Every modern organisation has to systematically tackle its cyber risks and offer short-, medium-, and long-term responses. It’s important to monitor changes in the threat situation during implementation.
These days, IT security officers are busier than ever. Attacks on companies of all kinds are becoming more sophisticated and more diverse. Business dependence on functioning IT systems is generally on the increase, and the risks to finances and reputations – for example, due to a leak of sensitive data – are increasing in parallel. At the same time, the IT landscape that needs to be secured is becoming more complex and more interconnected, which in turn expands the number of hypothetical and practical attack scenarios. Keeping up with this situation requires building as complete a picture of suitable responses as possible, systematically and based on risk analysis, and implementing it along the time axis in a prioritised way. A variety of frameworks are available for this kind of ‘cyber security roadmap’ – for example, NIST, ISO or CIS.
The timing of implementation is critical for every cyber security roadmap. After all, the object is to minimise the window in which a catastrophic attack can succeed, and to avoid damage that, because of insufficient controls, could be considered negligent. Of course, the vast majority of businesses run into the obstacles of limited funds and personnel. Outsourcing some tasks is an obvious solution wherever a mature service can simply be purchased and quickly implemented. Economies of scale and offshoring offer opportunities to save on initial investments and personnel costs. On the other hand, outsourcing also has disadvantages that should be assessed realistically; otherwise, the overall level of protection may actually fall rather than rise. A few examples:
Another factor that should be considered for an effective cyber security roadmap is the dynamism of the environment, which means priorities must be open to redefinition at any time. When adversaries undertake a targeted attack, they don’t care how much money your company has sunk into its defences. They focus on the overlooked gaps. As Kevin Mitnick, a well-known hacker and later security consultant, says: ‘You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.’ To find and close these gaps, you have to constantly compare current attack scenarios to your own defences and search for vulnerabilities. Taking the attacker’s point of view often helps you find blind spots that can be remedied at a manageable cost, so that you detect attacks earlier or defend against them better. But for this you need security specialists who not only have a good overview of your company but are also given the scope to keep constantly up to date and to share information with other experts in trusted groups. As a CERT with 25 years of experience in trusted community management, we consider regular, active information sharing at the highest level of confidence to be one of the most effective means of keeping cyber defence in step with attackers.
Because of the complexity of the initial situation, companies need to be highly systematic and thorough in their approach to cyber security projects, using risk analysis and cyber security roadmaps. Outsourcing is often a reasonable way of achieving the required speed and cost efficiency during implementation, but it entails risks and limitations that should not be ignored. You also need to account for the dynamism of attackers, which calls for a certain agility in implementing defences. Internal security experts are a critical factor in detecting and defending against complex attacks in good time. They need to have a good operational overview of their own company and a network of trusted peers.