While preventing a cyberattack is often the sole focus of many security strategies, the reality is, your organization is likely to suffer a breach or other disruption to network operations. How you prepare for an inevitable break-in can make all the difference. The answer lies in cyber resilience.
That’s the key message from Dr. Mike Lloyd, Chief Technology Officer for RedSeal. Lloyd says that organizations who believe they have fully protected themselves from cyber threats are missing the point. Instead, planning and preparing for “what can possibly go wrong” can help prevent the worst and get you back up and running faster and with much less impact to your operations and your users.
Want to find out what Dr. Lloyd has to say, but don’t have time to read? You can listen to the podcast here.
Government Technology Insider (GTI): For commercial firms where shareholders, customers and the board are demanding answers, resilience is about limiting the hit to revenue and the ongoing health of the company. For government agencies, resilience means ensuring essential services are always available, as the impact on individual citizens and national security can be devastating. So, what should the objectives be?
Dr. Mike Lloyd, RedSeal (ML): We’ve seen a shift in thinking going on from organizations that are just trying to stop the attack of the week. And that technique hasn’t been working all that well. Organizations have been shifting their thinking to, “How do I deal with the fact that, unfortunately, some successful attacks are probably inevitable?” So, I need to be planning for those downsides. But
One interesting thing about that, which I’ve seen in my experience working in commercial organizations but also talking to federal agencies, is that I find a difference in thinking between the two. Commercial organizations look at it one way; federal agencies tend to look at it a little bit differently. I think the reason why is the different role of entrepreneurs and governments in our society.
Many entrepreneurs that I meet are pretty optimistic by nature — they tend to think about “what can possibly go right if I pursue an idea.” And I find that federal agencies naturally have a different mindset because of the way that we call on the government. We call on the government when we have a crisis. We have a military crisis or an international crisis or a humanitarian crisis, a natural disaster. And so, I think government agencies in all the various specialties already have a mindset of “what could possibly go wrong” and how to plan for that.
This means that federal agencies are ahead of the curve in this particular debate. We’ve seen breach after breach of commercial organizations because they’ve been trying to proceed optimistically. And I think a lot of federal agencies, just by their nature, by their training, have been thinking about, “What could go wrong if we use these new technologies? What could go wrong between nation-states? What could be an unplanned disaster that could occur?” And that thought process is really important. There’s a lot more we can say about how resilience works out. But I find federal agencies are a bit readier to adopt that mindset that says, “I can’t block everything, I need to be planning for what will happen when things go wrong.”
GTI: This is reminiscent of the NASA philosophy: “We have to make sure we find every way to fail here on earth so that it doesn’t go wrong up in space.”
ML: That’s right. The QA that they use at NASA is rather a lot more intense than most organizations are willing to do, because the cost of a field repair is so high. Depending on context, different organizations already have a mindset towards needing to plan for failures. Federal agencies tend to put a lot of thought into this for traditional disasters, say natural disasters and things like that. FEMA, one obvious example, exists exactly because we know things are going to go wrong on that scale. But we haven’t yet figured out how to apply that mindset properly in cyber security. That’s still an active area. It’s just an area where I think the federal agencies are a little more prepared for the mindset that’s required.
GTI: So, knowing that things can go wrong, but also knowing that you must keep the doors open for business whether your customer is a consumer or a citizen, how does resilience fit into an organization’s overall security structure?
ML: It’s a standard joke in security that the only secure computer is one that is turned off, unplugged, encased in concrete and buried in the ground. And that is not a very useful computer.
The fact is, we have to continue to function. When I talk to commercial firms, and they realize that resilience means planning that a bad thing will happen, they feel it’s a bit negative. It’s a bit fatalist, but it really isn’t. I think you’re on the right wavelength with this idea of, “We have to keep the doors open for business. We have to continue to function.”
Again, the military mindset is very good for this: you need to keep fighting even though you’re taking blows. So in terms of what people need to do, I think you can break it down to just three main areas, three main things you need to think about. Those are: being hard to hit in the first place; detecting immediately; and then recovering rapidly.
The first point is you don’t just give up and say, “OK, I’ll leave all the doors open and I won’t make any attempt to control anything because there’ll be a security breach whether I try to defend myself or not.” That’s not resilience. Resilience is, first off, to make yourself as tough as you can, to prepare ahead of an attack to be a hard target. And most organizations have been doing some of that kind of work, trying to meet their compliance burden, meet their audit requirements and generally trying to be a bit harder to hit.
But once you realize that the world we live in is so complex, that cyber security is such a complicated topic that you must plan for failure, then you have to shift your thinking to, “OK, how can I detect quickly? What kind of sensing can I use to figure out that a breach has occurred? And then how can I make sure I can recover?”
And that last bit is where organizations can fall behind, can fail to plan, simply by not knowing their own organization well enough. You can’t recover if you don’t know what “normal” looks like.
The resilience mindset really breaks down into these three things: trying to see what you can do to be a hard target; figuring out how you can detect when an incident has occurred, because it will occur sooner or later; and then having a plan in place for how you are going to recover. These three principles, I find, can guide a lot of projects.
Come back tomorrow to read part two of Dr. Mike Lloyd’s conversation on preventing and rebounding from cyber-attacks.