A healthy, growing company is a risky business. Why? Modern businesses must innovate, grow and change continuously to stay ahead of the competition. Normally we regard mobility and business agility as good things: a differentiator, a challenge to be embraced, a way to shake the invisible hand that drives our planet. But from a security standpoint, and particularly a cybersecurity standpoint, this constant change is a problem.
If you ask CIOs what their greatest challenges are with business IT solutions and services, inflexibility is at or near the top of the list. This explains, for instance, why the cloud has taken over the world. It is not because the cloud is cheaper (it is not, for the same reason that leasing is more costly than owning anything you use consistently). It is because it is flexible: you can change your mind and divert resources to where they are needed. If we had to change our entire wardrobe every week, we would rent clothes rather than own them too.
But this very flexibility means our company environments are built to tolerate, even welcome, change. That requires open ports, since any piece of a company has to be replaceable when a better invention comes along. It means every part of the infrastructure must be prepared for the surrounding ecosystem to change, and to change regularly. And this willingness to change, while essential to a healthy company, is the root cause of most security problems. A network of interchangeable modules is an enormous attack surface for cybercriminals.
Think first of a single computer: securing just one is not too hard. Researchers work hard to find vulnerabilities before the bad guys do, and as long as you keep up with the latest advice, you can manage one computer with relative ease. However, as any teacher knows, being able to handle a couple of children well does not mean you can handle 30 or (heaven forbid) 300. All of us have limits on how much complexity and chaos we can cope with. So it is not that we do not understand security; it is that we struggle to scale it correctly. Anyone can learn the rules of Chess or Go easily enough, but mastering the game becomes hard once you scale up to think about all the interactions.
So should we just accept this security problem as the cost of a thriving, innovative business? Far from it. Physicians cannot cure every ailment, but that is no reason to stop washing our hands before handling food, and it is why businesses put a security management system in place. Digital resilience is achievable even if perfect protection is not. It comes from keeping up with change and understanding interactions. The trouble is that people are poor at both: we often unconsciously resist change, and our attention spans are short (ask a teacher!). Fortunately, software is good at exactly the things that test us. It is particularly good at understanding interactions, and if built right, with accurate risk-assessment logic, software can also handle dynamic change.
Helpful, constructive advice for coping with this comes from a perhaps unexpected source: the National Institute of Standards and Technology. Many people are predisposed to believe that government is a source of problems, not solutions. The idea that something called an Interagency Report from an agency focused on standards could be readable, let alone useful to fast-moving, nimble, modern companies, stretches credibility. And I admit, its prose is not about to put J.K. Rowling out of work. But trust me, there are interesting things afoot in this report.
It is a huge document: 93 pages for Volume 1 of a projected 13. I do not recommend reading the whole thing unless your job depends on it. But the first paragraph of its executive summary alone is a nugget you can offer to any leader of a company with a cyber presence, which is to say every company. In brief, it states clearly: our companies stand on networks; the networks have grown too complex; people cannot keep up; change is inevitable; and so every system put into production has to be assessed, mechanically, against machine-interpretable guidelines.
These are wise words from people thinking seriously about what it will take to turn around the dismal state of our networks so that we can achieve digital resilience. The good news is that machine-based assessment is not as hard to do as it once was. Think of your network as a chessboard and your IT assets as chess pieces arranged on the board. You can divide the NIST advice into these two areas: how should your individual chess pieces look, and what does your overall defensive position look like? Finding and understanding all your endpoints takes a while, but it is highly automatable: endpoint discovery, patch management and vulnerability assessment are mature technologies, and there are often free tools to help you get started if your business is behind the curve on knowing what you have. But no chess player would mistake a list of the pieces on the board for a good description of the tactical position.
The best advice for a company looking to implement NIST's perceptive guidance is to start a conversation between your IT groups, involving the people who know the chess pieces and the people who understand the chessboard. If you ask the right questions (for instance, which machines make up our attack surface?), you may be amazed at how productive the conversation can be.
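As an added illustration (not code from the article, nor from NIST), here is a small Python script that does both halves of that assessment on constructed sample data: piece-level checks of each endpoint against a few machine-readable rules, and a board-level walk of a toy firewall policy to answer the question "which machines make up our attack surface?". The endpoint inventory, the zone names, the policy rules and the rule thresholds are all assumptions made up for the example; a real deployment would feed in the output of the discovery, patching and vulnerability tools mentioned above.

```python
"""Added example: 'chess pieces' (per-endpoint rules) and 'chessboard'
(reachability through firewall policy) assessment over constructed data.
Nothing here is taken from the article or from a NIST publication."""
from collections import deque

# Constructed sample inventory, one record per endpoint ("chess piece").
ENDPOINTS = {
    "web-01":  {"zone": "dmz",  "ports": {443, 22},   "patch_age_days": 12,  "av": True},
    "web-02":  {"zone": "dmz",  "ports": {443, 8080}, "patch_age_days": 95,  "av": True},
    "app-01":  {"zone": "app",  "ports": {8443},      "patch_age_days": 20,  "av": True},
    "db-01":   {"zone": "data", "ports": {5432},      "patch_age_days": 200, "av": False},
    "hr-pc-7": {"zone": "corp", "ports": {445, 3389}, "patch_age_days": 5,   "av": True},
}

# Constructed firewall policy ("the board"): (src_zone, dst_zone, dst_port).
# Only flows matching a rule are allowed; everything else is implicitly denied.
POLICY = [
    ("internet", "dmz",  443),
    ("internet", "dmz",  8080),
    ("dmz",      "app",  8443),
    ("app",      "data", 5432),
    ("corp",     "data", 5432),
    ("corp",     "app",  8443),
]

# Machine-interpretable piece-level guidelines (hypothetical thresholds):
# (rule id, predicate over an endpoint record, human description).
PIECE_RULES = [
    ("patch-age", lambda e: e["patch_age_days"] <= 30, "patched within 30 days"),
    ("endpoint-protection", lambda e: e["av"], "endpoint protection installed"),
    ("no-legacy-remote", lambda e: not (e["ports"] & {23, 3389}),
     "no telnet/RDP listener"),
]


def assess_pieces(endpoints=ENDPOINTS, rules=PIECE_RULES):
    """Piece level: return {endpoint: [ids of failed rules]} for failing endpoints."""
    findings = {}
    for name, ep in endpoints.items():
        failed = [rid for rid, check, _ in rules if not check(ep)]
        if failed:
            findings[name] = failed
    return findings


def reachable_from(src_zone, endpoints=ENDPOINTS, policy=POLICY):
    """Board level: breadth-first walk over zones.

    A zone is entered when a rule allows traffic from an already reached zone
    into it AND some endpoint in the destination zone actually listens on that
    port (a rule to a closed port exposes nothing).  Returns
    {endpoint: set of exposed ports} for endpoints reachable from src_zone,
    directly or through zones the policy lets traffic pass into."""
    exposed = {}
    seen = {src_zone}
    queue = deque([src_zone])
    while queue:
        zone = queue.popleft()
        for src, dst, port in policy:
            if src != zone:
                continue
            hit = False
            for name, ep in endpoints.items():
                if ep["zone"] == dst and port in ep["ports"]:
                    exposed.setdefault(name, set()).add(port)
                    hit = True
            if hit and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return exposed


def attack_surface(endpoints=ENDPOINTS, policy=POLICY, untrusted="internet"):
    """Endpoints (and ports) reachable from the untrusted zone under the policy."""
    return reachable_from(untrusted, endpoints, policy)


def prioritize(endpoints=ENDPOINTS, policy=POLICY, rules=PIECE_RULES):
    """Rank piece-level failures: endpoints on the attack surface first, then
    the rest, so remediation starts where weakness and exposure overlap.
    Each item is (endpoint, sorted exposed ports, failed rule ids)."""
    findings = assess_pieces(endpoints, rules)
    surface = attack_surface(endpoints, policy)
    ranked = sorted(findings.items(), key=lambda kv: (kv[0] not in surface, kv[0]))
    return [(name, sorted(surface.get(name, ())), failed) for name, failed in ranked]


if __name__ == "__main__":
    for name, ports, failed in prioritize():
        where = f"exposed on {ports}" if ports else "not reachable from internet"
        print(f"{name}: {where}; fails {failed}")
```

On the constructed data the walk reaches web-01 and web-02 in the DMZ, then app-01 through the DMZ-to-app rule, then db-01 through the app-to-data rule, while hr-pc-7 is never reached because no rule leads into the corp zone. The piece-level list alone would put hr-pc-7's RDP listener and db-01's missing patches side by side; combining it with the board-level view is what ranks the exposed, unpatched database first, which is the point of getting the two groups into one conversation.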