve the prescription of processes and procedures that are intended to be one-size-fits-all. This is not a criticism of what compliance is all about. In effect, compliance provides a starting point for creating a secure cyber environment.
All organizations should move beyond the one-size-fits-all character of compliance requirements. Effective cyber security requires an organization to take a bespoke, custom-tailored approach. It is important that the leadership and members of the organization understand the particular industry they are associated with and the degree to which they may be a target. This internal review should consider how much the organization can afford to spend on systems intended to provide cyber security. What is the nature of your information that needs to be protected? What happens if it is not?
It is possible for an organization to assume that it is unlikely to be a target. However, the hyper-interconnectedness that now exists in the cyber world means that the thinnest shared thread could result in intrusive action against an organization that may think it would never be a target. Some organizations take what they may think is a very safe, ‘vanilla’ approach to the content of their public website to limit the probability of becoming an intrusion target for a cyber attack. Under many circumstances, this could be an effective strategy to reduce the chances of becoming a target. However, organizations need to employ greater imagination regarding how and why they may become an unlikely target.
The nature of an organization’s business, especially if it is involved in scientific or military-related services, may still make it subject to intrusion. In the Washington DC area, there are dozens of companies that provide services to sensitive government agencies, for example the Department of Defense, the Central Intelligence Agency (CIA), or the Department of Homeland Security. The service organization’s website may be subject to intrusion regardless of how innocuous the information it contains may be. The bad guys may attempt a ‘bank shot’ off the service provider’s website to gain entry to the systems of the sensitive government organizations that routinely visit it.
There is no question that cyber security involves the use of sophisticated technical tools to make sure that individuals sitting inside or outside the organization are not able to readily access and do harm to the systems that have now become the lifeblood of businesses. The science of providing cyber security has become a multibillion dollar business. Companies founded for the express purpose of keeping systems safe are headed by individuals who enjoy all of the perquisites associated with wealth and privilege. Unfortunately, spending a fortune on software or other elements intended to provide cyber security does not mean that a cyber attack will not take place.
- Bank shots take place in basketball, billiards, and other games and activities. In basketball it is when the ball is shot to hit the backboard before going into the basket. In billiards it is when the cue ball is driven into a ball that then hits the object ball and puts it in the pocket.